PC Repair Service Centre
Computer Repair Center would post the daily security alert below. Please check if your server, web server, email server and PC have below Vulnerabilities and fix it as soon as possible. You may also contact our IT expertises at 9145-7188.
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 1000projects--Online Project Report Submission and Evaluation System | A vulnerability has been found in 1000projects Online Project Report Submission and Evaluation System 1.0. This issue affects some unknown processing of the file /admin/controller/delete_group_student.php. The manipulation of the argument batch_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-26 | 7.3 | CVE-2025-9444 |
| 8bitkid--Yahoo! WebPlayer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8bitkid Yahoo! WebPlayer allows Reflected XSS. This issue affects Yahoo! WebPlayer: from n/a through 2.0.6. | 2025-08-28 | 7.1 | CVE-2025-53215 |
| Aaron Axelsen--WPMU Ldap Authentication | Cross-Site Request Forgery (CSRF) vulnerability in Aaron Axelsen WPMU Ldap Authentication allows Stored XSS. This issue affects WPMU Ldap Authentication: from n/a through 5.0.1. | 2025-08-28 | 7.1 | CVE-2025-48343 |
| add-ons.org--Drag and Drop File Upload for Elementor Forms | Unrestricted Upload of File with Dangerous Type vulnerability in add-ons.org Drag and Drop File Upload for Elementor Forms allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop File Upload for Elementor Forms: from n/a through 1.5.3. | 2025-08-28 | 10 | CVE-2025-49387 |
| Agiloft--Agiloft | Agiloft Release 28 downloads critical system packages over an insecure HTTP connection. An attacker in a Man-In-the-Middle position could replace or modify the contents of the download URL. Users should upgrade to Agiloft Release 30. | 2025-08-26 | 8.1 | CVE-2025-35115 |
| Agiloft--Agiloft | Agiloft Release 28 contains several accounts with default credentials that could allow local privilege escalation. The password hash is known for at least one of the accounts and the credentials could be cracked offline. Users should upgrade to Agiloft Release 30. | 2025-08-26 | 7.5 | CVE-2025-35114 |
| Ai3--QbiCRMGateway | The QbiCRMGateway developed by Ai3 has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files. | 2025-08-29 | 7.5 | CVE-2025-9639 |
| Arista Networks--EOS | On affected platforms running Arista EOS, maliciously formed UDP packets with source port 3503 may be accepted by EOS. UDP Port 3503 is associated with LspPing Echo Reply. This can result in unexpected behaviors, especially for UDP based services that do not perform some form of authentication. | 2025-08-25 | 7.5 | CVE-2025-6188 |
| Assaf Parag--Poll, Survey & Quiz Maker Plugin by Opinion Stage | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Assaf Parag Poll, Survey & Quiz Maker Plugin by Opinion Stage allows PHP Local File Inclusion. This issue affects Poll, Survey & Quiz Maker Plugin by Opinion Stage: from n/a through 19.11.0. | 2025-08-28 | 7.5 | CVE-2025-53328 |
| asterisk--asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.15.2, 21.10.2, and 22.5.2, if a SIP request is received with an Authorization header that contains a realm that wasn't in a previous 401 response's WWW-Authenticate header, or an Authorization header with an incorrect realm was received without a previous 401 response being sent, the get_authorization_header() function in res_pjsip_authenticator_digest will return a NULL. This wasn't being checked before attempting to get the digest algorithm from the header which causes a SEGV. This issue has been patched in versions 20.15.2, 21.10.2, and 22.5.2. There are no workarounds. | 2025-08-28 | 7.5 | CVE-2025-57767 |
| bPlugins--Tiktok Feed | Missing Authorization vulnerability in bPlugins Tiktok Feed allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Tiktok Feed: from n/a through 1.0.21. | 2025-08-28 | 7.1 | CVE-2025-54710 |
| Campcodes--Advanced Online Voting System | A vulnerability was determined in Campcodes Advanced Online Voting System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/login.php. Executing manipulation of the argument Username can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-08-30 | 7.3 | CVE-2025-9694 |
| Campcodes--Farm Management System | A security flaw has been discovered in Campcodes Farm Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /review.php. The manipulation of the argument pid results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | 2025-08-31 | 7.3 | CVE-2025-9726 |
| Campcodes--Online Learning Management System | A security flaw has been discovered in Campcodes Online Learning Management System 1.0. This vulnerability affects unknown code of the file /admin/login.php. The manipulation of the argument Username results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-08-31 | 7.3 | CVE-2025-9750 |
| Campcodes--Online Learning Management System | A weakness has been identified in Campcodes Online Learning Management System 1.0. This issue affects some unknown processing of the file /login.php. This manipulation of the argument Username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-08-31 | 7.3 | CVE-2025-9751 |
| Campcodes--Online Loan Management System | A weakness has been identified in Campcodes Online Loan Management System 1.0. This impacts an unknown function of the file /ajax.php?action=save_payment. Executing manipulation of the argument loan_id can lead to sql injection. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-08-27 | 7.3 | CVE-2025-9502 |
| Campcodes--Online Loan Management System | A security vulnerability has been detected in Campcodes Online Loan Management System 1.0. Affected is an unknown function of the file /ajax.php?action=save_borrower. The manipulation of the argument lastname leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-08-27 | 7.3 | CVE-2025-9503 |
| Campcodes--Online Loan Management System | A vulnerability was detected in Campcodes Online Loan Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=save_plan. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. | 2025-08-27 | 7.3 | CVE-2025-9504 |
| Campcodes--Online Loan Management System | A flaw has been found in Campcodes Online Loan Management System 1.0. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_loan_type. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. | 2025-08-27 | 7.3 | CVE-2025-9505 |
| Campcodes--Online Loan Management System | A vulnerability has been found in Campcodes Online Loan Management System 1.0. This affects an unknown part of the file /ajax.php?action=delete_plan. Such manipulation of the argument ID leads to sql injection. The attack may be performed from a remote location. The exploit has been disclosed to the public and may be used. | 2025-08-27 | 7.3 | CVE-2025-9506 |
| Campcodes--Online Loan Management System | A weakness has been identified in Campcodes Online Loan Management System 1.0. The impacted element is an unknown function of the file /ajax.php?action=delete_borrower. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-08-29 | 7.3 | CVE-2025-9678 |
| Campcodes--Online Loan Management System | A weakness has been identified in Campcodes Online Loan Management System 1.0. The affected element is an unknown function of the file /ajax.php?action=login. Executing manipulation of the argument Username can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-08-31 | 7.3 | CVE-2025-9744 |
| Campcodes--Online Shopping System | A vulnerability has been found in Campcodes Online Shopping System 1.0. This impacts an unknown function of the file /login.php. Such manipulation of the argument Password leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-30 | 7.3 | CVE-2025-9691 |
| Campcodes--Online Shopping System | A vulnerability was found in Campcodes Online Shopping System 1.0. Affected is an unknown function of the file /product.php. Performing manipulation of the argument p results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used. | 2025-08-30 | 7.3 | CVE-2025-9692 |
| Campcodes--Online Water Billing System | A vulnerability was determined in Campcodes Online Water Billing System 1.0. Affected is an unknown function of the file /editecex.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2025-08-25 | 7.3 | CVE-2025-9423 |
| Campcodes--Online Water Billing System | A vulnerability was determined in Campcodes Online Water Billing System 1.0. This affects an unknown function of the file /addclient1.php. Executing manipulation of the argument lname can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. Other parameters might be affected as well. | 2025-08-26 | 7.3 | CVE-2025-9492 |
| Campcodes--Online Water Billing System | A vulnerability has been found in Campcodes Online Water Billing System 1.0. Affected by this issue is some unknown functionality of the file /process.php. The manipulation of the argument Username leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-08-31 | 7.3 | CVE-2025-9739 |
| Campcodes--Payroll Management System | A weakness has been identified in Campcodes Payroll Management System 1.0. The affected element is the function include of the file /index.php. This manipulation of the argument page causes file inclusion. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | 2025-08-27 | 7.3 | CVE-2025-9529 |
| captcha.eu--Captcha.eu | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in captcha.eu Captcha.eu allows Reflected XSS. This issue affects Captcha.eu: from n/a through n/a. | 2025-08-28 | 7.1 | CVE-2025-53579 |
| Changing--Clinic Image System | Clinic Image System developed by Changing contains hard-coded Credentials, allowing unauthenticated remote attackers to log into the system using administrator credentials embedded in the source code. | 2025-08-29 | 9.8 | CVE-2025-8857 |
| Changing--Clinic Image System | Clinic Image System developed by Changing has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-08-29 | 7.5 | CVE-2025-8858 |
| Changing--TSA | TSA developed by Changing has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to read, modify, and delete database contents. | 2025-08-29 | 9.8 | CVE-2025-8861 |
| Cisco--Cisco NX-OS Software | A vulnerability in the Intermediate System-to-Intermediate System (IS-IS) feature of Cisco NX-OS Software for Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an unauthenticated, adjacent attacker to cause the IS-IS process to unexpectedly restart, which could cause an affected device to reload. This vulnerability is due to insufficient input validation when parsing an ingress IS-IS packet. An attacker could exploit this vulnerability by sending a crafted IS-IS packet to an affected device. A successful exploit could allow the attacker to cause the unexpected restart of the IS-IS process, which could cause the affected device to reload, resulting in a denial of service (DoS) condition. Note: The IS-IS protocol is a routing protocol. To exploit this vulnerability, an attacker must be Layer 2-adjacent to the affected device. | 2025-08-27 | 7.4 | CVE-2025-20241 |
| Cisco--Cisco Unified Computing System (Managed) | A vulnerability in the Virtual Keyboard Video Monitor (vKVM) connection handling of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to redirect a user to a malicious website. This vulnerability is due to insufficient verification of vKVM endpoints. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious webpage and potentially capture user credentials. Note: The affected vKVM client is also included in Cisco UCS Manager. | 2025-08-27 | 7.1 | CVE-2025-20317 |
| CocoBasic--Neresa | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CocoBasic Neresa allows PHP Local File Inclusion. This issue affects Neresa: from n/a through 1.3. | 2025-08-28 | 8.1 | CVE-2025-49383 |
| code-projects--Human Resource Integrated System | A security flaw has been discovered in code-projects Human Resource Integrated System 1.0. This impacts an unknown function of the file /login_timeee.php. Performing manipulation of the argument emp_id results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-08-31 | 7.3 | CVE-2025-9733 |
| code-projects--Human Resource Integrated System | A vulnerability was found in code-projects Human Resource Integrated System 1.0. This affects an unknown part of the file /log_query.php. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit has been made public and could be used. | 2025-08-31 | 7.3 | CVE-2025-9740 |
| code-projects--Human Resource Integrated System | A vulnerability was determined in code-projects Human Resource Integrated System 1.0. This vulnerability affects unknown code of the file /login_query12.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-08-31 | 7.3 | CVE-2025-9741 |
| code-projects--Human Resource Integrated System | A vulnerability was identified in code-projects Human Resource Integrated System 1.0. This issue affects some unknown processing of the file /login.php. Such manipulation of the argument user/pass leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-08-31 | 7.3 | CVE-2025-9742 |
| code-projects--Human Resource Integrated System | A security flaw has been discovered in code-projects Human Resource Integrated System 1.0. Impacted is an unknown function of the file login_attendance2.php. Performing manipulation of the argument employee_id/date results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-08-31 | 7.3 | CVE-2025-9743 |
| code-projects--Online Event Judging System | A vulnerability was determined in code-projects Online Event Judging System 1.0. This issue affects some unknown processing of the file /create_account.php. This manipulation of the argument fname causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. Other parameters might be affected as well. | 2025-08-29 | 7.3 | CVE-2025-9610 |
| code-projects--Simple Grading System | A vulnerability was determined in code-projects Simple Grading System 1.0. This affects an unknown function of the file /login.php of the component Admin Panel. Executing manipulation can lead to sql injection. The attack may be performed from a remote location. The exploit has been publicly disclosed and may be utilized. | 2025-08-29 | 7.3 | CVE-2025-9662 |
| CodeYatri--Gutenify | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodeYatri Gutenify allows PHP Local File Inclusion. This issue affects Gutenify: from n/a through 1.5.6. | 2025-08-28 | 7.5 | CVE-2025-53326 |
| Consensys--gnark | gnark is a zero-knowledge proof system framework. In version 0.12.0, there is a potential denial of service vulnerability when computing scalar multiplication is using the fake-GLV algorithm. This is because the algorithm didn't converge quickly enough for some of the inputs. This issue has been patched in version 0.13.0. | 2025-08-29 | 7.5 | CVE-2025-58157 |
| cuckoohello-- | Cross-Site Request Forgery (CSRF) vulnerability in cuckoohello 百度分享按钮 allows Stored XSS. This issue affects 百度分享按钮: from n/a through 1.0.6. | 2025-08-28 | 7.1 | CVE-2025-48320 |
| dactum--Clickbank WordPress Plugin (Niche Storefront) | Cross-Site Request Forgery (CSRF) vulnerability in dactum Clickbank WordPress Plugin (Niche Storefront) allows Stored XSS. This issue affects Clickbank WordPress Plugin (Niche Storefront): from n/a through 1.3.5. | 2025-08-28 | 7.1 | CVE-2025-48353 |
| Dell--ThinOS 10 | Dell ThinOS 10, versions prior to 2508_10.0127, contain a Protection Mechanism Failure vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. | 2025-08-27 | 9.6 | CVE-2025-43728 |
| Dell--ThinOS 10 | Dell ThinOS 10, versions prior to 2508_10.0127, contains an Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability. A local unauthenticated user could potentially exploit this vulnerability leading to Elevation of Privileges and Information disclosure. | 2025-08-27 | 8.4 | CVE-2025-43730 |
| Dell--ThinOS 10 | Dell ThinOS 10, versions prior to 2508_10.0127, contains an Incorrect Permission Assignment for Critical Resource vulnerability. A local low-privileged attacker could potentially exploit this vulnerability leading to Elevation of Privileges and Unauthorized Access. | 2025-08-27 | 7.8 | CVE-2025-43729 |
| Dell--ThinOS 10 | Dell ThinOS 10, versions prior to 2508_10.0127, contains an Unverified Ownership vulnerability. A local low-privileged attacker could potentially exploit this vulnerability leading to Unauthorized Access. | 2025-08-27 | 7.8 | CVE-2025-43882 |
| Delta Electronics--COMMGR | Delta Electronics COMMGR has Stack-based Buffer Overflow vulnerability. | 2025-08-26 | 8.6 | CVE-2025-53418 |
| Delta Electronics--COMMGR | Delta Electronics COMMGR has Code Injection vulnerability. | 2025-08-26 | 7.8 | CVE-2025-53419 |
| developers savyour--Savyour Affiliate Partner | Cross-Site Request Forgery (CSRF) vulnerability in developers savyour Savyour Affiliate Partner allows Stored XSS. This issue affects Savyour Affiliate Partner: from n/a through 2.1.4. | 2025-08-28 | 7.1 | CVE-2025-48306 |
| Dmitry V. (CEO of "UKR Solution")--UPC/EAN/GTIN Code Generator | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Dmitry V. (CEO of "UKR Solution") UPC/EAN/GTIN Code Generator allows Path Traversal. This issue affects UPC/EAN/GTIN Code Generator: from n/a through 2.0.2. | 2025-08-28 | 7.7 | CVE-2025-53588 |
| dyiosah--Ultimate twitter profile widget | Cross-Site Request Forgery (CSRF) vulnerability in dyiosah Ultimate twitter profile widget allows Stored XSS. This issue affects Ultimate twitter profile widget: from n/a through 1.0. | 2025-08-28 | 7.1 | CVE-2025-48321 |
| Dylan James--Zephyr Project Manager | Missing Authorization vulnerability in Dylan James Zephyr Project Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zephyr Project Manager: from n/a through 3.3.201. | 2025-08-28 | 7.1 | CVE-2025-54714 |
| eboekhouden--e-Boekhouden.nl | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eboekhouden e-Boekhouden.nl allows Reflected XSS. This issue affects e-Boekhouden.nl: from n/a through 1.9.3. | 2025-08-28 | 7.1 | CVE-2025-53225 |
| emarket-design--Employee Directory Staff Listing & Team Directory Plugin for WordPress | Deserialization of Untrusted Data vulnerability in emarket-design Employee Directory - Staff Listing & Team Directory Plugin for WordPress allows Object Injection. This issue affects Employee Directory - Staff Listing & Team Directory Plugin for WordPress: from n/a through 4.5.3. | 2025-08-28 | 8.1 | CVE-2025-53243 |
| emarket-design--Employee Spotlight | Deserialization of Untrusted Data vulnerability in emarket-design Employee Spotlight allows Object Injection. This issue affects Employee Spotlight: from n/a through 5.1.1. | 2025-08-28 | 8.1 | CVE-2025-53583 |
| emarket-design--WP Easy Contact | Deserialization of Untrusted Data vulnerability in emarket-design WP Easy Contact allows Object Injection. This issue affects WP Easy Contact: from n/a through 4.0.1. | 2025-08-28 | 8.1 | CVE-2025-53572 |
| emarket-design--WP Ticket Customer Service Software & Support Ticket System | Deserialization of Untrusted Data vulnerability in emarket-design WP Ticket Customer Service Software & Support Ticket System allows Object Injection. This issue affects WP Ticket Customer Service Software & Support Ticket System: from n/a through 6.0.2. | 2025-08-28 | 8.1 | CVE-2025-53584 |
| emarket-design--YouTube Showcase | Improper Control of Generation of Code ('Code Injection') vulnerability in emarket-design YouTube Showcase allows Object Injection. This issue affects YouTube Showcase: from n/a through 3.5.1. | 2025-08-28 | 8.1 | CVE-2025-54731 |
| enituretechnology--Small Package Quotes USPS Edition | Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes - USPS Edition allows Object Injection. This issue affects Small Package Quotes - USPS Edition: from n/a through 1.3.9. | 2025-08-27 | 7.2 | CVE-2025-58218 |
| extendons--WooCommerce csv import export | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in extendons WooCommerce csv import export allows Path Traversal. This issue affects WooCommerce csv import export: from n/a through 2.0.6. | 2025-08-28 | 7.7 | CVE-2025-54029 |
| extremeidea--bidorbuy Store Integrator | Improper Control of Generation of Code ('Code Injection') vulnerability in extremeidea bidorbuy Store Integrator allows Remote Code Inclusion. This issue affects bidorbuy Store Integrator: from n/a through 2.12.0. | 2025-08-28 | 9.1 | CVE-2025-48100 |
| Favethemes--Houzez | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Favethemes Houzez allows PHP Local File Inclusion.This issue affects Houzez: from n/a before 4.1.4. | 2025-08-28 | 8.1 | CVE-2025-49405 |
| favethemes--Houzez | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez allows Reflected XSS. This issue affects Houzez: from n/a through 4.1.1. | 2025-08-28 | 7.1 | CVE-2025-49407 |
| Gary Illyes--Google XML News Sitemap plugin | Cross-Site Request Forgery (CSRF) vulnerability in Gary Illyes Google XML News Sitemap plugin allows Stored XSS. This issue affects Google XML News Sitemap plugin: from n/a through 0.02. | 2025-08-28 | 7.1 | CVE-2025-48304 |
| gavias--Kipso | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kipso allows PHP Local File Inclusion. This issue affects Kipso: from n/a through 1.3.4. | 2025-08-28 | 8.1 | CVE-2025-53578 |
| GeroNikolov--Instant Breaking News | Cross-Site Request Forgery (CSRF) vulnerability in GeroNikolov Instant Breaking News allows Stored XSS. This issue affects Instant Breaking News: from n/a through 1.0. | 2025-08-27 | 7.1 | CVE-2025-58217 |
| glpi-project--glpi | GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 10.0.0 to before 10.0.19, a connected user without administration rights can change the rules execution order. This issue has been patched in version 10.0.19. | 2025-08-27 | 7.5 | CVE-2025-53105 |
| Hamid Alinia--Login with phone number | Missing Authorization vulnerability in Hamid Alinia Login with phone number.This issue affects Login with phone number: from n/a through 1.6.93. | 2025-08-31 | 9.8 | CVE-2024-32832 |
| harness--harness | Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines, Hosted Developer Environments, and Artifact Registries. Prior to version 3.3.0, Open Source Harness git LFS server (Gitness) exposes api to retrieve and upload files via git LFS. Implementation of upload git LFS file api is vulnerable to arbitrary file write. Due to improper sanitization for upload path, a malicious authenticated user who has access to Harness Gitness server api can use a crafted upload request to write arbitrary file to any location on file system, may even compromise the server. Users using git LFS are vulnerable. This issue has been patched in version 3.3.0. | 2025-08-29 | 8.8 | CVE-2025-58158 |
| HashiCorp--Vault | A malicious user may submit a specially-crafted complex payload that otherwise meets the default request size limit which results in excessive memory and CPU consumption of Vault. This may lead to a timeout in Vault's auditing subroutine, potentially resulting in the Vault server to become unresponsive. This vulnerability, CVE-2025-6203, is fixed in Vault Community Edition 1.20.3 and Vault Enterprise 1.20.3, 1.19.9, 1.18.14, and 1.16.25. | 2025-08-28 | 7.5 | CVE-2025-6203 |
| Hikvision--HikCentral Professional | There is an Access Control Vulnerability in some HikCentral Professional versions. This could allow an unauthenticated user to obtain the admin permission. | 2025-08-29 | 8.6 | CVE-2025-39247 |
| HKritesh009--Grocery List Management Web App | A vulnerability was identified in HKritesh009 Grocery List Management Web App up to f491b681eb70d465f445c9a721415c965190f83b. This affects an unknown part of the file /src/update.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | 2025-08-31 | 7.3 | CVE-2025-9749 |
| honzat--Page Manager for Elementor | Missing Authorization vulnerability in honzat Page Manager for Elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Page Manager for Elementor: from n/a through 2.0.5. | 2025-08-28 | 7.6 | CVE-2025-53230 |
| IBM--Cognos Command Center | IBM Cognos Command Center 10.2.4.1 and 10.2.5 could allow a local user to execute arbitrary code on the system due to the use of unsafe use of the BinaryFormatter function. | 2025-08-26 | 7.8 | CVE-2025-1994 |
| IBM--Cognos Command Center | IBM Cognos Command Center 10.2.4.1 and 10.2.5 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. | 2025-08-26 | 7.4 | CVE-2025-2697 |
| IBM--Security Verify Governance Identity Manager | IBM Security Verify Governance Identity Manager 10.0.2 could allow a remote attacker to obtain sensitive information when detailed technical error messages are returned. This information could be used in further attacks against the system. | 2025-08-28 | 7.5 | CVE-2025-36003 |
| IBM--watsonx Orchestrate Cartridge for IBM Cloud Pak for Data | IBM watsonx Orchestrate Cartridge for IBM Cloud Pak for Data 4.8.4, 4.8.5, and 5.0.0 through 5.2.0 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | 2025-08-30 | 7.6 | CVE-2025-0165 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to ImageMagick versions 6.9.13-28 and 7.1.2-2, a format string bug vulnerability exists in InterpretImageFilename function where user input is directly passed to FormatLocaleString without proper sanitization. An attacker can overwrite arbitrary memory regions, enabling a wide range of attacks from heap overflow to remote code execution. This issue has been patched in versions 6.9.13-28 and 7.1.2-2. | 2025-08-26 | 7.5 | CVE-2025-55298 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2 for ImageMagick's 32-bit build, a 32-bit integer overflow in the BMP encoder's scanline-stride computation collapses bytes_per_line (stride) to a tiny value while the per-row writer still emits 3 × width bytes for 24-bpp images. The row base pointer advances using the (overflowed) stride, so the first row immediately writes past its slot and into adjacent heap memory with attacker-controlled bytes. This is a classic, powerful primitive for heap corruption in common auto-convert pipelines. This issue has been patched in versions 6.9.13-28 and 7.1.2-2. | 2025-08-26 | 7.5 | CVE-2025-57803 |
| ISC--Kea | If a DHCPv4 client sends a request with some specific options, and Kea fails to find an appropriate subnet for the client, the `kea-dhcp4` process will abort with an assertion failure. This happens only if the client request is unicast directly to Kea; broadcast messages do not cause the problem. This issue affects Kea versions 2.7.1 through 2.7.9, 3.0.0, and 3.1.0. | 2025-08-27 | 7.5 | CVE-2025-40779 |
| itsourcecode--Apartment Management System | A security vulnerability has been detected in itsourcecode Apartment Management System 1.0. Impacted is an unknown function of the file /owner/addowner.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-08-25 | 7.3 | CVE-2025-9418 |
| itsourcecode--Apartment Management System | A vulnerability was detected in itsourcecode Apartment Management System 1.0. The affected element is an unknown function of the file /unit/addunit.php. Performing manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. | 2025-08-25 | 7.3 | CVE-2025-9419 |
| itsourcecode--Apartment Management System | A flaw has been found in itsourcecode Apartment Management System 1.0. The impacted element is an unknown function of the file /floor/addfloor.php. Executing manipulation of the argument hdnid can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. | 2025-08-25 | 7.3 | CVE-2025-9420 |
| itsourcecode--Apartment Management System | A vulnerability has been found in itsourcecode Apartment Management System 1.0. This affects an unknown function of the file /complain/addcomplain.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-25 | 7.3 | CVE-2025-9421 |
| itsourcecode--Apartment Management System | A security vulnerability has been detected in itsourcecode Apartment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /bill/add_bill.php. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-08-26 | 7.3 | CVE-2025-9468 |
| itsourcecode--Apartment Management System | A vulnerability was detected in itsourcecode Apartment Management System 1.0. Affected by this issue is some unknown functionality of the file /fund/add_fund.php. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-08-26 | 7.3 | CVE-2025-9469 |
| itsourcecode--Apartment Management System | A flaw has been found in itsourcecode Apartment Management System 1.0. This affects an unknown part of the file /management/add_m_committee.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | 2025-08-26 | 7.3 | CVE-2025-9470 |
| itsourcecode--Apartment Management System | A vulnerability has been found in itsourcecode Apartment Management System 1.0. This vulnerability affects unknown code of the file /maintenance/add_maintenance_cost.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2025-08-26 | 7.3 | CVE-2025-9471 |
| itsourcecode--Apartment Management System | A vulnerability was found in itsourcecode Apartment Management System 1.0. This issue affects some unknown processing of the file /owner_utility/add_owner_utility.php. The manipulation of the argument ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. | 2025-08-26 | 7.3 | CVE-2025-9472 |
| itsourcecode--Apartment Management System | A weakness has been identified in itsourcecode Apartment Management System 1.0. Impacted is an unknown function of the file /report/visitor_info.php. Executing manipulation of the argument vid can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-08-27 | 7.3 | CVE-2025-9507 |
| itsourcecode--Apartment Management System | A vulnerability was detected in itsourcecode Apartment Management System 1.0. The impacted element is an unknown function of the file /report/rented_info.php. The manipulation of the argument rsid results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. | 2025-08-27 | 7.3 | CVE-2025-9508 |
| itsourcecode--Apartment Management System | A security flaw has been discovered in itsourcecode Apartment Management System 1.0. This issue affects some unknown processing of the file /report/fair_info_all.php. Performing manipulation of the argument fid results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-08-27 | 7.3 | CVE-2025-9509 |
| itsourcecode--Apartment Management System | A security vulnerability has been detected in itsourcecode Apartment Management System 1.0. The affected element is an unknown function of the file /branch/addbranch.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-08-27 | 7.3 | CVE-2025-9510 |
| itsourcecode--Apartment Management System | A vulnerability was identified in itsourcecode Apartment Management System 1.0. This vulnerability affects unknown code of the file /visitor/addvisitor.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-08-27 | 7.3 | CVE-2025-9511 |
| itsourcecode--Apartment Management System | A vulnerability was detected in itsourcecode Apartment Management System 1.0. This issue affects some unknown processing of the file /report/bill_info.php. Performing manipulation of the argument vid results in sql injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2025-08-28 | 7.3 | CVE-2025-9592 |
| itsourcecode--Apartment Management System | A flaw has been found in itsourcecode Apartment Management System 1.0. Impacted is an unknown function of the file /report/unit_status_info.php. Executing manipulation of the argument usid can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used. | 2025-08-28 | 7.3 | CVE-2025-9593 |
| itsourcecode--Apartment Management System | A vulnerability has been found in itsourcecode Apartment Management System 1.0. The affected element is an unknown function of the file /report/complain_info.php. The manipulation of the argument vid leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2025-08-28 | 7.3 | CVE-2025-9594 |
| itsourcecode--Apartment Management System | A vulnerability was identified in itsourcecode Apartment Management System 1.0. This impacts an unknown function of the file /o_dashboard/rented_all_info.php. Such manipulation of the argument uid leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-08-29 | 7.3 | CVE-2025-9597 |
| itsourcecode--Apartment Management System | A security flaw has been discovered in itsourcecode Apartment Management System 1.0. Affected is an unknown function of the file /setting/year_setup.php. Performing manipulation of the argument txtXYear results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. | 2025-08-29 | 7.3 | CVE-2025-9598 |
| itsourcecode--Apartment Management System | A weakness has been identified in itsourcecode Apartment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /setting/month_setup.php. Executing manipulation of the argument txtMonthName can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. | 2025-08-29 | 7.3 | CVE-2025-9599 |
| itsourcecode--Apartment Management System | A security vulnerability has been detected in itsourcecode Apartment Management System 1.0. Affected by this issue is some unknown functionality of the file /setting/member_type_setup.php. The manipulation of the argument txtMemberType leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-08-29 | 7.3 | CVE-2025-9600 |
| itsourcecode--Apartment Management System | A vulnerability was detected in itsourcecode Apartment Management System 1.0. This affects an unknown part of the file /setting/employee_salary_setup.php. The manipulation of the argument ddlEmpName results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. | 2025-08-29 | 7.3 | CVE-2025-9601 |
| itsourcecode--Apartment Management System | A vulnerability was found in itsourcecode Apartment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /setting/utility_bill_setup.php. Performing manipulation of the argument txtGasBill results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2025-08-29 | 7.3 | CVE-2025-9643 |
| itsourcecode--Apartment Management System | A vulnerability was determined in itsourcecode Apartment Management System 1.0. Affected by this issue is some unknown functionality of the file /setting/bill_setup.php. Executing manipulation of the argument txtBillType can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-08-29 | 7.3 | CVE-2025-9644 |
| itsourcecode--Apartment Management System | A vulnerability was identified in itsourcecode Apartment Management System 1.0. This affects an unknown part of the file /t_dashboard/r_all_info.php. The manipulation of the argument mid leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2025-08-29 | 7.3 | CVE-2025-9645 |
| itsourcecode--Apartment Management System | A vulnerability was found in itsourcecode Apartment Management System 1.0. The affected element is an unknown function of the file /ajax/updateProfile.php. The manipulation of the argument user_id results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. | 2025-08-31 | 7.3 | CVE-2025-9730 |
| itsourcecode--Online Tour and Travel Management System | A security flaw has been discovered in itsourcecode Online Tour and Travel Management System 1.0. Affected by this issue is some unknown functionality of the file /enquiry.php. Performing manipulation of the argument pid results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. | 2025-08-25 | 7.3 | CVE-2025-9425 |
| itsourcecode--Online Tour and Travel Management System | A weakness has been identified in itsourcecode Online Tour and Travel Management System 1.0. This affects an unknown part of the file /package.php. Executing manipulation of the argument subcatid can lead to sql injection. The attack may be performed from a remote location. The exploit has been made available to the public and could be exploited. | 2025-08-25 | 7.3 | CVE-2025-9426 |
| itsourcecode--Sports Management System | A vulnerability was determined in itsourcecode Sports Management System 1.0. This affects an unknown function of the file /login.php. This manipulation of the argument User causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-08-28 | 7.3 | CVE-2025-9596 |
| itsourcecode--Student Information System | A security vulnerability has been detected in itsourcecode Student Information System 1.0. This affects an unknown function of the file /course_edit1.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-08-30 | 7.3 | CVE-2025-9679 |
| Jason--Theme Blvd Widget Areas | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jason Theme Blvd Widget Areas allows Reflected XSS. This issue affects Theme Blvd Widget Areas: from n/a through 1.3.0. | 2025-08-28 | 7.1 | CVE-2025-53289 |
| JetBrains--IDE Services | In JetBrains IDE Services before 2025.5.0.1086, 2025.4.2.2164 users without appropriate permissions could assign high-privileged role for themselves | 2025-08-28 | 8.1 | CVE-2025-58334 |
| Jinher--OA | A vulnerability has been found in Jinher OA 1.0. This issue affects some unknown processing of the file GetTreeDate.aspx. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2025-08-29 | 7.3 | CVE-2025-9669 |
| kamleshyadav--Miraculous Core Plugin | Incorrect Privilege Assignment vulnerability in kamleshyadav Miraculous Core Plugin allows Privilege Escalation. This issue affects Miraculous Core Plugin: from n/a through 2.0.7. | 2025-08-28 | 9.8 | CVE-2025-49388 |
| kasonzhao--SEO For Images | Cross-Site Request Forgery (CSRF) vulnerability in kasonzhao SEO For Images allows Stored XSS. This issue affects SEO For Images: from n/a through 1.0.0. | 2025-08-28 | 7.1 | CVE-2025-48307 |
| Koen Schuit--NextGEN Gallery Search | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Koen Schuit NextGEN Gallery Search allows Reflected XSS. This issue affects NextGEN Gallery Search: from n/a through 2.12. | 2025-08-28 | 7.1 | CVE-2025-53224 |
| LabRedesCefetRJ--WeGIA | WeGIA is a Web manager for charitable institutions. Prior to version 3.4.11, a remote code execution vulnerability was identified, caused by improper validation of uploaded files. The application allows an attacker to upload files with arbitrary filenames, including those with a .php extension. Because the uploaded file is written directly to disk without adequate sanitization or extension restrictions, a spreadsheet file followed by PHP code can be uploaded and executed on the server, leading to arbitrary code execution. This is due to insufficient mitigation of CVE-2025-22133. This issue has been patched in version 3.4.11. | 2025-08-29 | 10 | CVE-2025-58159 |
| langflow-ai--langflow | Langflow is a tool for building and deploying AI-powered agents and workflows. A privilege escalation vulnerability exists in Langflow containers where an authenticated user with RCE access can invoke the internal CLI command langflow superuser to create a new administrative user. This results in full superuser access, even if the user initially registered through the UI as a regular (non-admin) account. A patched version has not been made public at this time. | 2025-08-25 | 8.8 | CVE-2025-57760 |
| Linksys--E1700 | A flaw has been found in Linksys E1700 1.0.0.4.003. Affected by this vulnerability is the function setWan of the file /goform/setWan. This manipulation of the argument DeviceName/lanIp causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-27 | 8.8 | CVE-2025-9525 |
| Linksys--E1700 | A vulnerability has been found in Linksys E1700 1.0.0.4.003. Affected by this issue is the function setSysAdm of the file /goform/setSysAdm. Such manipulation of the argument rm_port leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-27 | 8.8 | CVE-2025-9526 |
| Linksys--E1700 | A vulnerability was found in Linksys E1700 1.0.0.4.003. This affects the function QoSSetup of the file /goform/QoSSetup. Performing manipulation of the argument ack_policy results in stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-27 | 8.8 | CVE-2025-9527 |
| Linksys--RE6250 | A security vulnerability has been detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function setIpv6 of the file /goform/setIpv6. The manipulation of the argument tunrd_Prefix leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-26 | 8.8 | CVE-2025-9481 |
| Linksys--RE6250 | A vulnerability was detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This impacts the function portRangeForwardAdd of the file /goform/portRangeForwardAdd. The manipulation of the argument ruleName/schedule/inboundFilter/TCPPorts/UDPPorts results in stack-based buffer overflow. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-26 | 8.8 | CVE-2025-9482 |
| Linksys--RE6250 | A flaw has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected is the function singlePortForwardAdd of the file /goform/singlePortForwardAdd. This manipulation of the argument ruleName/schedule/inboundFilter causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-26 | 8.8 | CVE-2025-9483 |
| magepeopleteam--WpEvently | Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently allows Object Injection. This issue affects WpEvently: from n/a through 4.4.8. | 2025-08-28 | 8.8 | CVE-2025-54742 |
| manfcarlo--WP Funnel Manager | Deserialization of Untrusted Data vulnerability in manfcarlo WP Funnel Manager allows Object Injection. This issue affects WP Funnel Manager: from n/a through 1.4.0. | 2025-08-28 | 9.8 | CVE-2025-52761 |
| Mojoomla--School Management | Unrestricted Upload of File with Dangerous Type vulnerability in Mojoomla School Management allows Upload a Web Shell to a Web Server.This issue affects School Management: from n/a through 1.93.1 (02-07-2025). | 2025-08-31 | 9.9 | CVE-2025-31100 |
| nonletter--Newsletter subscription optin module | Cross-Site Request Forgery (CSRF) vulnerability in nonletter Newsletter subscription optin module allows Stored XSS. This issue affects Newsletter subscription optin module: from n/a through 1.2.9. | 2025-08-28 | 7.1 | CVE-2025-48308 |
| NooTheme--Jobmonster | Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobmonster allows Authentication Abuse. This issue affects Jobmonster: from n/a through 4.7.9. | 2025-08-28 | 9.8 | CVE-2025-54738 |
| NVIDIA--NeMo Framework | NVIDIA NeMo Framework for all platforms contains a vulnerability in the retrieval services component, where malicious data created by an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-08-26 | 7.8 | CVE-2025-23312 |
| NVIDIA--NeMo Framework | NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-08-26 | 7.8 | CVE-2025-23313 |
| NVIDIA--NeMo Framework | NVIDIA NeMo Framework for all platforms contains a vulnerability in the NLP component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-08-26 | 7.8 | CVE-2025-23314 |
| NVIDIA--NeMo Framework | NVIDIA NeMo Framework for all platforms contains a vulnerability in the export and deploy component, where malicious data created by an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-08-26 | 7.8 | CVE-2025-23315 |
| NVIDIA--NVIDIA NeMo Curator | NVIDIA NeMo Curator for all platforms contains a vulnerability where a malicious file created by an attacker could allow code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-08-26 | 7.8 | CVE-2025-23307 |
| OffClicks--Invisible Optin | Cross-Site Request Forgery (CSRF) vulnerability in OffClicks Invisible Optin allows Stored XSS. This issue affects Invisible Optin: from n/a through 1.0. | 2025-08-28 | 7.1 | CVE-2025-48311 |
| ovatheme--Ireca | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ireca allows PHP Local File Inclusion. This issue affects Ireca: from n/a through 1.8.5. | 2025-08-28 | 8.1 | CVE-2025-54716 |
| ovatheme--Ovatheme Events | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Ovatheme Events allows PHP Local File Inclusion. This issue affects Ovatheme Events: from n/a through 1.2.8. | 2025-08-28 | 8.1 | CVE-2025-53576 |
| ovatheme.com--Event List | The Event List plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.0.4. This is due to the plugin not properly validating a user's capabilities prior to updating their profile in the el_update_profile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their capabilities to those of an administrator. | 2025-08-26 | 8.8 | CVE-2025-6366 |
| Paymenter--Paymenter | Paymenter is a free and open-source webshop solution for hostings. Prior to version 1.2.11, the ticket attachments functionality in Paymenter allows a malicious authenticated user to upload arbitrary files. This could result in sensitive data extraction from the database, credentials being read from configuration files, and arbitrary system commands being run under the web server user context. This vulnerability was patched by commit 87c3db4 and was released under the version 1.2.11 tag without any other code modifications compared to version 1.2.10. If upgrading is not immediately possible, administrators can mitigate this vulnerability with one or more of the following measures: updating nginx config to download attachments instead of executing them or disallowing access to /storage/ fully using a WAF such as Cloudflare. | 2025-08-28 | 10 | CVE-2025-58048 |
| pbmacintyre--RingCentral Communications Plugin FREE | The RingCentral Communications plugin for WordPress is vulnerable to Authentication Bypass due to improper validation within the ringcentral_admin_login_2fa_verify() function in versions 1.5 to 1.6.8. This makes it possible for unauthenticated attackers to log in as any user simply by supplying identical bogus codes. | 2025-08-28 | 9.8 | CVE-2025-7955 |
| PHPGurukul--Online Course Registration | A vulnerability was detected in PHPGurukul Online Course Registration 3.1. This vulnerability affects unknown code of the file /admin/student-registration.php. Performing manipulation of the argument studentname results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. | 2025-08-31 | 7.3 | CVE-2025-9729 |
| pierrelannoy--Vibes | The Vibes plugin for WordPress is vulnerable to time-based SQL Injection via the 'resource' parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-08-26 | 7.5 | CVE-2025-9172 |
| plone--volto | Volto is a React based frontend for the Plone Content Management System. In versions from 19.0.0-alpha.1 to before 19.0.0-alpha.4, 18.0.0 to before 18.24.0, 17.0.0 to before 17.22.1, and prior to 16.34.0, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a specific URL. The problem has been patched in versions 16.34.0, 17.22.1, 18.24.0, and 19.0.0-alpha.4. To mitigate downtime, have setup automatically restart processes that quit with an error. | 2025-08-28 | 7.5 | CVE-2025-58047 |
| pluggabl--Booster for WooCommerce PDF Invoices, Abandoned Cart, Variation Swatches & 100+ Tools | The Booster for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'add_files_to_order' function in all versions up to, and including, 7.2.4. This makes it possible for unauthenticated attackers to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present. | 2025-08-29 | 8.1 | CVE-2024-13342 |
| PluginsPoint--Kento Splash Screen | Cross-Site Request Forgery (CSRF) vulnerability in PluginsPoint Kento Splash Screen allows Stored XSS. This issue affects Kento Splash Screen: from n/a through 1.4. | 2025-08-28 | 7.1 | CVE-2025-48351 |
| purethemes--Listeo-Core | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in purethemes Listeo-Core allows SQL Injection. This issue affects Listeo-Core: from n/a through 1.9.32. | 2025-08-28 | 8.5 | CVE-2025-49404 |
| RACOM--M!DGE2 | A non-primary administrator user with admin rights to the web interface but without shell access permissions can display configuration of the device including the master admin password. This vulnerability also allows the user to give themselves shell access with the root gid. | 2025-08-26 | 7.2 | CVE-2025-36729 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the Udisks daemon, where it allows unprivileged users to create loop devices using the D-BUS system. This is achieved via the loop device handler, which handles requests sent through the D-BUS interface. As two of the parameters of this handle, it receives the file descriptor list and index specifying the file where the loop device should be backed. The function itself validates the index value to ensure it isn't bigger than the maximum value allowed. However, it fails to validate the lower bound, allowing the index parameter to be a negative value. Under these circumstances, an attacker can cause the UDisks daemon to crash or perform a local privilege escalation by gaining access to files owned by privileged users. | 2025-08-28 | 8.5 | CVE-2025-8067 |
| SAIL Image Decoding Library--SAIL Image Decoding Library | A memory corruption vulnerability exists in the BMPv3 Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .bmp file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability. | 2025-08-25 | 8.8 | CVE-2025-32468 |
| SAIL Image Decoding Library--SAIL Image Decoding Library | A memory corruption vulnerability exists in the PCX Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decoding the image data from a specially crafted .pcx file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability. | 2025-08-25 | 8.8 | CVE-2025-35984 |
| SAIL Image Decoding Library--SAIL Image Decoding Library | A memory corruption vulnerability exists in the BMPv3 Palette Decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .bmp file, an integer overflow can be made to occur which will cause a heap-based buffer to overflow when reading the palette from the image. These conditions can allow for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability. | 2025-08-25 | 8.8 | CVE-2025-46407 |
| SAIL Image Decoding Library--SAIL Image Decoding Library | A memory corruption vulnerability exists in the PCX Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decoding the image data from a specially crafted .tga file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability. | 2025-08-25 | 8.8 | CVE-2025-50129 |
| SAIL Image Decoding Library--SAIL Image Decoding Library | A memory corruption vulnerability exists in the WebP Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .webp animation an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability. | 2025-08-25 | 8.8 | CVE-2025-52456 |
| SAIL Image Decoding Library--SAIL Image Decoding Library | A memory corruption vulnerability exists in the BMPv3 RLE Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decompressing the image data from a specially crafted .bmp file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability. | 2025-08-25 | 8.8 | CVE-2025-52930 |
| SAIL Image Decoding Library--SAIL Image Decoding Library | A memory corruption vulnerability exists in the PSD RLE Decoding functionality of the SAIL Image Decoding Library v0.9.8. When decompressing the image data from a specially crafted .psd file, a heap-based buffer overflow can occur which allows for remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability. | 2025-08-25 | 8.8 | CVE-2025-53085 |
| SAIL Image Decoding Library--SAIL Image Decoding Library | A memory corruption vulnerability exists in the PSD Image Decoding functionality of the SAIL Image Decoding Library v0.9.8. When loading a specially crafted .psd file, an integer overflow can be made to occur when calculating the stride for decoding. Afterwards, this will cause a heap-based buffer to overflow when decoding the image which can lead to remote code execution. An attacker will need to convince the library to read a file to trigger this vulnerability. | 2025-08-25 | 8.8 | CVE-2025-53510 |
| Securden--Unified PAM | An authentication bypass vulnerability exists which allows an unauthenticated attacker to control administrator backup functions, leading to compromise of passwords, secrets, and application session tokens stored by the Unified PAM. | 2025-08-25 | 9.8 | CVE-2025-53118 |
| Securden--Unified PAM | A path traversal vulnerability in unauthenticated upload functionality allows a malicious actor to upload binaries and scripts to the server's configuration and web root directories, achieving remote code execution on the Unified PAM server. | 2025-08-25 | 9.4 | CVE-2025-53120 |
| Securden--Unified PAM | An unauthenticated unrestricted file upload vulnerability allows an attacker to upload malicious binaries and scripts to the server. | 2025-08-25 | 7.5 | CVE-2025-53119 |
| Securden--Unified PAM | Securden's Unified PAM Remote Vendor Gateway access portal shares infrastructure and access tokens across multiple tenants. A malicious actor can obtain authentication material and access the gateway server with low-privilege permissions. | 2025-08-25 | 7.2 | CVE-2025-6737 |
| shmish111--WP Admin Theme | Cross-Site Request Forgery (CSRF) vulnerability in shmish111 WP Admin Theme allows Stored XSS. This issue affects WP Admin Theme: from n/a through 1.0. | 2025-08-28 | 7.1 | CVE-2025-48325 |
| Solwin--Blog Designer PRO | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Solwin Blog Designer PRO.This issue affects Blog Designer PRO: from n/a through 3.4.7. | 2025-08-31 | 8.1 | CVE-2025-47696 |
| SourceCodester--Bakeshop Online Ordering System | A vulnerability was found in SourceCodester Bakeshop Online Ordering System 1.0. The impacted element is an unknown function of the file /passwordrecover.php. Performing manipulation of the argument phonenumber results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | 2025-08-29 | 7.3 | CVE-2025-9660 |
| SourceCodester--Human Resource Information System | A flaw has been found in SourceCodester Human Resource Information System 1.0. Affected by this vulnerability is an unknown functionality of the file /Admin_Dashboard/process/editemployee_process.php. This manipulation of the argument employee_file201 causes unrestricted upload. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-08-26 | 7.3 | CVE-2025-9475 |
| SourceCodester--Human Resource Information System | A vulnerability has been found in SourceCodester Human Resource Information System 1.0. Affected by this issue is some unknown functionality of the file /Superadmin_Dashboard/process/editemployee_process.php. Such manipulation of the argument employee_file201 leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-26 | 7.3 | CVE-2025-9476 |
| SourceCodester--Online Bank Management System | A security vulnerability has been detected in SourceCodester Online Bank Management System 1.0. This impacts an unknown function of the file /feedback.php. The manipulation of the argument msg leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-08-26 | 7.3 | CVE-2025-9473 |
| SourceCodester--Online Book Store | A flaw has been found in SourceCodester Online Book Store 1.0. This issue affects some unknown processing of the file /publisher_list.php. This manipulation of the argument pubid causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2025-08-30 | 7.3 | CVE-2025-9700 |
| SourceCodester--Online Polling System Code | A vulnerability was detected in SourceCodester Online Polling System Code 1.0. This vulnerability affects unknown code of the file /admin/checklogin.php. The manipulation of the argument myusername results in sql injection. The attack may be performed from a remote location. The exploit is now public and may be used. | 2025-08-30 | 7.3 | CVE-2025-9699 |
| SourceCodester--Simple Cafe Billing System | A vulnerability was determined in SourceCodester Simple Cafe Billing System 1.0. The impacted element is an unknown function of the file /receipt.php. Executing manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-08-30 | 7.3 | CVE-2025-9701 |
| SourceCodester--Simple Cafe Billing System | A vulnerability was identified in SourceCodester Simple Cafe Billing System 1.0. This affects an unknown function of the file /sales_report.php. The manipulation of the argument month leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2025-08-30 | 7.3 | CVE-2025-9702 |
| SourceCodester--Water Billing System | A security flaw has been discovered in SourceCodester Water Billing System 1.0. This impacts an unknown function of the file /viewbill.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be exploited. | 2025-08-30 | 7.3 | CVE-2025-9704 |
| SourceCodester--Water Billing System | A weakness has been identified in SourceCodester Water Billing System 1.0. Affected is an unknown function of the file /paybill.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | 2025-08-30 | 7.3 | CVE-2025-9705 |
| SourceCodester--Water Billing System | A security vulnerability has been detected in SourceCodester Water Billing System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. | 2025-08-30 | 7.3 | CVE-2025-9706 |
| SteelThemes--Nest Addons | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SteelThemes Nest Addons allows SQL Injection. This issue affects Nest Addons: from n/a through 1.6.3. | 2025-08-28 | 9.3 | CVE-2025-54720 |
| Tenda--AC1206 | A vulnerability was detected in Tenda AC1206 15.03.06.23. Affected is the function GetParentControlInfo of the file /goform/GetParentControlInfo. The manipulation of the argument mac results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2025-08-27 | 9.8 | CVE-2025-9523 |
| Tenda--AC21 | A security vulnerability has been detected in Tenda AC21 and AC23 16.03.08.16. Affected is the function GetParentControlInfo of the file /goform/GetParentControlInfo. Such manipulation of the argument mac leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-08-29 | 9.8 | CVE-2025-9605 |
| Tenda--CH22 | A flaw has been found in Tenda CH22 1.0.0.1. This vulnerability affects the function formeditUserName of the file /goform/editUserName. Executing manipulation of the argument new_account can lead to buffer overflow. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2025-08-26 | 8.8 | CVE-2025-9443 |
| Tenda--CH22 | A vulnerability was determined in Tenda CH22 1.0.0.1. Affected by this issue is the function fromIpsecitem of the file /goform/IPSECsave of the component httpd. Executing manipulation of the argument ipsecno can lead to stack-based buffer overflow. The attack may be performed from remote. | 2025-08-31 | 8.8 | CVE-2025-9748 |
| thaihavnn07--ATT YouTube Widget | Cross-Site Request Forgery (CSRF) vulnerability in thaihavnn07 ATT YouTube Widget allows Stored XSS. This issue affects ATT YouTube Widget: from n/a through 1.0. | 2025-08-28 | 7.1 | CVE-2025-48359 |
| The Biosig Project--libbiosig | A heap-based buffer overflow vulnerability exists in the RHS2000 parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted RHS2000 file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | 2025-08-25 | 9.8 | CVE-2025-48005 |
| The Biosig Project--libbiosig | An integer overflow vulnerability exists in the GDF parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted GDF file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | 2025-08-25 | 9.8 | CVE-2025-52581 |
| The Biosig Project--libbiosig | A heap-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | 2025-08-25 | 9.8 | CVE-2025-53511 |
| The Biosig Project--libbiosig | An integer overflow vulnerability exists in the ABF parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted ABF file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | 2025-08-25 | 9.8 | CVE-2025-53518 |
| The Biosig Project--libbiosig | A heap-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | 2025-08-25 | 9.8 | CVE-2025-53557 |
| The Biosig Project--libbiosig | A heap-based buffer overflow vulnerability exists in the ISHNE parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted ISHNE ECG annotations file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | 2025-08-25 | 9.8 | CVE-2025-53853 |
| The Biosig Project--libbiosig | A heap-based buffer overflow vulnerability exists in the Nex parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted .nex file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | 2025-08-25 | 9.8 | CVE-2025-54462 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8719 of biosig.c on the current master branch (35a819fa), when the Tag is 0: if (tag==0) { if (len!=1) fprintf(stderr,"Warning MFER tag0 incorrect length %i!=1\n",len); curPos += ifread(buf,1,len,hdr); } | 2025-08-25 | 9.8 | CVE-2025-54480 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8744 of biosig.c on the current master branch (35a819fa), when the Tag is 3: else if (tag==3) { // character code char v[17]; // [1] if (len>16) fprintf(stderr,"Warning MFER tag2 incorrect length %i>16\n",len); curPos += ifread(&v,1,len,hdr); v[len] = 0; In this case, the overflowed buffer is the newly-declared `v` \[1\] instead of `buf`. Since `v` is only 17 bytes large, much smaller values of `len` (even those encoded using a single octet) can trigger an overflow in this code path. | 2025-08-25 | 9.8 | CVE-2025-54481 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8751 of biosig.c on the current master branch (35a819fa), when the Tag is 4: else if (tag==4) { // SPR if (len>4) fprintf(stderr,"Warning MFER tag4 incorrect length %i>4\n",len); curPos += ifread(buf,1,len,hdr); | 2025-08-25 | 9.8 | CVE-2025-54482 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8759 of biosig.c on the current master branch (35a819fa), when the Tag is 5: else if (tag==5) //0x05: number of channels { uint16_t oldNS=hdr->NS; if (len>4) fprintf(stderr,"Warning MFER tag5 incorrect length %i>4\n",len); curPos += ifread(buf,1,len,hdr); | 2025-08-25 | 9.8 | CVE-2025-54483 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8779 of biosig.c on the current master branch (35a819fa), when the Tag is 6: else if (tag==6) // 0x06 "number of sequences" { // NRec if (len>4) fprintf(stderr,"Warning MFER tag6 incorrect length %i>4\n",len); curPos += ifread(buf,1,len,hdr); | 2025-08-25 | 9.8 | CVE-2025-54484 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8785 of biosig.c on the current master branch (35a819fa), when the Tag is 8: else if (tag==8) { if (len>2) fprintf(stderr,"Warning MFER tag8 incorrect length %i>2\n",len); curPos += ifread(buf,1,len,hdr); | 2025-08-25 | 9.8 | CVE-2025-54485 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8824 of biosig.c on the current master branch (35a819fa), when the Tag is 11: else if (tag==11) //0x0B { // Fs if (len>6) fprintf(stderr,"Warning MFER tag11 incorrect length %i>6\n",len); double fval; curPos += ifread(buf,1,len,hdr); | 2025-08-25 | 9.8 | CVE-2025-54486 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8842 of biosig.c on the current master branch (35a819fa), when the Tag is 12: else if (tag==12) //0x0C { // sampling resolution if (len>6) fprintf(stderr,"Warning MFER tag12 incorrect length %i>6\n",len); val32 = 0; int8_t v8; curPos += ifread(&UnitCode,1,1,hdr); curPos += ifread(&v8,1,1,hdr); curPos += ifread(buf,1,len-2,hdr); In addition to values of `len` greater than 130 triggering a buffer overflow, a value of `len` smaller than 2 will also trigger a buffer overflow due to an integer underflow when computing `len-2` in this code path. | 2025-08-25 | 9.8 | CVE-2025-54487 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8850 of biosig.c on the current master branch (35a819fa), when the Tag is 13: else if (tag==13) { if (len>8) fprintf(stderr,"Warning MFER tag13 incorrect length %i>8\n",len); curPos += ifread(&buf,1,len,hdr); | 2025-08-25 | 9.8 | CVE-2025-54488 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 8970 of biosig.c on the current master branch (35a819fa), when the Tag is 63: else if (tag==63) { uint8_t tag2=255, len2=255; count = 0; while ((count<len) && !(FlagInfiniteLength && len2==0 && tag2==0)){ curPos += ifread(&tag2,1,1,hdr); curPos += ifread(&len2,1,1,hdr); if (VERBOSE_LEVEL==9) fprintf(stdout,"MFER: tag=%3i chan=%2i len=%-4i tag2=%3i len2=%3i curPos=%i %li count=%4i\n",tag,chan,len,tag2,len2,curPos,iftell(hdr),(int)count); if (FlagInfiniteLength && len2==0 && tag2==0) break; count += (2+len2); curPos += ifread(&buf,1,len2,hdr); Here, the number of bytes read is not the Data Length decoded from the current frame in the file (`len`) but rather is a new length contained in a single octet read from the same input file (`len2`). Despite this, a stack-based buffer overflow condition can still occur, as the destination buffer is still `buf`, which has a size of only 128 bytes, while `len2` can be as large as 255. | 2025-08-25 | 9.8 | CVE-2025-54489 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 9090 of biosig.c on the current master branch (35a819fa), when the Tag is 64: else if (tag==64) //0x40 { // preamble char tmp[256]; // [1] curPos += ifread(tmp,1,len,hdr); In this case, the overflowed buffer is the newly-declared `tmp` \[1\] instead of `buf`. While `tmp` is larger than `buf`, having a size of 256 bytes, a stack overflow can still occur in cases where `len` is encoded using multiple octets and is greater than 256. | 2025-08-25 | 9.8 | CVE-2025-54490 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 9191 of biosig.c on the current master branch (35a819fa), when the Tag is 65: else if (tag==65) //0x41: patient event { // event table curPos += ifread(buf,1,len,hdr); | 2025-08-25 | 9.8 | CVE-2025-54491 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 9141 of biosig.c on the current master branch (35a819fa), when the Tag is 67: else if (tag==67) //0x43: Sample skew { int skew=0; // [1] curPos += ifread(&skew, 1, len,hdr); In this case, the address of the newly-defined integer `skew` \[1\] is overflowed instead of `buf`. This means a stack overflow can occur using much smaller values of `len` in this code path. | 2025-08-25 | 9.8 | CVE-2025-54492 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 9184 of biosig.c on the current master branch (35a819fa), when the Tag is 131: else if (tag==131) //0x83 { // Patient Age if (len!=7) fprintf(stderr,"Warning MFER tag131 incorrect length %i!=7\n",len); curPos += ifread(buf,1,len,hdr); | 2025-08-25 | 9.8 | CVE-2025-54493 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.This vulnerability manifests on line 9205 of biosig.c on the current master branch (35a819fa), when the Tag is 133: else if (tag==133) //0x85 { curPos += ifread(buf,1,len,hdr); | 2025-08-25 | 9.8 | CVE-2025-54494 |
| The Biosig Project--libbiosig | A stack-based buffer overflow vulnerability exists in the MFER parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted MFER file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | 2025-08-25 | 8.1 | CVE-2025-46411 |
| The Biosig Project--libbiosig | An out-of-bounds read vulnerability exists in the Nex parsing functionality of The Biosig Project libbiosig 3.9.0 and Master Branch (35a819fa). A specially crafted .nex file can lead to an information leak. An attacker can provide a malicious file to trigger this vulnerability. | 2025-08-25 | 8.2 | CVE-2025-52461 |
| ThemeUniver--Glamer | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeUniver Glamer allows PHP Local File Inclusion. This issue affects Glamer: from n/a through 1.0.2. | 2025-08-28 | 8.1 | CVE-2025-53216 |
| TieLabs--Jannah | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah allows PHP Local File Inclusion. This issue affects Jannah: from n/a through 7.4.1. | 2025-08-28 | 8.1 | CVE-2025-53334 |
| TOTOLINK--T10 | A vulnerability has been found in TOTOLINK T10 4.1.8cu.5241_B20210927. Affected is an unknown function of the file /formLoginAuth.htm. The manipulation of the argument authCode with the input 1 leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-27 | 7.3 | CVE-2025-9533 |
| UkrSolution--Barcode Scanner with Inventory & Order Manager | Missing Authorization vulnerability in UkrSolution Barcode Scanner with Inventory & Order Manager.This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.5.3. | 2025-08-31 | 7.1 | CVE-2024-32589 |
| undoIT--Theme Switcher Reloaded | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in undoIT Theme Switcher Reloaded allows Reflected XSS. This issue affects Theme Switcher Reloaded: from n/a through 1.1. | 2025-08-28 | 7.1 | CVE-2025-53223 |
| Unfoldwp--Magazine | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magazine allows PHP Local File Inclusion. This issue affects Magazine: from n/a through 1.2.2. | 2025-08-28 | 8.1 | CVE-2025-53248 |
| Unfoldwp--Magazine Elite | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magazine Elite allows PHP Local File Inclusion. This issue affects Magazine Elite: from n/a through 1.2.4. | 2025-08-28 | 8.1 | CVE-2025-53244 |
| Unfoldwp--Magazine Saga | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Unfoldwp Magazine Saga allows PHP Local File Inclusion. This issue affects Magazine Saga: from n/a through 1.2.7. | 2025-08-28 | 8.1 | CVE-2025-53227 |
| uxper--Golo | Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo allows Authentication Abuse. This issue affects Golo: from n/a through 1.7.0. | 2025-08-28 | 9.8 | CVE-2025-54725 |
| uxper--Golo | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Golo allows Reflected XSS. This issue affects Golo: from n/a through 1.7.1. | 2025-08-28 | 7.1 | CVE-2025-54724 |
| valtimo-platform--valtimo-backend-libraries | Valtimo is a platform for Business Process Automation. In versions before 12.16.0.RELEASE, and from 13.0.0.RELEASE to before 13.1.2.RELEASE, any admin that can create or modify and execute process-definitions could gain access to sensitive data or resources. This includes but is not limited to: running executables on the application host, inspecting and extracting data from the host environment or application properties, spring beans (application context, database pooling). The following conditions have to be met in order to perform this attack: the user must be logged in, have the admin role, and must have some knowledge about running scripts via a the Camunda/Operator engine. Version 12.16.0 and 13.1.2 have been patched. It is strongly advised to upgrade. If no scripting is needed in any of the processes, it could be possible to disable it altogether via the ProcessEngineConfiguration. However, this workaround could lead to unexpected side-effects. | 2025-08-28 | 9.1 | CVE-2025-58059 |
| videowhisper--Video Share VOD Turnkey Video Site Builder Script | The Video Share VOD - Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.6. This is due to missing or incorrect nonce validation on the adminExport() function. This makes it possible for unauthenticated attackers to update settings and execute remote code when the Server command execution setting is enabled via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-28 | 8.8 | CVE-2025-7812 |
| WBW--WooBeWoo Product Filter Pro | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WBW WooBeWoo Product Filter Pro allows SQL Injection.This issue affects WooBeWoo Product Filter Pro: from n/a before 2.9.6. | 2025-08-28 | 9.3 | CVE-2025-39496 |
| web-able--BetPress | Cross-Site Request Forgery (CSRF) vulnerability in web-able BetPress allows Stored XSS. This issue affects BetPress: from n/a through 1.0.1 Lite. | 2025-08-28 | 7.1 | CVE-2025-48309 |
| wedevs--Dokan Pro | The Dokan Pro plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.5. This is due to the plugin not properly validating a user's identity prior to updating their password during a staff password reset. This makes it possible for authenticated attackers, with vendor-level access and above, to elevate their privilege to the level of a staff member and then change arbitrary user passwords, including those of administrators in order to gain access to their accounts. By default, the plugin allows customers to become vendors. | 2025-08-26 | 8.8 | CVE-2025-5931 |
| Welotec--EG400Mk2-D11001-000101 | The JWT secret key is embedded in the egOS WebGUI backend and is readable to the default user. An unauthenticated remote attacker can generate valid HS256 tokens and bypass authentication/authorization due to the use of hard-coded cryptographic key. | 2025-08-26 | 9.8 | CVE-2025-41702 |
| WPInterface--BlogMarks | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPInterface BlogMarks allows PHP Local File Inclusion. This issue affects BlogMarks: from n/a through 1.0.8. | 2025-08-28 | 8.1 | CVE-2025-53247 |
| xagio--Xagio SEO AI Powered SEO | The Xagio SEO plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.1.0.5 via the backup functionality due to weak filename structure and lack of protection in the directory. This makes it possible for unauthenticated attackers to extract sensitive data from backups which can include the entire database and site's files. | 2025-08-28 | 7.5 | CVE-2024-13807 |
| Xavier Media--XM-Backup | Cross-Site Request Forgery (CSRF) vulnerability in Xavier Media XM-Backup allows Stored XSS. This issue affects XM-Backup: from n/a through 0.9.1. | 2025-08-28 | 7.1 | CVE-2025-48109 |
| XmasB--XmasB Quotes | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in XmasB XmasB Quotes allows Reflected XSS. This issue affects XmasB Quotes: from n/a through 1.6.1. | 2025-08-28 | 7.1 | CVE-2025-53220 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 1000projects--Online Project Report Submission and Evaluation System | A vulnerability was determined in 1000projects Online Project Report Submission and Evaluation System 1.0. This affects an unknown function of the file /admin/edit_title.php?id=1. Executing manipulation of the argument desc can lead to cross site scripting. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-08-26 | 4.3 | CVE-2025-9434 |
| 1000projects--Online Project Report Submission and Evaluation System | A security flaw has been discovered in 1000projects Online Project Report Submission and Evaluation System 1.0. Affected is an unknown function of the file /admin/add_student.php. The manipulation of the argument address results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be exploited. | 2025-08-26 | 4.3 | CVE-2025-9438 |
| 1000projects--Online Project Report Submission and Evaluation System | A weakness has been identified in 1000projects Online Project Report Submission and Evaluation System 1.0. Affected by this vulnerability is an unknown functionality of the file /rse/admin/edit_faculty.php?id=2. This manipulation of the argument Name causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be exploited. | 2025-08-26 | 4.3 | CVE-2025-9439 |
| 1000projects--Online Project Report Submission and Evaluation System | A security vulnerability has been detected in 1000projects Online Project Report Submission and Evaluation System 1.0. Affected by this issue is some unknown functionality of the file /admin/add_title.php. Such manipulation of the argument Title leads to cross site scripting. The attack may be performed from a remote location. The exploit has been disclosed publicly and may be used. | 2025-08-26 | 4.3 | CVE-2025-9440 |
| AA-Team--Pro Bulk Watermark Plugin for WordPress | Path Traversal: '.../...//' vulnerability in AA-Team Pro Bulk Watermark Plugin for WordPress allows Path Traversal.This issue affects Pro Bulk Watermark Plugin for WordPress: from n/a through 2.0. | 2025-08-30 | 4.3 | CVE-2025-4956 |
| add-ons.org--PDF for Elementor Forms + Drag And Drop Template Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder allows Stored XSS. This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through 6.2.0. | 2025-08-27 | 6.5 | CVE-2025-58208 |
| AfterShip & Automizely--AfterShip Tracking | Missing Authorization vulnerability in AfterShip & Automizely AfterShip Tracking allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects AfterShip Tracking: from n/a through 1.17.17. | 2025-08-27 | 5.3 | CVE-2025-58201 |
| Agiloft--Agiloft | Agiloft Release 28 does not properly neutralize special elements used in an EUI template engine, allowing an authenticated attacker to achieve remote code execution by loading a specially crafted payload. Users should upgrade to Agiloft Release 31. | 2025-08-26 | 5.9 | CVE-2025-35113 |
| Agiloft--Agiloft | Agiloft Release 28 contains an XML External Entities vulnerability in any table that allows 'import/export', allowing an authenticated attacker to import the template file and perform path traversal on the local system files. Users should upgrade to Agiloft Release 31. | 2025-08-26 | 4.1 | CVE-2025-35112 |
| AiondaDotCom--mcp-ssh | A security flaw has been discovered in AiondaDotCom mcp-ssh up to 1.0.3. Affected by this issue is some unknown functionality of the file server-simple.mjs. Performing manipulation results in command injection. The attack can be initiated remotely. Upgrading to version 1.0.4 and 1.1.0 can resolve this issue. The patch is named cd2566a948b696501abfa6c6b03462cac5fb43d8. It is advisable to upgrade the affected component. | 2025-08-29 | 6.3 | CVE-2025-9654 |
| Akamai--AkamaiGhost | Akamai Ghost before 2025-07-21 allows HTTP Request Smuggling via an OPTIONS request that has an entity body, because there can be a subsequent request within the persistent connection between an Akamai proxy server and an origin server, if the origin server violates certain Internet standards. | 2025-08-29 | 4 | CVE-2025-54142 |
| alexvtn--Chatbox Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in alexvtn Chatbox Manager allows Stored XSS. This issue affects Chatbox Manager: from n/a through 1.2.6. | 2025-08-27 | 6.5 | CVE-2025-58211 |
| ameliabooking--Booking System Trafft | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ameliabooking Booking System Trafft allows Stored XSS. This issue affects Booking System Trafft: from n/a through 1.0.14. | 2025-08-27 | 6.5 | CVE-2025-58213 |
| Ashan Perera--LifePress | Missing Authorization vulnerability in Ashan Perera LifePress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LifePress: from n/a through 2.1.3. | 2025-08-28 | 5.4 | CVE-2025-53337 |
| asterisk--asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 18.26.4 and 18.9-cert17, RTP UDP ports and internal resources can leak due to a lack of session termination. This could result in leaks and resource exhaustion. This issue has been patched in versions 18.26.4 and 18.9-cert17. | 2025-08-28 | 6.5 | CVE-2025-54995 |
| aurelienlws--LWSCache | The LWSCache plugin for WordPress is vulnerable to unauthorized modification of data due to improper authorization on the lwscache_activatePlugin() function in all versions up to, and including, 2.8.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate arbitrary whitelisted LWS plugins. | 2025-08-29 | 4.3 | CVE-2025-8147 |
| Backup Bolt--Backup Bolt | Cross-Site Request Forgery (CSRF) vulnerability in Backup Bolt allows Cross Site Request Forgery.This issue affects Backup Bolt: from n/a through 1.4.1. | 2025-08-27 | 4.3 | CVE-2025-49040 |
| basecamp--google_sign_in | Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.0, it is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin. Rails applications configured to store the flash information in a session cookie may be vulnerable, if this can be chained with an attack that allows injection of arbitrary data into the session cookie. This issue has been patched in version 1.3.0. If upgrading is not possible at this time, a way to mitigate the chained attack can be done by explicitly setting SameSite=Lax or SameSite=Strict on the application session cookie. | 2025-08-27 | 4.2 | CVE-2025-57821 |
| basecamp--google_sign_in | Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.1, it is possible to redirect a user to another origin if the "proceed_to" value in the session store is set to a protocol-relative URL. Normally the value of this URL is only written and read by the library or the calling application. However, it may be possible to set this session value from a malicious site with a form submission. Any Rails applications using the google_sign_in gem may be vulnerable, if this vector can be chained with another attack that is able to modify the OAuth2 request parameters. This issue has been patched in version 1.3.1. There are no workarounds. | 2025-08-29 | 4.2 | CVE-2025-58067 |
| boldthemes--Bold Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder allows Stored XSS. This issue affects Bold Page Builder: from n/a through 5.4.3. | 2025-08-27 | 6.5 | CVE-2025-58194 |
| bPlugins--B Slider | Missing Authorization vulnerability in bPlugins B Slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects B Slider: from n/a through 1.1.30. | 2025-08-28 | 5.8 | CVE-2025-54734 |
| briancolinger--Ultimate Tag Warrior Importer | The Ultimate Tag Warrior Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to import tags granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-29 | 4.3 | CVE-2025-9374 |
| chaimchaikin--Admin Menu Groups | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in chaimchaikin Admin Menu Groups allows Stored XSS.This issue affects Admin Menu Groups: from n/a through 0.1.2. | 2025-08-27 | 5.9 | CVE-2025-49035 |
| chandrashekharsahu--Site Offline | Incorrect Privilege Assignment vulnerability in chandrashekharsahu Site Offline allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Site Offline: from n/a through 1.5.7. | 2025-08-28 | 4.3 | CVE-2025-48348 |
| Chartbeat--Chartbeat | Server-Side Request Forgery (SSRF) vulnerability in Chartbeat Chartbeat allows Server Side Request Forgery. This issue affects Chartbeat: from n/a through 2.0.7. | 2025-08-28 | 6.4 | CVE-2025-53250 |
| Cisco--Cisco Data Center Network Manager | A vulnerability in the REST API endpoints of Cisco Nexus Dashboard and Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, low-privileged, remote attacker to view sensitive information or upload and modify files on an affected device. This vulnerability exists because of missing authorization controls on some REST API endpoints. An attacker could exploit th vulnerability by sending crafted API requests to an affected endpoint. A successful exploit could allow the attacker to perform limited Administrator functions, such as accessing sensitive information regarding HTTP Proxy and NTP configurations, uploading images, and damaging image files on an affected device. | 2025-08-27 | 5.4 | CVE-2025-20347 |
| Cisco--Cisco Nexus Dashboard | A vulnerability in the backup restore functionality of Cisco Nexus Dashboard could allow an authenticated, remote attacker to conduct a path traversal attack on an affected device. This vulnerability is due to insufficient validation of the contents of a backup file. An attacker with valid Administrator credentials could exploit this vulnerability by restoring a crafted backup file to an affected device. A successful exploit could allow the attacker to gain root privileges on the underlying shell on the affected device. | 2025-08-27 | 6.5 | CVE-2025-20344 |
| Cisco--Cisco Nexus Dashboard | A vulnerability in the REST API endpoints of Cisco Nexus Dashboard and Cisco Nexus Dashboard Fabric Controller (NDFC) could allow an authenticated, low-privileged, remote attacker to view sensitive information or upload and modify files on an affected device. This vulnerability exists because of missing authorization controls on some REST API endpoints. An attacker could exploit th vulnerability by sending crafted API requests to an affected endpoint. A successful exploit could allow the attacker to perform limited Administrator functions, such as accessing sensitive information regarding HTTP Proxy and NTP configurations, uploading images, and damaging image files on an affected device. | 2025-08-27 | 5 | CVE-2025-20348 |
| Cisco--Cisco NX-OS Software | A vulnerability in the Protocol Independent Multicast Version 6 (PIM6) feature of Cisco Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches in standalone NX-OS mode could allow an authenticated, low-privileged, remote attacker to trigger a crash of the PIM6 process, resulting in a denial of service (DoS) condition. This vulnerability is due to improper processing of PIM6 ephemeral data queries. An attacker could exploit this vulnerability by sending a crafted ephemeral query to an affected device through one of the following methods: NX-API REST, NETCONF, RESTConf, gRPC, or Model Driven Telemetry. A successful exploit could allow the attacker to cause the PIM6 process to crash and restart, causing potential adjacency flaps and resulting in a DoS of the PIM6 and ephemeral query processes. | 2025-08-27 | 5 | CVE-2025-20262 |
| Cisco--Cisco NX-OS Software | A vulnerability in the logging feature of Cisco NX-OS Software for Cisco Nexus 3000 Series Switches, Cisco Nexus 9000 Series Switches in standalone NX-OS mode, Cisco UCS 6400 Fabric Interconnects, Cisco UCS 6500 Series Fabric Interconnects, and Cisco UCS 9108 100G Fabric Interconnects could allow an authenticated, local attacker access to sensitive information. This vulnerability is due to improper logging of sensitive information. An attacker could exploit this vulnerability by accessing log files on the file system where they are stored. A successful exploit could allow the attacker to access sensitive information, such as stored credentials. | 2025-08-27 | 5.5 | CVE-2025-20290 |
| Cisco--Cisco NX-OS Software | A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute a command injection attack on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid user credentials on the affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by entering crafted input as the argument of an affected CLI command. A successful exploit could allow the attacker to read and write files on the underlying operating system with the privileges of a non-root user account. File system access is limited to the permissions that are granted to that non-root user account. | 2025-08-27 | 4.4 | CVE-2025-20292 |
| Cisco--Cisco Unified Computing System (Managed) | Multiple vulnerabilities in the CLI and web-based management interface of Cisco UCS Manager Software could allow an authenticated, remote attacker with administrative privileges to perform command injection attacks on an affected system and elevate privileges to root. These vulnerabilities are due to insufficient input validation of command arguments supplied by the user. An attacker could exploit these vulnerabilities by authenticating to a device and submitting crafted input to the affected commands. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system of the affected device with root-level privileges. | 2025-08-27 | 6.5 | CVE-2025-20294 |
| Cisco--Cisco Unified Computing System (Managed) | A vulnerability in the CLI of Cisco UCS Manager Software could allow an authenticated, local attacker with administrative privileges to read or create a file or overwrite any file on the file system of the underlying operating system of an affected device, including system files. This vulnerability is due to insufficient input validation of command arguments supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input to the affected command. A successful exploit could allow the attacker to read or create a file or overwrite any file on the file system of the underlying operating system of the affected device, including system files. To exploit this vulnerability, the attacker must have valid administrative credentials on the affected device. | 2025-08-27 | 6 | CVE-2025-20295 |
| Cisco--Cisco Unified Computing System (Managed) | A vulnerability in the Virtual Keyboard Video Monitor (vKVM) connection handling of Cisco Integrated Management Controller (IMC) could allow an authenticated, remote attacker with low privileges to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into a specific data field in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid user credentials with privileges that allow for vKVM access on the affected device. Note: The affected vKVM client is also included in Cisco UCS Manager. | 2025-08-27 | 5.4 | CVE-2025-20342 |
| code-projects--Simple Grading System | A vulnerability was identified in code-projects Simple Grading System 1.0. This impacts an unknown function of the file /edit_account.php of the component Admin Panel. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2025-08-29 | 6.3 | CVE-2025-9663 |
| code-projects--Simple Grading System | A security flaw has been discovered in code-projects Simple Grading System 1.0. Affected is an unknown function of the file /add_student_grade.php of the component Admin Panel. The manipulation of the argument Add results in sql injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-08-29 | 6.3 | CVE-2025-9664 |
| code-projects--Simple Grading System | A weakness has been identified in code-projects Simple Grading System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit_student.php of the component Admin Panel. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-08-29 | 6.3 | CVE-2025-9665 |
| code-projects--Simple Grading System | A security vulnerability has been detected in code-projects Simple Grading System 1.0. Affected by this issue is some unknown functionality of the file /delete_student.php of the component Admin Panel. Such manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-08-29 | 6.3 | CVE-2025-9666 |
| code-projects--Simple Grading System | A vulnerability was detected in code-projects Simple Grading System 1.0. This affects an unknown part of the file /delete_account.php of the component Admin Panel. Performing manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-08-29 | 6.3 | CVE-2025-9667 |
| code-projects--Student Information Management System | A vulnerability was found in code-projects Student Information Management System 1.0. The impacted element is an unknown function of the file /login.php. The manipulation of the argument uname results in cross site scripting. The attack may be performed from a remote location. The exploit has been made public and could be used. | 2025-08-28 | 4.3 | CVE-2025-9595 |
| Comfast--CF-N1 | A vulnerability was detected in Comfast CF-N1 2.6.0. This impacts the function multi_pppoe of the file /usr/bin/webmgnt. Performing manipulation of the argument phy_interface results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-08-28 | 6.3 | CVE-2025-9581 |
| Comfast--CF-N1 | A flaw has been found in Comfast CF-N1 2.6.0. Affected is the function ntp_timezone of the file /usr/bin/webmgnt. Executing manipulation of the argument timestr can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. | 2025-08-28 | 6.3 | CVE-2025-9582 |
| Comfast--CF-N1 | A vulnerability has been found in Comfast CF-N1 2.6.0. Affected by this vulnerability is the function ping_config of the file /usr/bin/webmgnt. The manipulation leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2025-08-28 | 6.3 | CVE-2025-9583 |
| Comfast--CF-N1 | A vulnerability was found in Comfast CF-N1 2.6.0. Affected by this issue is the function update_interface_png of the file /usr/bin/webmgnt. The manipulation of the argument interface/display_name results in command injection. The attack can be executed remotely. The exploit has been made public and could be used. | 2025-08-28 | 6.3 | CVE-2025-9584 |
| Comfast--CF-N1 | A vulnerability was determined in Comfast CF-N1 2.6.0. This affects the function wifilith_delete_pic_file of the file /usr/bin/webmgnt. This manipulation of the argument portal_delete_picname causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-08-28 | 6.3 | CVE-2025-9585 |
| Comfast--CF-N1 | A vulnerability was identified in Comfast CF-N1 2.6.0. This vulnerability affects the function wireless_device_dissoc of the file /usr/bin/webmgnt. Such manipulation of the argument mac leads to command injection. The attack may be performed from a remote location. The exploit is publicly available and might be used. | 2025-08-28 | 6.3 | CVE-2025-9586 |
| contao--contao | Contao is an Open Source CMS. In versions starting from 4.9.14 and prior to 4.13.56, 5.3.38, and 5.6.1, protected content elements that are rendered as fragments are indexed and become publicly available in the front end search. This issue has been patched in versions 4.13.56, 5.3.38, and 5.6.1. A workaround involves disabling the front end search. | 2025-08-28 | 5.3 | CVE-2025-57756 |
| contao--contao | Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, if a news feed contains protected news archives, their news items are not filtered and become publicly available in the RSS feed. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround involves not adding protected news archives to the news feed page. | 2025-08-28 | 5.3 | CVE-2025-57757 |
| contao--contao | Contao is an Open Source CMS. In versions starting from 5.0.0 and prior to 5.3.38 and 5.6.1, the table access voter in the back end doesn't check if a user is allowed to access the corresponding module. This issue has been patched in versions 5.3.38 and 5.6.1. A workaround involves not relying solely on the voter and additionally to check USER_CAN_ACCESS_MODULE. | 2025-08-28 | 4.3 | CVE-2025-57758 |
| contao--contao | Contao is an Open Source CMS. In versions starting from 5.3.0 and prior to 5.3.38 and 5.6.1, under certain conditions, back end users may be able to edit fields of pages and articles without having the necessary permissions. This issue has been patched in versions 5.3.38 and 5.6.1. There are no workarounds. | 2025-08-28 | 4.3 | CVE-2025-57759 |
| D-Link--DI-500WF | A security vulnerability has been detected in D-Link DI-500WF 14.04.10A1T. The impacted element is an unknown function of the file /version_upgrade.asp of the component jhttpd. The manipulation of the argument path leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-08-31 | 4.7 | CVE-2025-9745 |
| D-Link--DIR-816L | A weakness has been identified in D-Link DIR-816L 206b01. Affected by this issue is the function soapcgi_main of the file /soap.cgi. This manipulation of the argument service causes os command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-31 | 6.3 | CVE-2025-9727 |
| Delta Electronics--EIP Builder | Delta Electronics EIP Builder version 1.11 is vulnerable to a File Parsing XML External Entity Processing Information Disclosure Vulnerability. | 2025-08-26 | 5.5 | CVE-2025-57704 |
| diyhi--bbs | A weakness has been identified in diyhi bbs up to 6.8. The impacted element is an unknown function of the file src/main/java/cms/web/action/filePackage/FilePackageManageAction.java of the component File Compression Handler. This manipulation of the argument idGroup causes information disclosure. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be exploited. | 2025-08-26 | 4.3 | CVE-2025-9461 |
| E4 Sistemas--Mercatus ERP | A security flaw has been discovered in E4 Sistemas Mercatus ERP 2.00.019. The affected element is an unknown function of the file /basico/webservice/imprimir-danfe/id/. Performing manipulation results in improper control of resource identifiers. It is possible to initiate the attack remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-29 | 5.3 | CVE-2025-9619 |
| Elastic--Kibana | Incorrect authorization in Kibana can lead to privilege escalation via the built-in reporting_user role which incorrectly has the ability to access all Kibana Spaces. | 2025-08-28 | 6.5 | CVE-2025-25010 |
| Element Invader--ElementInvader Addons for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Element Invader ElementInvader Addons for Elementor allows DOM-Based XSS. This issue affects ElementInvader Addons for Elementor: from n/a through 1.3.6. | 2025-08-27 | 6.5 | CVE-2025-58205 |
| Enalean--tuleap | Tuleap is an Open Source Suite created to facilitate management of software development and collaboration. In Tuleap Community Edition versions before 16.10.99.1754050155 and Tuleap Enterprise Edition versions before 16.9-8 and before 16.10-5, an attacker can access to the content of the special and always there fields of accessible artifacts even if the permissions associated with the underlying fields do not allow it. This issue has been fixed in Tuleap Community Edition version 16.10.99.1754050155 and Tuleap Enterprise Edition versions 16.9-8 and 16.10-5. | 2025-08-29 | 5.3 | CVE-2025-54877 |
| epeken--Epeken All Kurir | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in epeken Epeken All Kurir allows DOM-Based XSS. This issue affects Epeken All Kurir: from n/a through 2.0.1. | 2025-08-27 | 6.5 | CVE-2025-58212 |
| Eric Teubert--Podlove Podcast Publisher | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Eric Teubert Podlove Podcast Publisher allows Phishing. This issue affects Podlove Podcast Publisher: from n/a through 4.2.5. | 2025-08-27 | 4.7 | CVE-2025-58204 |
| everythingwp--Risk Free Cash On Delivery (COD) – WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in everythingwp Risk Free Cash On Delivery (COD) – WooCommerce allows Stored XSS. This issue affects Risk Free Cash On Delivery (COD) – WooCommerce: from n/a through 1.0.4. | 2025-08-28 | 5.9 | CVE-2025-48358 |
| Facebook--WhatsApp Desktop for Mac | Incomplete authorization of linked device synchronization messages in WhatsApp for iOS prior to v2.25.21.73, WhatsApp Business for iOS v2.25.21.78, and WhatsApp for Mac v2.25.21.78 could have allowed an unrelated user to trigger processing of content from an arbitrary URL on a target's device. We assess that this vulnerability, in combination with an OS-level vulnerability on Apple platforms (CVE-2025-43300), may have been exploited in a sophisticated attack against specific targeted users. | 2025-08-29 | 5.4 | CVE-2025-55177 |
| favethemes--Houzez CRM | Missing Authorization vulnerability in favethemes Houzez CRM allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Houzez CRM: from n/a through 1.4.7. | 2025-08-28 | 6.5 | CVE-2025-49402 |
| Finn Dohrn--Statify Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Finn Dohrn Statify Widget allows Stored XSS. This issue affects Statify Widget: from n/a through 1.4.6. | 2025-08-28 | 6.5 | CVE-2025-48322 |
| firecrawl--firecrawl | Firecrawl turns entire websites into LLM-ready markdown or structured data. Prior to version 2.0.1, a server-side request forgery (SSRF) vulnerability was discovered in Firecrawl's webhook functionality. Authenticated users could configure a webhook to an internal URL and send POST requests with arbitrary headers, which may have allowed access to internal systems. This has been fixed in version 2.0.1. If upgrading is not possible, it is recommend to isolate Firecrawl from any sensitive internal systems. | 2025-08-26 | 6.3 | CVE-2025-57818 |
| GalleryVault--Gallery Vault App | A vulnerability was identified in GalleryVault Gallery Vault App up to 4.5.2 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.thinkyeah.galleryvault. The manipulation leads to improper export of android application components. The attack can only be performed from a local environment. The exploit is publicly available and might be used. | 2025-08-30 | 5.3 | CVE-2025-9695 |
| garbowza--OSM Map Widget for Elementor | The OSM Map Widget for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Map Block URL in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-29 | 6.4 | CVE-2025-8619 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 8.15 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have could have allowed an authenticated user to cause a Denial of Service (DoS) condition by submitting URLs that generate excessively large responses. | 2025-08-27 | 6.5 | CVE-2025-3601 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that could have allowed unauthenticated users to access sensitive manual CI/CD variables by querying the GraphQL API. | 2025-08-27 | 5.8 | CVE-2025-2246 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 14.1 before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that that under certain conditions could have allowed an unauthenticated attacker to cause a denial-of-service condition affecting all users by sending specially crafted GraphQL requests. | 2025-08-27 | 5.3 | CVE-2025-4225 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions before 18.1.5, 18.2 before 18.2.5, and 18.3 before 18.3.1 that under certain conditions could have allowed an authenticated attacker to distribute malicious code that appears harmless in the web interface by taking advantage of ambiguity between branches and tags during repository imports. | 2025-08-27 | 5 | CVE-2025-5101 |
| gitpod-io--gitpod | Gitpod is a developer platform for cloud development environments. In versions before main-gha.33628 for both Gitpod Classic and Gitpod Classic Enterprise, OAuth integration with Bitbucket in certain conditions allowed a crafted link to expose a valid Bitbucket access token via the URL fragment when clicked by an authenticated user. This resulted from how Bitbucket returned tokens and how Gitpod handled the redirect flow. The issue was limited to Bitbucket (GitHub and GitLab integrations were not affected), required user interaction, and has been mitigated through redirect handling and OAuth logic hardening. The issue was resolved in main-gha.33628 and later. There are no workarounds. | 2025-08-29 | 6.5 | CVE-2025-55750 |
| givanz--Vvveb | A security vulnerability has been detected in givanz Vvveb 1.0.7.2. This affects an unknown part of the file app/template/user/login.tpl. Such manipulation of the argument Email/Password leads to cross site scripting. The attack can be executed remotely. The name of the patch is bbd4c42c66ab818142240348173a669d1d2537fe. Applying a patch is advised to resolve this issue. | 2025-08-31 | 4.3 | CVE-2025-9728 |
| gslauraspeck--Mesa Mesa Reservation Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gslauraspeck Mesa Mesa Reservation Widget allows Stored XSS. This issue affects Mesa Mesa Reservation Widget: from n/a through 1.0.0. | 2025-08-28 | 5.9 | CVE-2025-48319 |
| HCL Software--AIML Solutions for SX | AIML Solutions for HCL SX is vulnerable to a URL validation vulnerability. The issue may allow attackers to launch a server-side request forgery (SSRF) attack enabling unauthorized network calls from the system, potentially exposing internal services or sensitive information. | 2025-08-28 | 5.1 | CVE-2025-31971 |
| HCL Software--BigFix Service Management (SM) | HCL BigFix SM is affected by a Sensitive Information Exposure vulnerability where internal connections do not use TLS encryption which could allow an attacker unauthorized access to sensitive data transmitted between internal components. | 2025-08-28 | 6.5 | CVE-2025-31972 |
| HCL Software--BigFix Service Management (SM) | HCL BigFix SM is affected by cryptographic weakness due to weak or outdated encryption algorithms. An attacker with network access could exploit this weakness to decrypt or manipulate encrypted communications under certain conditions. | 2025-08-28 | 5.3 | CVE-2025-31977 |
| HCL Software--BigFix Service Management (SM) | A File Upload Validation Bypass vulnerability has been identified in the HCL BigFix SM, where the application fails to properly enforce file type restrictions during the upload process. An attacker may exploit this flaw to upload malicious or unauthorized files, such as scripts, executables, or web shells, by bypassing client-side or server-side validation mechanisms. | 2025-08-28 | 5.4 | CVE-2025-31979 |
| Hikvision--HikCentral FocSign | There is an Unquoted Service Path Vulnerability in some HikCentral FocSign versions. This could allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-29 | 5.3 | CVE-2025-39246 |
| Hikvision--HikCentral Master Lite | There is a CSV Injection Vulnerability in some HikCentral Master Lite versions. This could allow an attacker to inject executable commands via malicious CSV data. | 2025-08-29 | 4.7 | CVE-2025-39245 |
| HuangDou--UTCMS | A vulnerability was found in HuangDou UTCMS 9. This issue affects some unknown processing of the file app/modules/ut-frame/admin/update.php of the component Config Handler. Performing manipulation of the argument UPDATEURL results in server-side request forgery. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-25 | 4.7 | CVE-2025-9402 |
| iatspaymentsdev--iATS Online Forms | The iATS Online Forms plugin for WordPress is vulnerable to time-based SQL Injection via the 'order' parameter in all versions up to, and including, 1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-08-29 | 6.5 | CVE-2025-9441 |
| IBM--Cognos Command Center | IBM Cognos Command Center 10.2.4.1 and 10.2.5 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. | 2025-08-26 | 6.1 | CVE-2025-1494 |
| IBM--Watson Studio on Cloud Pak for Data | IBM Watson Studio on Cloud Pak for Data 4.0 and 5.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-08-28 | 5.4 | CVE-2024-49790 |
| imaprogrammer--Custom Comment | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in imaprogrammer Custom Comment allows Stored XSS. This issue affects Custom Comment: from n/a through 2.1.6. | 2025-08-28 | 5.9 | CVE-2025-48365 |
| inkthemes--WP Mailgun SMTP | Missing Authorization vulnerability in inkthemes WP Mailgun SMTP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WP Mailgun SMTP: from n/a through 1.0.7. | 2025-08-28 | 5.3 | CVE-2025-48327 |
| Isra--Kanpress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Isra Kanpress allows Stored XSS. This issue affects Kanpress: from n/a through 1.1. | 2025-08-28 | 6.5 | CVE-2025-48356 |
| ItayXD--Responsive Mobile-Friendly Tooltip | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ItayXD Responsive Mobile-Friendly Tooltip allows Stored XSS. This issue affects Responsive Mobile-Friendly Tooltip: from n/a through 1.6.6. | 2025-08-28 | 6.5 | CVE-2025-48316 |
| itsourcecode--Apartment Management System | A weakness has been identified in itsourcecode Apartment Management System 1.0. This issue affects some unknown processing of the file /employee/addemployee.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. | 2025-08-25 | 6.3 | CVE-2025-9417 |
| JetBrains--Junie | In JetBrains Junie before 252.284.66, 251.284.66, 243.284.66, 252.284.61, 251.284.61, 243.284.61, 252.284.50, 252.284.54, 251.284.54, 251.284.50, 243.284.54, 243.284.50 information disclosure was possible via search_project function | 2025-08-28 | 5.5 | CVE-2025-58335 |
| jgwhite33--WP Thumbtack Review Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP Thumbtack Review Slider allows Stored XSS. This issue affects WP Thumbtack Review Slider: from n/a through 2.6. | 2025-08-27 | 5.9 | CVE-2025-58216 |
| justinbusa--Beaver Builder WordPress Page Builder | The Beaver Builder - WordPress Page Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ''fl_builder' parameter in all versions up to, and including, 2.9.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-08-28 | 6.1 | CVE-2025-8897 |
| Kakao-- Hey Kakao App | A vulnerability was detected in Kakao í—¤ì´ì¹´ì¹´ì˜¤ Hey Kakao App up to 2.17.4 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.kakao.i.connect. The manipulation results in improper export of android application components. The attack requires a local approach. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-29 | 5.3 | CVE-2025-9673 |
| kalcaddle--kodbox | A vulnerability was found in kalcaddle kodbox 1.61. Affected by this vulnerability is an unknown functionality of the file /?explorer/upload/serverDownload of the component Download from Link Handler. Performing manipulation of the argument url results in server-side request forgery. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-25 | 4.7 | CVE-2025-9414 |
| kevin heath--Tripadvisor Shortcode | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kevin heath Tripadvisor Shortcode allows Stored XSS. This issue affects Tripadvisor Shortcode: from n/a through 2.2. | 2025-08-28 | 5.9 | CVE-2025-48313 |
| Kevin Langley Jr.--Post Type Converter | Cross-Site Request Forgery (CSRF) vulnerability in Kevin Langley Jr. Post Type Converter allows Cross-Site Request Forgery.This issue affects Post Type Converter: from n/a through 0.6. | 2025-08-25 | 4.3 | CVE-2025-48303 |
| kevinweber--Lazy Load for Videos | The Lazy Load for Videos plugin for WordPress is vulnerable to Stored Cross-Site Scripting via its lazy‑loading handlers in all versions up to, and including, 2.18.7 due to insufficient input sanitization and output escaping. The plugin's JavaScript registration handlers read the client‑supplied 'data-video-title' and 'href' attributes, decode HTML entities by default, and pass them directly into DOM sinks without any escaping or validation. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-27 | 6.4 | CVE-2025-7732 |
| khashabawy--tli.tl auto Twitter poster | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in khashabawy tli.tl auto Twitter poster allows Stored XSS. This issue affects tli.tl auto Twitter poster: from n/a through 3.4. | 2025-08-28 | 5.9 | CVE-2025-48324 |
| Kubernetes--Kubernetes | A vulnerability exists in the NodeRestriction admission controller in Kubernetes clusters where node users can delete their corresponding node object by patching themselves with an OwnerReference to a cluster-scoped resource. If the OwnerReference resource does not exist or is subsequently deleted, the given node object will be deleted via garbage collection. | 2025-08-27 | 6.7 | CVE-2025-5187 |
| LB-LINK--BL-X26 | A weakness has been identified in LB-LINK BL-X26 1.2.8. The impacted element is an unknown function of the file /goform/set_hidessid_cfg of the component HTTP Handler. This manipulation of the argument enable causes os command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-28 | 6.3 | CVE-2025-9579 |
| LB-LINK--BL-X26 | A security vulnerability has been detected in LB-LINK BL-X26 1.2.8. This affects an unknown function of the file /goform/set_blacklist of the component HTTP Handler. Such manipulation of the argument mac leads to os command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-28 | 6.3 | CVE-2025-9580 |
| Linksys--E1700 | A vulnerability was determined in Linksys E1700 1.0.0.4.003. This vulnerability affects the function systemCommand of the file /goform/systemCommand. Executing manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-27 | 4.7 | CVE-2025-9528 |
| Linksys--RE6250 | A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This issue affects the function cgiMain of the file /cgi-bin/upload.cgi. Executing manipulation of the argument filename can lead to os command injection. The attack may be performed from a remote location. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-28 | 6.3 | CVE-2025-9575 |
| LiquidThemes--AI Hub - Startup & Technology WordPress Theme | Multiple plugins and/or themes for WordPress by LiquidThemes are vulnerable to unauthorized access due to a missing capability check on the liquid_reset_wordpress_before AJAX in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate all of a site's plugins. While we escalated this to Envato after not being able to establish contact, it appears the developer added a nonce check, however that is not sufficient protection as the nonce is exposed to all users with access to the dashboard. | 2025-08-28 | 4.3 | CVE-2025-0951 |
| lostvip-com--ruoyi-go | A weakness has been identified in lostvip-com ruoyi-go up to 2.1. The affected element is the function SelectListByPage of the file modules/system/dao/GenTableDao.go. Executing manipulation of the argument isAsc/orderByColumn can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-25 | 6.3 | CVE-2025-9410 |
| lostvip-com--ruoyi-go | A security vulnerability has been detected in lostvip-com ruoyi-go up to 2.1. The impacted element is the function SelectPageList of the file modules/system/service/LoginInforService.go. The manipulation of the argument isAsc leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-25 | 6.3 | CVE-2025-9411 |
| lostvip-com--ruoyi-go | A vulnerability was detected in lostvip-com ruoyi-go up to 2.1. This affects the function SelectListByPage of the file modules/system/dao/DictDataDao.go. The manipulation of the argument orderByColumn/isAsc results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-25 | 6.3 | CVE-2025-9412 |
| lostvip-com--ruoyi-go | A flaw has been found in lostvip-com ruoyi-go up to 2.1. This impacts the function SelectListByPage of the file modules/system/system_router.go. This manipulation of the argument orderByColumn/isAsc causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-25 | 6.3 | CVE-2025-9413 |
| lostvip-com--ruoyi-go | A security flaw has been discovered in lostvip-com ruoyi-go up to 2.1. Impacted is the function DownloadTmp/DownloadUpload of the file modules/system/controller/CommonController.go. Performing manipulation of the argument fileName results in path traversal. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-25 | 4.3 | CVE-2025-9409 |
| Md Abunaser Khan--Advance Food Menu | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Md Abunaser Khan Advance Food Menu allows Stored XSS. This issue affects Advance Food Menu: from n/a through 1.0. | 2025-08-28 | 5.9 | CVE-2025-48323 |
| Metin Sara--Popup for CF7 with Sweet Alert | Cross-Site Request Forgery (CSRF) vulnerability in Metin Saraç Popup for CF7 with Sweet Alert allows Cross Site Request Forgery. This issue affects Popup for CF7 with Sweet Alert: from n/a through 1.6.5. | 2025-08-28 | 4.3 | CVE-2025-48363 |
| mibuthu--Link View | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mibuthu Link View allows Stored XSS. This issue affects Link View: from n/a through 0.8.0. | 2025-08-28 | 6.5 | CVE-2025-48110 |
| mibuthu--Link View | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mibuthu Link View allows Stored XSS.This issue affects Link View: from n/a through 0.8.0. | 2025-08-27 | 5.9 | CVE-2025-49039 |
| Mihomo--Party | A vulnerability was detected in Mihomo Party up to 1.8.1 on macOS. Affected is the function enableSysProxy of the file src/main/sys/sysproxy.ts of the component Socket Handler. The manipulation results in creation of temporary file with insecure permissions. The attack requires a local approach. This attack is characterized by high complexity. The exploitability is told to be difficult. The exploit is now public and may be used. | 2025-08-26 | 4.5 | CVE-2025-9474 |
| Miles--All Bootstrap Blocks | Missing Authorization vulnerability in Miles All Bootstrap Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects All Bootstrap Blocks: from n/a through 1.3.28. | 2025-08-28 | 6.5 | CVE-2025-54733 |
| milmor--Amministrazione Trasparente | The Amministrazione Trasparente plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-08-31 | 5.5 | CVE-2025-5083 |
| Mitsubishi Electric Corporation--MELSEC iQ-F Series FX5U-32MT/ES | Improper Handling of Length Parameter Inconsistency vulnerability in web server function on Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote unauthenticated attacker to delay the processing of the web server function and prevent legitimate users from utilizing the web server function, by sending a specially crafted HTTP request. | 2025-08-25 | 5.3 | CVE-2025-5514 |
| mixmark-io--turndown | A security flaw has been discovered in mixmark-io turndown up to 7.2.1. This affects an unknown function of the file src/commonmark-rules.js. Performing manipulation results in inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. | 2025-08-29 | 5.3 | CVE-2025-9670 |
| Modo--Legend of the Phoenix | A security flaw has been discovered in Modo Legend of the Phoenix up to 1.0.5. The affected element is an unknown function of the file AndroidManifest.xml of the component com.duige.hzw.multilingual. The manipulation results in improper export of android application components. The attack needs to be approached locally. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-29 | 5.3 | CVE-2025-9677 |
| Mojoomla--School Management | Missing Authorization vulnerability in Mojoomla School Management allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects School Management: from n/a through 93.2.0. | 2025-08-26 | 6.5 | CVE-2025-48108 |
| mra13 / Team Tips and Tricks HQ--Simple Download Monitor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mra13 / Team Tips and Tricks HQ Simple Download Monitor allows Stored XSS. This issue affects Simple Download Monitor: from n/a through 3.9.34. | 2025-08-27 | 6.5 | CVE-2025-58197 |
| mra13--Simple Download Monitor | The Simple Download Monitor plugin for WordPress is vulnerable to time-based SQL Injection via the order parameter in all versions up to, and including, 3.9.33 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, and permissions granted by an Administrator, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-08-28 | 6.5 | CVE-2025-8977 |
| mtons--mblog | A flaw has been found in mtons mblog up to 3.5.0. Impacted is an unknown function of the file /search. This manipulation of the argument kw causes cross site scripting. The attack can be initiated remotely. The exploit has been published and may be used. | 2025-08-26 | 4.3 | CVE-2025-9431 |
| mtons--mblog | A vulnerability has been found in mtons mblog up to 3.5.0. The affected element is an unknown function of the file /admin/post/list of the component Admin Panel. Such manipulation of the argument Title leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-26 | 4.3 | CVE-2025-9432 |
| mtons--mblog | A vulnerability was found in mtons mblog up to 3.5.0. The impacted element is an unknown function of the file /admin/user/list of the component Admin Panel. Performing manipulation of the argument Name results in cross site scripting. The attack may be initiated remotely. The exploit has been made public and could be used. | 2025-08-26 | 4.3 | CVE-2025-9433 |
| mtons--mblog | A weakness has been identified in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /admin/role/list. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-08-29 | 4.3 | CVE-2025-9647 |
| n/a--DCMTK | A vulnerability was identified in DCMTK up to 3.6.9. This affects an unknown function in the library dcmimage/include/dcmtk/dcmimage/diybrpxt.h of the component dcm2img. Such manipulation leads to memory corruption. Local access is required to approach this attack. The name of the patch is 7ad81d69b. It is best practice to apply a patch to resolve this issue. | 2025-08-31 | 5.3 | CVE-2025-9732 |
| n/a--GreenCMS | A vulnerability was identified in GreenCMS up to 2.3.0603. This affects an unknown part of the file /index.php?m=admin&c=media&a=fileconnect. The manipulation of the argument upload[] leads to unrestricted upload. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-25 | 6.3 | CVE-2025-9415 |
| n/a--Koillection | A vulnerability has been found in Koillection up to 1.6.18. Affected is an unknown function of the file assets/controllers/csrf_protection_controller.js. Such manipulation leads to cross-site request forgery. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 is able to address this issue. The name of the patch is 9ab8562d3f1e953da93fed63f9ee802c7ea26a9a. It is suggested to upgrade the affected component. The vendor explains: "I ended up switching to a newer CSRF handling using stateless token." | 2025-08-31 | 4.3 | CVE-2025-9747 |
| n/a--Mupen64Plus | A security vulnerability has been detected in Mupen64Plus up to 2.6.0. The affected element is the function write_is_viewer of the file src/device/cart/is_viewer.c. The manipulation leads to integer overflow. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been disclosed publicly and may be used. The identifier of the patch is 3984137fc0c44110f1ef876adb008885b05a6e18. To fix this issue, it is recommended to deploy a patch. | 2025-08-30 | 5 | CVE-2025-9688 |
| n/a--Open5GS | A security flaw has been discovered in Open5GS up to 2.7.5. The impacted element is the function gmm_state_exception of the file src/amf/gmm-sm.c. The manipulation results in reachable assertion. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The patch is identified as 8e5fed16114f2f5e40bee1b161914b592b2b7b8f. Applying a patch is advised to resolve this issue. | 2025-08-25 | 5.3 | CVE-2025-9405 |
| n/a--Rejseplanen App | A security vulnerability has been detected in Rejseplanen App up to 8.2.2. Affected is an unknown function of the file AndroidManifest.xml of the component de.hafas.android.rejseplanen. The manipulation leads to improper export of android application components. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-29 | 5.3 | CVE-2025-9672 |
| n/a--Voice Changer App | A vulnerability was determined in Voice Changer App up to 1.1.0. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.tuyangkeji.changevoice. Executing manipulation can lead to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. | 2025-08-29 | 5.3 | CVE-2025-9675 |
| NCSOFT--Universe App | A vulnerability was identified in NCSOFT Universe App up to 1.3.0. Impacted is an unknown function of the file AndroidManifest.xml of the component com.ncsoft.universeapp. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-29 | 5.3 | CVE-2025-9676 |
| Neuralabz LTD--AutoWP | Missing Authorization vulnerability in Neuralabz LTD AutoWP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AutoWP: from n/a through 2.2.2. | 2025-08-28 | 4.3 | CVE-2025-48350 |
| nicheaddons--Events Addon for Elementor | The Events Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter and Countdown widgets in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-29 | 6.4 | CVE-2025-8150 |
| Nozomi Networks--CMC | An access control vulnerability was discovered in the Request Trace and Download Trace functionalities of CMC before 25.1.0 due to a specific access restriction not being properly enforced for users with limited privileges. An authenticated user with limited privileges can request and download trace files due to improper access restrictions, potentially exposing unauthorized network data. | 2025-08-26 | 4.3 | CVE-2025-1501 |
| oceanwp--Ocean Extra | The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's oceanwp_library shortcode in all versions up to, and including, 2.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-30 | 6.4 | CVE-2025-9499 |
| openebs--rawfile-localpv | OpenEBS Local PV RawFile allows dynamic deployment of Stateful Persistent Node-Local Volumes & Filesystems for Kubernetes. Prior to version 0.10.0, persistent volume data is world readable and that would allow non-privileged users to access sensitive data such as databases of k8s workload. The rawfile-localpv storage class creates persistent volume data under /var/csi/rawfile/ on Kubernetes hosts by default. However, the directory and data in it are world-readable. It allows non-privileged users to access the whole persistent volume data, and those can include sensitive information such as a whole database if the Kubernetes tenants are running MySQL or PostgreSQL in a container so it could lead to a database breach. This issue has been patched in version 0.10.0. | 2025-08-28 | 5.5 | CVE-2025-58061 |
| origincode--Video Gallery Vimeo and YouTube Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in origincode Video Gallery - Vimeo and YouTube Gallery allows Stored XSS. This issue affects Video Gallery - Vimeo and YouTube Gallery: from n/a through 1.1.7. | 2025-08-28 | 6.5 | CVE-2025-48349 |
| pendulum-project--ntpd-rs | nptd-rs is a tool for synchronizing your computer's clock, implementing the NTP and NTS protocols. In versions between 1.2.0 and 1.6.1 inclusive servers which allow non-NTS traffic are affected by a denial of service vulnerability, where an attacker can induce a message storm between two NTP servers running ntpd-rs. Client-only configurations are not affected. Affected users are recommended to upgrade to version 1.6.2 as soon as possible. | 2025-08-29 | 5.3 | CVE-2025-58066 |
| peterhebert--Custom Query Shortcode | The Custom Query Shortcode plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 0.4.0 via the 'lens' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of files on the server, which can contain sensitive information. | 2025-08-25 | 6.5 | CVE-2025-8562 |
| PHPGurukul--Directory Management System | A security vulnerability has been detected in PHPGurukul Directory Management System 2.0. This vulnerability affects unknown code of the file /admin/add-directory.php. The manipulation of the argument fullname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2025-08-29 | 4.3 | CVE-2025-9656 |
| plugincy--Dynamic AJAX Product Filters for WooCommerce | The Dynamic AJAX Product Filters for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'className' parameter in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-28 | 6.4 | CVE-2025-6255 |
| plugincy--Dynamic AJAX Product Filters for WooCommerce | The Dynamic AJAX Product Filters for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 1.3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-28 | 6.4 | CVE-2025-8073 |
| Plugins and Snippets--Simple Page Access Restriction | Cross-Site Request Forgery (CSRF) vulnerability in Plugins and Snippets Simple Page Access Restriction allows Cross Site Request Forgery. This issue affects Simple Page Access Restriction: from n/a through 1.0.32. | 2025-08-27 | 4.3 | CVE-2025-58202 |
| Portabilis--i-Educar | A vulnerability was detected in Portabilis i-Educar up to 2.10. This affects an unknown function of the file /intranet/agenda.php of the component Agenda Module. Performing manipulation of the argument cod_agenda results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-27 | 6.3 | CVE-2025-9531 |
| Portabilis--i-Educar | A flaw has been found in Portabilis i-Educar up to 2.10. This impacts an unknown function of the file /RegraAvaliacao/view. Executing manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-27 | 6.3 | CVE-2025-9532 |
| Portabilis--i-Educar | A vulnerability was detected in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/agenda_preferencias.php. Performing manipulation of the argument cod_agenda results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2025-08-29 | 6.3 | CVE-2025-9606 |
| Portabilis--i-Educar | A flaw has been found in Portabilis i-Educar up to 2.10. Affected by this issue is some unknown functionality of the file /module/TabelaArredondamento/view of the component Tabelas de Arredondamento Page. Executing manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used. | 2025-08-29 | 6.3 | CVE-2025-9607 |
| Portabilis--i-Educar | A vulnerability has been found in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /module/FormulaMedia/view of the component Formula de Cálculo de Média Page. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. | 2025-08-29 | 6.3 | CVE-2025-9608 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /educacenso/consulta. The manipulation results in improper authorization. The attack can be executed remotely. The exploit has been made public and could be used. | 2025-08-29 | 6.3 | CVE-2025-9609 |
| Portabilis--i-Educar | A vulnerability was determined in Portabilis i-Educar up to 2.10. This affects an unknown part of the file /module/FormulaMedia/edit of the component Formula de Cálculo de Média Page. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2025-08-30 | 6.3 | CVE-2025-9684 |
| Portabilis--i-Educar | A vulnerability was identified in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /module/AreaConhecimento/view of the component Listagem de áreas de conhecimento Page. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. | 2025-08-30 | 6.3 | CVE-2025-9685 |
| Portabilis--i-Educar | A security flaw has been discovered in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /module/AreaConhecimento/edit of the component Listagem de áreas de conhecimento Page. Performing manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. | 2025-08-30 | 6.3 | CVE-2025-9686 |
| Portabilis--i-Educar | A weakness has been identified in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/HistoricoEscolar/processamentoApi. Executing manipulation can lead to improper authorization. The attack may be performed from a remote location. The exploit has been made available to the public and could be exploited. | 2025-08-30 | 6.3 | CVE-2025-9687 |
| Printeers--Printeers Print & Ship | Path Traversal: '.../...//' vulnerability in Printeers Printeers Print & Ship allows Path Traversal.This issue affects Printeers Print & Ship: from n/a through 1.17.0. | 2025-08-27 | 5.3 | CVE-2025-48081 |
| pronamic--Pronamic Google Maps | The Pronamic Google Maps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the description field in all versions up to, and including, 2.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-28 | 5.4 | CVE-2025-9352 |
| Razvan Stanga--Varnish/Nginx Proxy Caching | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Razvan Stanga Varnish/Nginx Proxy Caching allows Stored XSS. This issue affects Varnish/Nginx Proxy Caching: from n/a through 1.8.3. | 2025-08-28 | 5.9 | CVE-2025-48360 |
| Revolution Slider--Slider Revolution | The Slider Revolution plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.7.36 via the 'used_svg' and 'used_images' parameters. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-08-29 | 6.5 | CVE-2025-9217 |
| rtCamp--Transcoder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rtCamp Transcoder allows Stored XSS. This issue affects Transcoder: from n/a through 1.4.0. | 2025-08-27 | 6.5 | CVE-2025-58209 |
| Ruijie--WS7204-A | A vulnerability was identified in Ruijie WS7204-A 2017.06.15. Affected by this vulnerability is an unknown functionality of the file /itbox_pi/branch_import.php?a=branch_list. Such manipulation of the argument province leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-25 | 4.7 | CVE-2025-9424 |
| Saeed Sattar Beglou--Hesabfa Accounting | Insertion of Sensitive Information Into Sent Data vulnerability in Saeed Sattar Beglou Hesabfa Accounting allows Retrieve Embedded Sensitive Data. This issue affects Hesabfa Accounting: from n/a through 2.2.4. | 2025-08-28 | 5.3 | CVE-2025-48361 |
| Saeed Sattar Beglou--Hesabfa Accounting | Cross-Site Request Forgery (CSRF) vulnerability in Saeed Sattar Beglou Hesabfa Accounting allows Cross Site Request Forgery. This issue affects Hesabfa Accounting: from n/a through 2.2.4. | 2025-08-28 | 5.4 | CVE-2025-48362 |
| salubrio--Add Code To Head | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in salubrio Add Code To Head allows Stored XSS. This issue affects Add Code To Head: from n/a through 1.17. | 2025-08-28 | 5.9 | CVE-2025-48314 |
| servmask--All-in-One WP Migration and Backup | The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Import in all versions up to, and including, 7.97 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-08-26 | 4.4 | CVE-2025-8490 |
| shafhasan--chatbox | A vulnerability was found in shafhasan chatbox up to 156a39cde62f78532c3265a70eda12c70907e56f. This impacts an unknown function of the file /chat.php. The manipulation of the argument user_id results in sql injection. The attack may be performed from a remote location. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. | 2025-08-29 | 6.3 | CVE-2025-9651 |
| shen2-- | Cross-Site Request Forgery (CSRF) vulnerability in shen2 多说社会化评论框 allows Cross Site Request Forgery. This issue affects 多说社会化评论框: from n/a through 1.2. | 2025-08-28 | 4.3 | CVE-2025-48318 |
| sitesearch-yandex--Yandex Site search pinger | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sitesearch-yandex Yandex Site search pinger allows Stored XSS. This issue affects Yandex Site search pinger: from n/a through 1.5. | 2025-08-28 | 5.9 | CVE-2025-48352 |
| SMA--Boy 3.0 | An authorized remote attacker can access files and directories outside the intended web root, potentially exposing sensitive system information of the affected Sunny Boy devices. | 2025-08-27 | 6.5 | CVE-2021-4459 |
| sminozzi--Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection | The Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin for WordPress is vulnerable to unauthorized access of data due to an insufficient capability check on the 'stopbadbots_check_wordpress_logged_in_cookie' function in all versions up to, and including, 11.58. This makes it possible for unauthenticated attackers to bypass blocklists, rate limits, and other plugin functionality. | 2025-08-28 | 6.5 | CVE-2025-9376 |
| softaculous--SiteSEO SEO Simplified | The SiteSEO - SEO Simplified plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the broken preg_replace expression in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-26 | 6.4 | CVE-2025-9277 |
| softdiscover--File Manager, Code Editor, and Backup by Managefy | The File Manager, Code Editor, and Backup by Managefy plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.8 via the ajax_downloadfile() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory. | 2025-08-28 | 4.9 | CVE-2025-9345 |
| solacewp--Solace Extra | Server-Side Request Forgery (SSRF) vulnerability in solacewp Solace Extra allows Server Side Request Forgery. This issue affects Solace Extra: from n/a through 1.3.2. | 2025-08-27 | 4.4 | CVE-2025-58203 |
| Solidigm--D7-PS1010/D7-PS1030 | Improper input validation in firmware of some Solidigm DC Products may allow an attacker with local access to cause a Denial of Service | 2025-08-28 | 4.4 | CVE-2025-9195 |
| SourceCodester--Advanced School Management System | A vulnerability was detected in SourceCodester Advanced School Management System 1.0. The impacted element is an unknown function of the file /index.php/stock/item_select. The manipulation of the argument q results in sql injection. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2025-08-30 | 6.3 | CVE-2025-9689 |
| SourceCodester--Advanced School Management System | A flaw has been found in SourceCodester Advanced School Management System 1.0. This affects an unknown function of the file /index.php/stock/vendordetails. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2025-08-30 | 6.3 | CVE-2025-9690 |
| stanton119--WordPress HTML | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stanton119 WordPress HTML allows Stored XSS. This issue affects WordPress HTML: from n/a through 0.51. | 2025-08-28 | 6.5 | CVE-2025-48315 |
| stiofansisland--UsersWP Front-end login form, User Registration, User Profile & Members Directory plugin for WP | The UsersWP - Front-end login form, User Registration, User Profile & Members Directory plugin for WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uwp_profile' and 'uwp_profile_header' shortcodes in all versions up to, and including, 1.2.42 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-28 | 6.4 | CVE-2025-9344 |
| Synology--RADIUS Server | Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Synology RADIUS Server allows remote authenticated users with administrator privileges to read or write limited files in SRM and conduct limited denial-of-service via unspecified vectors. | 2025-08-29 | 5.9 | CVE-2024-13987 |
| TeamViewer--Full Client | Race Condition in the Directory Validation Logic in the TeamViewer Full Client and Host prior version 15.69 on Windows allows a local non-admin user to create arbitrary files with SYSTEM privileges, potentially leading to a denial-of-service condition, via symbolic link manipulation during directory verification. | 2025-08-26 | 6.1 | CVE-2025-44002 |
| Telesquare--TLR-2005KSH | A vulnerability was determined in Telesquare TLR-2005KSH 1.2.4. The affected element is an unknown function of the file /cgi-bin/internet.cgi?Command=lanCfg. Executing manipulation of the argument Hostname can lead to command injection. The attack may be performed from a remote location. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-29 | 6.3 | CVE-2025-9603 |
| The-Scratch-Channel--the-scratch-channel.github.io | The Scratch Channel is a news website. In version 1, it is possible to go to application in devtools and click local storage to edit the account's username locally. This issue has been patched in version 1.1. | 2025-08-25 | 6.7 | CVE-2025-55301 |
| Theme Century--Century ToolKit | Cross-Site Request Forgery (CSRF) vulnerability in Theme Century Century ToolKit allows Cross Site Request Forgery. This issue affects Century ToolKit: from n/a through 1.2.1. | 2025-08-28 | 5.4 | CVE-2025-48357 |
| themefic--Tourfic Ultimate Travel Booking, Hotel Booking & Car Rental WordPress Plugin | WooCommerce Booking | The Tourfic plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the tf_order_status_email_resend_function, tf_visitor_details_edit_function, tf_checkinout_details_edit_function, tf_order_status_edit_function, tf_order_bulk_action_edit_function, tf_remove_room_order_ids, and tf_delete_old_review_fields functions in all versions up to, and including, 2.14.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to resend order status emails, update visitor/order details, edit check-in/out details, edit order status, perform bulk order status updates, remove room order IDs, and delete old review fields, respectively. | 2025-08-26 | 4.3 | CVE-2024-8860 |
| tobiasbg--TablePress Tables in WordPress made easy | The TablePress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'shortcode_debug' parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-30 | 6.4 | CVE-2025-9500 |
| Transbyte--Scooper News App | A flaw has been found in Transbyte Scooper News App up to 1.2 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.hatsune.eagleee. This manipulation causes improper export of android application components. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-29 | 5.3 | CVE-2025-9674 |
| traPtitech--traQ | traQ is a messenger application built for Digital Creators Club traP. Prior to version 3.25.0, a vulnerability exists where sensitive information, such as OAuth tokens, are recorded in log files when an error occurs during the execution of an SQL query. An attacker could intentionally trigger an SQL error by methods such as placing a high load on the database. This could allow an attacker who has the authority to view the log files to illicitly acquire the recorded sensitive information. This vulnerability has been patched in version 3.25.0. If upgrading is not possible, a temporary workaround involves reviewing access permissions for SQL error logs and strictly limiting access to prevent unauthorized users from viewing them. | 2025-08-26 | 5.9 | CVE-2025-57813 |
| UAB--Paytend App | A weakness has been identified in UAB Paytend App up to 2.1.9 on Android. This impacts an unknown function of the file AndroidManifest.xml of the component com.passport.cash. Executing manipulation can lead to improper export of android application components. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-29 | 5.3 | CVE-2025-9671 |
| uicore--UiCore Elements | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uicore UiCore Elements allows Stored XSS. This issue affects UiCore Elements: from n/a through 1.3.4. | 2025-08-27 | 6.5 | CVE-2025-58196 |
| ulikunitz--xz | xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14. | 2025-08-28 | 5.3 | CVE-2025-58058 |
| Uncanny Owl--Uncanny Automator | Missing Authorization vulnerability in Uncanny Owl Uncanny Automator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uncanny Automator: from n/a through 6.7.0.1. | 2025-08-27 | 4.3 | CVE-2025-58193 |
| unitecms--Unlimited Elements For Elementor | The Unlimited Elements For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 1.5.148 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-28 | 6.4 | CVE-2025-8603 |
| ValvePress--WordPress Automatic Plugin | The WordPress Automatic Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.118.0. This is due to missing or incorrect nonce validation on one of its functions. This makes it possible for unauthenticated attackers to update campaigns and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-26 | 4.7 | CVE-2025-6247 |
| vEnCa-X--rajce | Server-Side Request Forgery (SSRF) vulnerability in vEnCa-X rajce allows Server Side Request Forgery. This issue affects rajce: from n/a through 0.4.2. | 2025-08-28 | 4.9 | CVE-2025-48364 |
| vercel--next.js | Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization API routes are affected by cache key confusion. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled. | 2025-08-29 | 6.2 | CVE-2025-57752 |
| vercel--next.js | Next.js is a React framework for building full-stack web applications. Prior to versions 14.2.32 and 15.4.7, when next() was used without explicitly passing the request object, it could lead to SSRF in self-hosted applications that incorrectly forwarded user-supplied headers. This vulnerability has been fixed in Next.js versions 14.2.32 and 15.4.7. All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function. | 2025-08-29 | 6.5 | CVE-2025-57822 |
| vercel--next.js | Next.js is a React framework for building full-stack web applications. In versions before 14.2.31 and from 15.0.0 to before 15.4.5, Next.js Image Optimization is vulnerable to content injection. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery. This vulnerability has been fixed in Next.js versions 14.2.31 and 15.4.5. | 2025-08-29 | 4.3 | CVE-2025-55173 |
| vikingjs--Goal Tracker for Patreon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vikingjs Goal Tracker for Patreon allows Stored XSS. This issue affects Goal Tracker for Patreon: from n/a through 0.4.6. | 2025-08-28 | 5.9 | CVE-2025-48305 |
| Vincent Mimoun-Prat--bxSlider integration for WordPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vincent Mimoun-Prat bxSlider integration for WordPress allows Stored XSS. This issue affects bxSlider integration for WordPress: from n/a through 1.7.2. | 2025-08-28 | 6.5 | CVE-2025-48347 |
| weblineindia--List Subpages | The List Subpages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-29 | 6.4 | CVE-2025-8290 |
| WP Chinese Translation--WPAvatar | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 文派翻译(WP Chinese Translation) WPAvatar allows Stored XSS. This issue affects WPAvatar: from n/a through 1.9.3. | 2025-08-28 | 6.5 | CVE-2025-48312 |
| WP Smart Widgets--Better Post & Filter Widgets for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Smart Widgets Better Post & Filter Widgets for Elementor allows Stored XSS. This issue affects Better Post & Filter Widgets for Elementor: from n/a through 1.6.0. | 2025-08-28 | 6.5 | CVE-2025-48354 |
| WP Ulike--WP ULike Pro | The WP ULike Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the WP_Ulike_Pro_File_Uploader class in all versions up to, and including, 1.9.3. This makes it possible for unauthenticated attackers to upload limited arbitrary files like .php2, .php6, .php7, .phps, .pht, .phtm, .pgif, .shtml, .phar, .inc, .hphp, .ctp, .module, .html, .svg on the affected site's server which may make make other attacks like Cross-Site Scripting possible. Only versions up to 1.8.7 were confirmed vulnerable, however, the earliest tested version for a patch we have access to is 1.9.4, so we are considering 1.9.4 the patched version. | 2025-08-28 | 6.1 | CVE-2024-9648 |
| wpdevelop--Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 10.14.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-28 | 6.4 | CVE-2025-9346 |
| wpdreams--Ajax Search Lite Live Search & Filter | The Ajax Search Lite plugin for WordPress is vulnerable to Basic Information Exposure due to missing authorization in its AJAX search handler in all versions up to, and including, 4.13.1. This makes it possible for unauthenticated attackers to issue repeated AJAX requests to leak the content of any protected post in rolling 100‑character windows. | 2025-08-28 | 5.3 | CVE-2025-7956 |
| wpdreams--Related Posts Lite | The Related Posts Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-30 | 4.3 | CVE-2025-9618 |
| wptableeditor--Table Editor | Cross-Site Request Forgery (CSRF) vulnerability in wptableeditor Table Editor allows Cross Site Request Forgery. This issue affects Table Editor: from n/a through 1.6.4. | 2025-08-28 | 4.3 | CVE-2025-48310 |
| Xinhu--RockOA | A vulnerability was found in Xinhu RockOA up to 2.6.9. Impacted is the function publicsaveAjax of the file /index.php. Performing manipulation results in improper authorization. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | 2025-08-29 | 6.3 | CVE-2025-9602 |
| Xpro--Xpro Elementor Addons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xpro Xpro Elementor Addons allows Stored XSS. This issue affects Xpro Elementor Addons: from n/a through 1.4.17. | 2025-08-27 | 6.5 | CVE-2025-58195 |
| Xpro--Xpro Theme Builder | Missing Authorization vulnerability in Xpro Xpro Theme Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Xpro Theme Builder: from n/a through 1.2.9. | 2025-08-27 | 6.5 | CVE-2025-58198 |
| xuhuisheng--lemon | A weakness has been identified in xuhuisheng lemon up to 1.13.0. This affects the function uploadImage of the file CmsArticleController.java of the component com.mossle.cms.web.CmsArticleController.uploadImage. This manipulation of the argument Upload causes unrestricted upload. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-08-25 | 6.3 | CVE-2025-9406 |
| xwiki--xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions from 14.4.2 to before 16.4.8, 16.5.0-rc-1 to before 16.10.7, and 17.0.0-rc-1 to before 17.4.0-rc-1, the PDF export jobs store sensitive cookies unencrypted in job statuses. XWiki shouldn't store passwords in plain text, and it shouldn't be possible to gain access to plain text passwords by gaining access to, e.g., a backup of the data directory. This vulnerability has been patched in XWiki 16.4.8, 16.10.7, and 17.4.0-rc-1. | 2025-08-28 | 5.8 | CVE-2025-58049 |
| Xylus Themes--WP Bulk Delete | Missing Authorization vulnerability in Xylus Themes WP Bulk Delete allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Bulk Delete: from n/a through 1.3.6. | 2025-08-27 | 4.3 | CVE-2025-58192 |
| yeqifu--carRental | A vulnerability has been found in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. This affects the function removeFileByPath of the file src/main/java/com/yeqifu/sys/utils/AppFileUtils.java. The manipulation of the argument carimg leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. This product adopts a rolling release strategy to maintain continuous delivery | 2025-08-29 | 5.4 | CVE-2025-9650 |
| YiFang--CMS | A vulnerability was detected in YiFang CMS up to 2.0.5. Affected by this issue is some unknown functionality of the file app/logic/L_tool.php. The manipulation of the argument new_url results in sql injection. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-25 | 6.3 | CVE-2025-9399 |
| YiFang--CMS | A flaw has been found in YiFang CMS up to 2.0.5. This affects the function mergeMultipartUpload of the file app/utils/base/plugin/P_file.php. This manipulation of the argument File causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-25 | 6.3 | CVE-2025-9400 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| appneta--tcpreplay | A security vulnerability has been detected in appneta tcpreplay 4.5.1. Impacted is the function calc_sleep_time of the file send_packets.c. Such manipulation leads to divide by zero. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. Upgrading to version 4.5.3-beta3 is recommended to address this issue. It is advisable to upgrade the affected component. The vendor confirms in a GitHub issue reply: "Was able to reproduce in 6fcbf03 but NOT 4.5.3-beta3." | 2025-08-29 | 3.3 | CVE-2025-9649 |
| Arista Networks--EOS | On affected platforms running Arista EOS, the global common encryption key configuration may be logged in clear text, in local or remote accounting logs. Knowledge of both the encryption key and protocol specific encrypted secrets from the device running-config could then be used to obtain protocol specific passwords in cases where symmetric passwords are required between devices with neighbor protocol relationships. | 2025-08-25 | 3.8 | CVE-2025-3456 |
| Campcodes--Hospital Management System | A vulnerability was detected in Campcodes Hospital Management System 1.0. This affects an unknown function of the file /admin/edit-doctor-specialization.php of the component Edit Doctor Specialization Page. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. | 2025-08-31 | 2.4 | CVE-2025-9746 |
| Cudy--LT500E | A vulnerability was identified in Cudy LT500E up to 2.3.12. Affected is an unknown function of the file /squashfs-root/etc/shadow of the component Web Interface. The manipulation leads to use of hard-coded password. The attack must be carried out locally. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit is publicly available and might be used. Upgrading to version 2.3.13 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "[T]he firmware does store a default password of 'admin'. This password has been deprecated since LT500E firmware version 2.3.13 and is no longer used. The LT500E does not have an administrator password set by default; a new password (at least 8 characters ) must be manually created upon first login the web management page." | 2025-08-31 | 2.5 | CVE-2025-9725 |
| Cudy--WR1200EA | A vulnerability was determined in Cudy WR1200EA 2.3.7-20250113-121810. Affected is an unknown function of the file /etc/shadow. Executing manipulation can lead to use of default password. The attack needs to be launched locally. A high complexity level is associated with this attack. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-28 | 2.5 | CVE-2025-9589 |
| editso--fuso | A flaw has been found in editso fuso up to 1.0.4-beta.7. This affects the function PenetrateRsaAndAesHandshake of the file src/net/penetrate/handshake/mod.rs. This manipulation of the argument priv_key causes inadequate encryption strength. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. | 2025-08-27 | 3.7 | CVE-2025-9513 |
| HuangDou--UTCMS | A vulnerability has been found in HuangDou UTCMS 9. This vulnerability affects unknown code of the file app/modules/ut-frame/admin/login.php of the component Login. Such manipulation of the argument code leads to incorrect comparison. The attack can be executed remotely. The attack requires a high level of complexity. It is stated that the exploitability is difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-25 | 3.7 | CVE-2025-9401 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-28 and 7.1.2-2, passing a geometry string containing only a colon (":") to montage -geometry leads GetGeometry() to set width/height to 0. Later, ThumbnailImage() divides by these zero dimensions, triggering a crash (SIGFPE/abort), resulting in a denial of service. This issue has been patched in versions 6.9.13-28 and 7.1.2-2. | 2025-08-26 | 3.7 | CVE-2025-55212 |
| jqlang--jq | A vulnerability was determined in jqlang jq up to 1.6. Impacted is the function run_jq_tests of the file jq_test.c of the component JSON Parser. Executing manipulation can lead to reachable assertion. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Other versions might be affected as well. | 2025-08-25 | 3.3 | CVE-2025-9403 |
| macrozheng--mall | A vulnerability has been found in macrozheng mall up to 1.0.3. This impacts an unknown function of the component Registration. Such manipulation leads to weak password requirements. The attack can be executed remotely. Attacks of this nature are highly complex. The exploitability is said to be difficult. The vendor deleted the GitHub issue for this vulnerability without and explanation. | 2025-08-27 | 3.7 | CVE-2025-9514 |
| mtons--mblog | A flaw has been found in mtons mblog up to 3.5.0. Affected by this vulnerability is an unknown functionality of the file /settings/profile. Executing manipulation of the argument signature can lead to cross site scripting. The attack may be launched remotely. The exploit has been published and may be used. Other parameters might be affected as well. | 2025-08-25 | 3.5 | CVE-2025-9407 |
| mtons--mblog | A security vulnerability has been detected in mtons mblog up to 3.5.0. This vulnerability affects unknown code of the file /post/submit of the component Post Handler. The manipulation of the argument content/title/ leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-08-25 | 3.5 | CVE-2025-9429 |
| mtons--mblog | A vulnerability was detected in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /admin/options/update. The manipulation of the argument input results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2025-08-26 | 2.4 | CVE-2025-9430 |
| n/a--coze-studio | A vulnerability was identified in coze-studio up to 0.2.4. The impacted element is an unknown function of the file backend/domain/plugin/encrypt/aes.go. The manipulation of the argument AuthSecretKey/StateSecretKey/OAuthTokenSecretKey leads to use of hard-coded cryptographic key . It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is regarded as difficult. To fix this issue, it is recommended to deploy a patch. The vendor replied to the GitHub issue (translated from simplified Chinese): "For scenarios requiring encryption, we will implement user-defined key management through configuration and optimize the use of encryption tools, such as random salt." | 2025-08-29 | 3.7 | CVE-2025-9604 |
| n/a--O2OA | A security flaw has been discovered in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_organization_assemble_personal/jaxrs/definition/calendarConfig. The manipulation of the argument toMonthViewName results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-29 | 3.5 | CVE-2025-9646 |
| n/a--O2OA | A weakness has been identified in O2OA up to 10.0-410. This affects an unknown part of the file /x_organization_assemble_control/jaxrs/person/ of the component Personal Profile Page. Executing manipulation of the argument Description can lead to cross site scripting. The attack can be launched remotely. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-29 | 3.5 | CVE-2025-9655 |
| n/a--O2OA | A vulnerability was detected in O2OA up to 10.0-410. This issue affects some unknown processing of the file /x_program_center/jaxrs/script of the component Personal Profile Page. The manipulation of the argument name/alias/description results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-29 | 3.5 | CVE-2025-9657 |
| n/a--O2OA | A flaw has been found in O2OA up to 10.0-410. Impacted is an unknown function of the file /x_portal_assemble_designer/jaxrs/dict/ of the component Personal Profile Page. This manipulation of the argument name/alias/description causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-29 | 3.5 | CVE-2025-9658 |
| n/a--O2OA | A vulnerability has been found in O2OA up to 10.0-410. The affected element is an unknown function of the file /x_portal_assemble_designer/jaxrs/widget of the component Personal Profile Page. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-29 | 3.5 | CVE-2025-9659 |
| n/a--O2OA | A vulnerability was detected in O2OA up to 10.0-410. This impacts an unknown function of the file /x_portal_assemble_designer/jaxrs/page of the component Personal Profile Page. Performing manipulation results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-30 | 3.5 | CVE-2025-9680 |
| n/a--O2OA | A flaw has been found in O2OA up to 10.0-410. Affected is an unknown function of the file /x_program_center/jaxrs/agent of the component Personal Profile Page. Executing manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been published and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-30 | 3.5 | CVE-2025-9681 |
| n/a--O2OA | A vulnerability has been found in O2OA up to 10.0-410. Affected by this vulnerability is an unknown functionality of the file /x_cms_assemble_control/jaxrs/design/appdict of the component Personal Profile Page. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-30 | 3.5 | CVE-2025-9682 |
| n/a--O2OA | A vulnerability was found in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_cms_assemble_control/jaxrs/form of the component Personal Profile Page. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-30 | 3.5 | CVE-2025-9683 |
| n/a--O2OA | A vulnerability was found in O2OA up to 10.0-410. Affected is an unknown function of the file /x_cms_assemble_control/jaxrs/script of the component Personal Profile Page. The manipulation of the argument name/alias/description results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-31 | 3.5 | CVE-2025-9715 |
| n/a--O2OA | A vulnerability was determined in O2OA up to 10.0-410. Affected by this vulnerability is an unknown functionality of the file /x_processplatform_assemble_designer/jaxrs/form of the component Personal Profile Page. This manipulation of the argument name/alias/description causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-31 | 3.5 | CVE-2025-9716 |
| n/a--O2OA | A vulnerability was identified in O2OA up to 10.0-410. Affected by this issue is some unknown functionality of the file /x_organization_assemble_control/jaxrs/unit/ of the component Personal Profile Page. Such manipulation of the argument name/shortName/distinguishedName/pinyin/pinyinInitial/levelName leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. | 2025-08-31 | 3.5 | CVE-2025-9717 |
| n/a--O2OA | A security flaw has been discovered in O2OA up to 10.0-410. This affects an unknown part of the file /x_processplatform_assemble_designer/jaxrs/process of the component Personal Profile Page. Performing manipulation of the argument name/alias results in cross site scripting. Remote exploitation of the attack is possible. The exploit has been released to the public and may be exploited. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-31 | 3.5 | CVE-2025-9718 |
| n/a--O2OA | A weakness has been identified in O2OA up to 10.0-410. This vulnerability affects unknown code of the file /x_processplatform_assemble_designer/jaxrs/script of the component Personal Profile Page. Executing manipulation of the argument name/alias/description/applicationName can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. | 2025-08-31 | 3.5 | CVE-2025-9719 |
| n/a--O2OA | A security flaw has been discovered in O2OA up to 10.0-410. The impacted element is an unknown function of the file /x_query_assemble_designer/jaxrs/stat of the component Personal Profile Page. The manipulation of the argument name/alias/description/applicationName results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be exploited. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-31 | 3.5 | CVE-2025-9734 |
| n/a--O2OA | A weakness has been identified in O2OA up to 10.0-410. This affects an unknown function of the file /x_query_assemble_designer/jaxrs/table of the component Personal Profile Page. This manipulation of the argument description/applicationName/queryName causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-31 | 3.5 | CVE-2025-9735 |
| n/a--O2OA | A security vulnerability has been detected in O2OA up to 10.0-410. This impacts an unknown function of the file /x_query_assemble_designer/jaxrs/statement of the component Personal Profile Page. Such manipulation of the argument description/queryName leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-31 | 3.5 | CVE-2025-9736 |
| n/a--O2OA | A vulnerability was detected in O2OA up to 10.0-410. Affected is an unknown function of the file /x_query_assemble_designer/jaxrs/importmodel of the component Personal Profile Page. Performing manipulation of the argument description/applicationName/queryName results in cross site scripting. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor replied in the GitHub issue (translated from simplified Chinese): "This issue will be fixed in the new version." | 2025-08-31 | 3.5 | CVE-2025-9737 |
| n/a--Scada-LTS | A vulnerability was identified in Scada-LTS up to 2.7.8.1. The affected element is an unknown function of the file /pointHierarchySLTS of the component Folder Handler. The manipulation of the argument Title leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2025-08-25 | 2.4 | CVE-2025-9404 |
| n/a--ZrLog | A security vulnerability has been detected in ZrLog up to 3.1.5. This vulnerability affects unknown code of the file /api/admin/template/config of the component Theme Configuration Form. Such manipulation of the argument footerLink leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-28 | 2.4 | CVE-2025-9591 |
| nofusscomputing--centurion_erp | Centurion ERP is an ERP with a focus on ITSM and automation. In versions starting from 1.12.0 to before 1.21.0, an authenticated user can view all authentication token details within the database. This includes the actual token, although only the hashed token. This does not include any un-hashed authentication token as viewable. This issue has been patched in version 1.21.0. A workaround for this is not deemed viable as it would involve disabling token authentication. Users are encouraged to remove any authentication token that was created by one of the effected versions of Centurion ERP. Webmasters can ensure this occurs by removing all authentication tokens from the database. | 2025-08-29 | 1.9 | CVE-2025-58156 |
| oitcode--samarium | A security flaw has been discovered in oitcode samarium up to 0.9.6. This vulnerability affects unknown code of the file /cms/webpage/ of the component Pages Image Handler. The manipulation results in cross site scripting. The attack may be performed from a remote location. The exploit has been released to the public and may be exploited. | 2025-08-25 | 2.4 | CVE-2025-9416 |
| oitcode--samarium | A vulnerability was found in oitcode samarium up to 0.9.6. This impacts an unknown function of the file /dashboard/team of the component Team Image Handler. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. | 2025-08-25 | 2.4 | CVE-2025-9422 |
| Portabilis--i-Educar | A vulnerability was determined in Portabilis i-Educar up to 2.10. Affected is an unknown function of the file /intranet/educar_transferencia_tipo_cad.php of the component Cadastrar tipo de transferência Page. This manipulation of the argument nm_tipo/desc_tipo causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-08-29 | 3.5 | CVE-2025-9652 |
| Portabilis--i-Educar | A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/educar_projeto_cad.php of the component Cadastrar projeto Page. Such manipulation of the argument nome/observacao leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2025-08-29 | 3.5 | CVE-2025-9653 |
| Portabilis--i-Educar | A vulnerability was detected in Portabilis i-Educar up to 2.10. Impacted is an unknown function of the file /module/TabelaArredondamento/edit of the component Cadastrar tabela de arredondamento Page. The manipulation of the argument Nome results in cross site scripting. The attack may be performed from a remote location. The exploit is now public and may be used. | 2025-08-31 | 3.5 | CVE-2025-9720 |
| Portabilis--i-Educar | A flaw has been found in Portabilis i-Educar up to 2.10. The affected element is an unknown function of the file /module/FormulaMedia/edit. This manipulation of the argument nome/formulaMedia causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2025-08-31 | 3.5 | CVE-2025-9721 |
| Portabilis--i-Educar | A vulnerability has been found in Portabilis i-Educar up to 2.10. The impacted element is an unknown function of the file /intranet/educar_tipo_ocorrencia_disciplinar_cad.php. Such manipulation of the argument nm_tipo/descricao leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-31 | 3.5 | CVE-2025-9722 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar up to 2.10. This affects an unknown function of the file /intranet/educar_tipo_regime_cad.php. Performing manipulation of the argument nm_tipo results in cross site scripting. The attack can be initiated remotely. The exploit has been made public and could be used. | 2025-08-31 | 3.5 | CVE-2025-9723 |
| Portabilis--i-Educar | A vulnerability was determined in Portabilis i-Educar up to 2.10. This impacts an unknown function of the file /intranet/educar_nivel_ensino_cad.php. Executing manipulation of the argument nm_nivel/descricao can lead to cross site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2025-08-31 | 3.5 | CVE-2025-9724 |
| Portabilis--i-Educar | A flaw has been found in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/educar_tipo_ensino_cad.php. Executing manipulation of the argument nm_tipo can lead to cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. | 2025-08-31 | 3.5 | CVE-2025-9738 |
| seeedstudio--ReSpeaker | A vulnerability was identified in seeedstudio ReSpeaker LinkIt7688. Impacted is an unknown function of the file /etc/shadow of the component Administrative Interface. The manipulation leads to use of default credentials. An attack has to be approached locally. A high degree of complexity is needed for the attack. The exploitability is considered difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-28 | 2.5 | CVE-2025-9576 |
| Tenda--AC9 | A vulnerability was determined in Tenda AC9 15.03.05.19. The impacted element is an unknown function of the file /etc_ro/shadow of the component Administrative Interface. This manipulation causes hard-coded credentials. It is possible to launch the attack on the local host. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit has been publicly disclosed and may be utilized. | 2025-08-31 | 2.5 | CVE-2025-9731 |
| TOTOLINK--X2000R | A security flaw has been discovered in TOTOLINK X2000R up to 2.0.0. The affected element is an unknown function of the file /etc/shadow.sample of the component Administrative Interface. The manipulation results in use of default credentials. Attacking locally is a requirement. Attacks of this nature are highly complex. The exploitability is described as difficult. The exploit has been released to the public and may be exploited. | 2025-08-28 | 2.5 | CVE-2025-9577 |
| Weaver--E-Mobile Mobile Management Platform | A vulnerability was identified in Weaver E-Mobile Mobile Management Platform up to 20250813. Affected by this vulnerability is an unknown functionality. The manipulation of the argument gohome leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-28 | 3.5 | CVE-2025-9590 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| ACDH-CH--OpenAtlas | Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/file" petition, "creator" and "license_holder" parameters. | 2025-08-29 | not yet calculated | CVE-2025-40702 |
| ACDH-CH--OpenAtlas | Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/group" petition, "name" and "alias-0" parameters. | 2025-08-29 | not yet calculated | CVE-2025-40703 |
| ACDH-CH--OpenAtlas | Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/edition" petition, "name" parameter. | 2025-08-29 | not yet calculated | CVE-2025-40704 |
| ACDH-CH--OpenAtlas | Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/acquisition" petition, "name" parameter. | 2025-08-29 | not yet calculated | CVE-2025-40705 |
| ACDH-CH--OpenAtlas | Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/source" petition, "name" parameter. | 2025-08-29 | not yet calculated | CVE-2025-40706 |
| ACDH-CH--OpenAtlas | Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/place" petition, "name" and "alias-0" parameters. | 2025-08-29 | not yet calculated | CVE-2025-40707 |
| ACDH-CH--OpenAtlas | Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/event" petition, "name" parameter. | 2025-08-29 | not yet calculated | CVE-2025-40708 |
| ACDH-CH--OpenAtlas | Cross-Site Scripting (XSS) vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage (ACDH-CH), due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an authenticated user and steal their session cookie details, via the "/insert/person/<ID>" petition, "name" and "alias-0" parameters. | 2025-08-29 | not yet calculated | CVE-2025-40709 |
| Acronis--Acronis Cyber Protect Cloud Agent | Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40296. | 2025-08-28 | not yet calculated | CVE-2025-48963 |
| Acronis--Acronis Cyber Protect Cloud Agent | Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 40734. | 2025-08-28 | not yet calculated | CVE-2025-9578 |
| activePDF--WebGrabber | activePDF WebGrabber version 3.8.2.0 contains a stack-based buffer overflow vulnerability in the GetStatus() method of the APWebGrb.ocx ActiveX control. By passing an overly long string to this method, a remote attacker can execute arbitrary code in the context of the vulnerable process. Although the control is not marked safe for scripting, exploitation is possible via crafted HTML content in Internet Explorer under permissive security settings. | 2025-08-30 | not yet calculated | CVE-2008-20001 |
| airlinklabs--daemon | Airlink's Daemon interfaces with Docker and the Panel to provide secure access for controlling instances via the Panel. In version 1.0.0, an attacker with access to the affected container can create symbolic links inside the mounted directory (/app/data). Because the container bind-mounts an arbitrary host path, these symlinks can point to sensitive locations on the host filesystem. When the application or other processes follow these symlinks, the attacker can gain unauthorized read access to host files outside the container. This issue has been patched in version 1.0.1. | 2025-08-25 | not yet calculated | CVE-2025-57802 |
| alextselegidis--Easy!Appointments | alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter. | 2025-08-25 | not yet calculated | CVE-2025-50383 |
| Apache Friends--XAMPP | A vulnerability in XAMPP, developed by Apache Friends, version 1.7.3's default WebDAV configuration allows remote authenticated attackers to upload and execute arbitrary PHP code. The WebDAV service, accessible via /webdav/, accepts HTTP PUT requests using default credentials. This permits attackers to upload a malicious PHP payload and trigger its execution via a subsequent GET request, resulting in remote code execution on the server. | 2025-08-30 | not yet calculated | CVE-2012-10062 |
| Apache Software Foundation--Apache Cassandra | Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra 3.0.30, 3.11.17, 4.0.16, 4.1.7, 5.0.2, but this advisory is only for 4.0.16 because the fix to CVE-2025-23015 was incorrectly applied to 4.0.16, so that version is still affected. Users in the 4.0 series are recommended to upgrade to version 4.0.17 which fixes the issue. Users from 3.0, 3.11, 4.1 and 5.0 series should follow recommendation from CVE-2025-23015. | 2025-08-25 | not yet calculated | CVE-2025-26467 |
| Apple--macOS | The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.2. An app may be able to record the screen without an indicator. | 2025-08-29 | not yet calculated | CVE-2024-44271 |
| Apple--macOS | This issue was addressed with improved handling of symlinks. This issue is fixed in macOS Sequoia 15.1. An app may be able to access sensitive user data. | 2025-08-29 | not yet calculated | CVE-2024-54554 |
| Apple--macOS | The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.2. Parsing a maliciously crafted file may lead to an unexpected app termination. | 2025-08-29 | not yet calculated | CVE-2024-54568 |
| Apple--macOS | This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sonoma 14.7.7, macOS Ventura 13.7.7, macOS Sequoia 15.6. Running an hdiutil command may unexpectedly execute arbitrary code. | 2025-08-29 | not yet calculated | CVE-2025-43187 |
| Apple--macOS | An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.7.7, macOS Sequoia 15.6, macOS Ventura 13.7.7. An app may be able to cause unexpected system termination. | 2025-08-29 | not yet calculated | CVE-2025-43255 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6. A malicious app may be able to gain root privileges. | 2025-08-29 | not yet calculated | CVE-2025-43268 |
| Apple--macOS | An out-of-bounds read was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.7.7, macOS Ventura 13.7.7, macOS Sequoia 15.6. An app may be able to cause unexpected system termination. | 2025-08-29 | not yet calculated | CVE-2025-43284 |
| Arcserve--Unified Data Protection (UDP) | An authentication bypass vulnerability in Arcserve Unified Data Protection (UDP) allows unauthenticated attackers to gain unauthorized access to protected functionality or user accounts. By manipulating specific request parameters or exploiting a logic flaw, an attacker can bypass login mechanisms without valid credentials and access administrator-level features. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue. | 2025-08-27 | not yet calculated | CVE-2025-34520 |
| Arcserve--Unified Data Protection (UDP) | A reflected cross-site scripting (XSS) vulnerability exists in the web interface of the Arcserve Unified Data Protection (UDP), where unsanitized user input is improperly reflected in HTTP responses. This flaw allows remote attackers with low privileges to craft malicious links that, when visited by another user, execute arbitrary JavaScript in the victim's browser. Successful exploitation may lead to session hijacking, credential theft, or other client-side impacts. The vulnerability requires user interaction and occurs within a shared browser context. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue. | 2025-08-27 | not yet calculated | CVE-2025-34521 |
| Arcserve--Unified Data Protection (UDP) | A heap-based buffer overflow vulnerability exists in the input parsing logic of Arcserve Unified Data Protection (UDP). This flaw can be triggered without authentication by sending specially crafted input to the target system. Improper bounds checking allows an attacker to overwrite heap memory, potentially leading to application crashes or remote code execution. Exploitation occurs in the context of the affected process and does not require user interaction. The vulnerability poses a high risk due to its pre-authentication nature and potential for full compromise. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue. | 2025-08-27 | not yet calculated | CVE-2025-34522 |
| Arcserve--Unified Data Protection (UDP) | A heap-based buffer overflow vulnerability exists in the exists in the network-facing input handling routines of Arcserve Unified Data Protection (UDP). This flaw is reachable without authentication and results from improper bounds checking when processing attacker-controlled input. By sending specially crafted data, a remote attacker can corrupt heap memory, potentially causing a denial of service or enabling arbitrary code execution depending on the memory layout and exploitation techniques used. This vulnerability is similar in nature to CVE-2025-34522 but affects a separate code path or component. No user interaction is required, and exploitation occurs in the context of the vulnerable process. This vulnerability affects all UDP versions prior to 10.2. UDP 10.2 includes the necessary patches and requires no action. Versions 8.0 through 10.1 are supported and require either patch application or upgrade to 10.2. Versions 7.x and earlier are unsupported or out of maintenance and must be upgraded to 10.2 to remediate the issue. | 2025-08-27 | not yet calculated | CVE-2025-34523 |
| Atera--Nagios XI 2024R2 | A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data. | 2025-08-26 | not yet calculated | CVE-2025-56432 |
| azu--request-filtering-agent | request-filtering-agent is an http(s).Agent implementation that blocks requests to Private/Reserved IP addresses. Versions 1.x.x and earlier contain a vulnerability where HTTPS requests to 127.0.0.1 bypass IP address filtering, while HTTP requests are correctly blocked. This allows attackers to potentially access internal HTTPS services running on localhost, bypassing the library's SSRF protection. The vulnerability is particularly dangerous when the application accepts user-controlled URLs and internal services are only protected by network-level restrictions. This vulnerability has been fixed in request-filtering-agent version 2.0.0. Users should upgrade to version 2.0.0 or later. | 2025-08-25 | not yet calculated | CVE-2025-57814 |
| Belkin International, Inc.--Bulldog Plus UPS Monitoring Software | Belkin Bulldog Plus version 4.0.2 build 1219 contains a stack-based buffer overflow vulnerability in its web service authentication handler. When a specially crafted HTTP request is sent with an oversized Authorization header, the application fails to properly validate the input length before copying it into a fixed-size buffer, resulting in memory corruption and potential remote code execution. Exploitation requires network access and does not require prior authentication. | 2025-08-30 | not yet calculated | CVE-2009-20009 |
| BS.Player--BS.Player Free and Pro Editions | BS.Player version 2.57 (build 1051) contains a vulnerability in its playlist import functionality. When processing .m3u files, the application fails to properly validate the length of playlist entries, resulting in a buffer overflow condition. This flaw occurs during parsing of long URLs embedded in the playlist, allowing overwrite of Structured Exception Handler (SEH) records. The vulnerability is triggered upon opening a crafted playlist file and affects the Unicode parsing logic in the Windows client. | 2025-08-30 | not yet calculated | CVE-2010-10016 |
| Catalyst--Mahara | Mahara before 22.10.4 and 23.x before 23.04.4 allows information disclosure if the experimental HTML bulk export is used via the administration interface or via the CLI, and the resulting export files are given to the account holders. They may contain images of other account holders because the cache is not cleared after the files of one account are exported. | 2025-08-25 | not yet calculated | CVE-2023-47799 |
| Catalyst--Mahara | Mahara before 22.10.6, 23.04.6, and 24.04.1 allows cross-site scripting (XSS) via a file, with JavaScript code as part of its name, that is uploaded via the Mahara filebrowser system. | 2025-08-26 | not yet calculated | CVE-2024-35203 |
| Catalyst--Mahara | Supported versions of Mahara 24.04 before 24.04.1 and 23.04 before 23.04.6 are vulnerable to information being disclosed to an institution administrator under certain conditions via the 'Current submissions' page: Administration -> Groups -> Submissions. | 2025-08-26 | not yet calculated | CVE-2024-39335 |
| Catalyst--Mahara | An issue was discovered in Mahara 24.04 before 24.04.2 and 23.04 before 23.04.7. The About, Contact, and Help footer links can be set up to be vulnerable to Cross Site Scripting (XSS) due to not sanitising the values. These links can only be set up by an admin but are clickable by any logged-in person. | 2025-08-25 | not yet calculated | CVE-2024-39923 |
| Catalyst--Mahara | In Mahara 23.04.8 and 24.04.4, the external RSS feed block can cause XSS if the external feed XML has a malicious value for the link attribute. | 2025-08-26 | not yet calculated | CVE-2024-45753 |
| Catalyst--Mahara | An issue was discovered in Mahara 23.04.8 and 24.04.4. The use of a malicious export download URL can allow an attacker to download files that they do not have permission to download. | 2025-08-26 | not yet calculated | CVE-2024-47192 |
| Catalyst--Mahara | An issue was discovered in Mahara 23.04.8 and 24.04.4. Attackers may utilize escalation of privileges in certain cases when logging into Mahara with Learning Tools Interoperability (LTI). | 2025-08-26 | not yet calculated | CVE-2024-47853 |
| Catalyst--Mahara | Mahara before 24.04.9 exposes database connection information if the database becomes unreachable, e.g., due to the database server being temporarily down or too busy. | 2025-08-26 | not yet calculated | CVE-2025-29992 |
| CGM--CGM CLININET | In the Print.pl service, the "uhcPrintServerPrint" function allows execution of arbitrary code via the "CopyCounter" parameter. | 2025-08-27 | not yet calculated | CVE-2025-2313 |
| CGM--CGM CLININET | Stored XSS vulnerability exists in the "Oddział" (Ward) module, in the death diagnosis description field, and allows the execution of arbitrary JavaScript code. This can lead to session hijacking of other users and potentially to privilege escalation up to full administrative rights. | 2025-08-27 | not yet calculated | CVE-2025-30036 |
| CGM--CGM CLININET | The system exposes several endpoints, typically including "/int/" in their path, that should be restricted to internal services, but are instead publicly accessible without authentication to any host able to reach the application server on port 443/tcp. | 2025-08-27 | not yet calculated | CVE-2025-30037 |
| CGM--CGM CLININET | The vulnerability consists of a session ID leak when saving a file downloaded from CGM CLININET. The identifier is exposed through a built-in Windows security feature that stores additional metadata in an NTFS alternate data stream (ADS) for all files downloaded from potentially untrusted sources. | 2025-08-27 | not yet calculated | CVE-2025-30038 |
| CGM--CGM CLININET | Unauthenticated access to the "/cgi-bin/CliniNET.prd/GetActiveSessions.pl" endpoint allows takeover of any user session logged into the system, including users with admin privileges. | 2025-08-27 | not yet calculated | CVE-2025-30039 |
| CGM--CGM CLININET | The vulnerability allows unauthenticated users to download a file containing session ID data by directly accessing the "/cgi-bin/CliniNET.prd/utils/userlogxls.pl" endpoint. | 2025-08-27 | not yet calculated | CVE-2025-30040 |
| CGM--CGM CLININET | The paths "/cgi-bin/CliniNET.prd/utils/userlogstat.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl" expose data containing session IDs. | 2025-08-27 | not yet calculated | CVE-2025-30041 |
| CGM--CGM CLININET | The "serverConfig" endpoint, which returns the module configuration including credentials, is accessible without authentication. | 2025-08-27 | not yet calculated | CVE-2025-30048 |
| CGM--CGM CLININET | The "system" function receives untrusted input from the user. If the "EnableJSCaching" option is enabled, it is possible to execute arbitrary code provided as the "Module" parameter. | 2025-08-27 | not yet calculated | CVE-2025-30055 |
| CGM--CGM CLININET | The RunCommand function accepts any parameter, which is then passed for execution in the shell. This allows an attacker to execute arbitrary code on the system. | 2025-08-27 | not yet calculated | CVE-2025-30056 |
| CGM--CGM CLININET | In UHCRTFDoc, the filename parameter can be exploited to execute arbitrary code via command injection into the system() call in the ConvertToPDF function. | 2025-08-27 | not yet calculated | CVE-2025-30057 |
| CGM--CGM CLININET | In the PatientService.pl service, the "getPatientIdentifier" function is vulnerable to SQL injection through the "pesel" parameter. | 2025-08-27 | not yet calculated | CVE-2025-30058 |
| CGM--CGM CLININET | In the PrepareCDExportJSON.pl service, the "getPerfServiceIds" function is vulnerable to SQL injection. | 2025-08-27 | not yet calculated | CVE-2025-30059 |
| CGM--CGM CLININET | In the ReturnUserUnitsXML.pl service, the "getUserInfo" function is vulnerable to SQL injection through the "UserID" parameter. | 2025-08-27 | not yet calculated | CVE-2025-30060 |
| CGM--CGM CLININET | In the "utils/Reporter/OpenReportWindow.pl" service, there is an SQL injection vulnerability through the "UserID" parameter. | 2025-08-27 | not yet calculated | CVE-2025-30061 |
| CGM--CGM CLININET | The configuration file containing database logins and passwords is readable by any local user. | 2025-08-27 | not yet calculated | CVE-2025-30063 |
| CGM--CGM CLININET | An insufficiently secured internal function allows session generation for arbitrary users. The decodeParam function checks the JWT but does not verify which signing algorithm was used. As a result, an attacker can use the "ex:action" parameter in the VerifyUserByThrustedService function to generate a session for any user. | 2025-08-27 | not yet calculated | CVE-2025-30064 |
| Changsha SPON Communication Technology Co. Ltd.--SPON IP Network Broadcast System | SPON IP Network Broadcast System, a digital audio transmission platform developed by SPON Communications, contains an arbitrary file read vulnerability in the rj_get_token.php endpoint. The flaw arises from insufficient input validation on the jsondata[url] parameter, which allows attackers to perform directory traversal and access sensitive files on the server. An unauthenticated remote attacker can exploit this vulnerability by sending a crafted POST request to read arbitrary files, potentially exposing system configuration, credentials, or internal logic. An affected version range is undefined. | 2025-08-27 | not yet calculated | CVE-2024-13982 |
| Checkmk--Checkmk Exchange | Improper Certificate Validation in Checkmk Exchange plugin BGP Monitoring allows attackers in MitM position to intercept traffic. | 2025-08-28 | not yet calculated | CVE-2025-58123 |
| Checkmk--Checkmk Exchange | Improper Certificate Validation in Checkmk Exchange plugin check-mk-api allows attackers in MitM position to intercept traffic. | 2025-08-28 | not yet calculated | CVE-2025-58124 |
| Checkmk--Checkmk Exchange | Improper Certificate Validation in Checkmk Exchange plugin Freebox v6 agent allows attackers in MitM position to intercept traffic. | 2025-08-28 | not yet calculated | CVE-2025-58125 |
| Checkmk--Checkmk Exchange | Improper Certificate Validation in Checkmk Exchange plugin VMware vSAN allows attackers in MitM position to intercept traffic. | 2025-08-28 | not yet calculated | CVE-2025-58126 |
| Checkmk--Checkmk Exchange | Improper Certificate Validation in Checkmk Exchange plugin Dell Powerscale allows attackers in MitM position to intercept traffic. | 2025-08-28 | not yet calculated | CVE-2025-58127 |
| Cisco--Cisco Unified Computing System (Managed) | A vulnerability in the web-based management interface of Cisco UCS Manager Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious data into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must be a member of the Administrator or AAA Administrator role. | 2025-08-27 | not yet calculated | CVE-2025-20296 |
| CivetWeb--CivetWeb | Buffer Overflow in the URI parser of CivetWeb 1.14 through 1.16 (latest) allows a remote attacker to achieve remote code execution via a crafted HTTP request. This vulnerability is triggered during request processing and may allow an attacker to corrupt heap memory, potentially leading to denial of service or arbitrary code execution. | 2025-08-29 | not yet calculated | CVE-2025-55763 |
| ContentKeeper Technologies--ContentKeeper Web Appliance | ContentKeeper Web Appliance (now maintained by Impero Software) versions prior to 125.10 are vulnerable to remote command execution due to insecure handling of file uploads via the mimencode CGI utility. The vulnerability allows unauthenticated attackers to upload and execute arbitrary scripts as the Apache user. Additionally, the exploit can optionally escalate privileges by abusing insecure PATH usage in the benetool binary, resulting in root-level access if successful. | 2025-08-30 | not yet calculated | CVE-2009-20011 |
| coolLabs Technologies--Coolify | Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a stored cross-site scripting (XSS) attack in the project creation workflow. An authenticated user with low privileges can create a project with a maliciously crafted name containing embedded JavaScript. When an administrator attempts to delete the project or its associated resource, the payload executes in the admin's browser context. This results in full compromise of the Coolify instance, including theft of API tokens, session cookies, and access to WebSocket-based terminal sessions on managed servers. | 2025-08-27 | not yet calculated | CVE-2025-34157 |
| coolLabs Technologies--Coolify | Coolify versions prior to v4.0.0-beta.420.6 are vulnerable to a remote code execution vulnerability in the application deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary Docker Compose directives during project creation. By crafting a malicious service definition that mounts the host root filesystem, an attacker can gain full root access to the underlying server. | 2025-08-27 | not yet calculated | CVE-2025-34159 |
| coolLabs Technologies--Coolify | Coolify versions prior to v4.0.0-beta.420.7 are vulnerable to a remote code execution vulnerability in the project deployment workflow. The platform allows authenticated users, with low-level member privileges, to inject arbitrary shell commands via the Git Repository field during project creation. By submitting a crafted repository string containing command injection syntax, an attacker can execute arbitrary commands on the underlying host system, resulting in full server compromise. | 2025-08-27 | not yet calculated | CVE-2025-34161 |
| craftcms--cms | Craft is a platform for creating digital experiences. From versions 4.0.0-RC1 to 4.16.5 and 5.0.0-RC1 to 5.8.6, there is a potential remote code execution vulnerability via Twig SSTI (Server-Side Template Injection). This is a follow-up to CVE-2024-52293. This vulnerability has been patched in versions 4.16.6 and 5.8.7. | 2025-08-25 | not yet calculated | CVE-2025-57811 |
| Cursor--Cursor | The configuration of Cursor on macOS, specifically the "RunAsNode" fuse enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Cursor TCC (Transparency, Consent, and Control) permissions. Acquired resource access is limited to previously granted permissions by the user. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Cursor, potentially disguising attacker's malicious intent. This issue was detected in 15.4.1 version of Cursor. Project maintainers decided not to fix this issue, because a scenario including a local attacker falls outside their defined threat model. | 2025-08-26 | not yet calculated | CVE-2025-9190 |
| D-Link--DCS-825L | D-Link DCS-825L firmware v1.08.01 contains a vulnerability in the watchdog script `mydlink-watch-dog.sh`, which blindly respawns binaries such as `dcp` and `signalc` without verifying integrity, authenticity, or permissions. An attacker with local filesystem access (via physical access, firmware modification, or debug interfaces) can replace these binaries with malicious payloads. The script executes these binaries as root in an infinite loop, leading to persistent privilege escalation and arbitrary code execution. This issue is mitigated in v1.09.02, but the product is officially End-of-Life and unsupported. | 2025-08-27 | not yet calculated | CVE-2025-55582 |
| D-Link--DI-8100 | D-Link DI-8100 16.07.26A1 is vulnerable to Buffer Overflow via the en`, `val and id parameters in the qj_asp function. This vulnerability allows authenticated attackers to cause a Denial of Service (DoS) by sending crafted GET requests with overly long values for these parameters. | 2025-08-25 | not yet calculated | CVE-2025-51281 |
| D-Link--DIR-110 | Multiple D-Link DIR-series routers, including DIR-110, DIR-412, DIR-600, DIR-610, DIR-615, DIR-645, and DIR-815 firmware version 1.03, contain a vulnerability in the service.cgi endpoint that allows remote attackers to execute arbitrary system commands without authentication. The flaw stems from improper input handling in the EVENT=CHECKFW parameter, which is passed directly to the system shell without sanitization. A crafted HTTP POST request can inject commands that are executed with root privileges, resulting in full device compromise. These router models are no longer supported at the time of assignment and affected version ranges may vary. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-08-21 UTC. | 2025-08-27 | not yet calculated | CVE-2018-25115 |
| D-Link--DIR-868L | D-Link DIR-868L B1 router firmware version FW2.05WWB02 contains an unauthenticated OS command injection vulnerability in the fileaccess.cgi component. The endpoint /dws/api/UploadFile accepts a pre_api_arg parameter that is passed directly to system-level shell execution functions without sanitization or authentication. Remote attackers can exploit this to execute arbitrary commands as root via crafted HTTP requests. | 2025-08-28 | not yet calculated | CVE-2025-55583 |
| D-Link--DSL-7740C | Incorrect access control in the config.xgi function of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to download the configuration file via providing a crafted web request. | 2025-08-25 | not yet calculated | CVE-2025-29514 |
| D-Link--DSL-7740C | Incorrect access control in the DELT_file.xgi endpoint of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to modify arbitrary settings within the device's XML database, including the administrator's password. | 2025-08-25 | not yet calculated | CVE-2025-29515 |
| D-Link--DSL-7740C | D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 was discovered to contain a command injection vulnerability via the backup function. | 2025-08-25 | not yet calculated | CVE-2025-29516 |
| D-Link--DSL-7740C | D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 was discovered to contain a command injection vulnerability via the traceroute6 function. | 2025-08-25 | not yet calculated | CVE-2025-29517 |
| D-Link--DSL-7740C | A command injection vulnerability in the EXE parameter of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to execute arbitrary commands via supplying a crafted GET request. | 2025-08-25 | not yet calculated | CVE-2025-29519 |
| D-Link--DSL-7740C | Incorrect access control in the Maintenance module of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows authenticated attackers with low-level privileges to arbitrarily change the high-privileged account passwords and escalate privileges. | 2025-08-25 | not yet calculated | CVE-2025-29520 |
| D-Link--DSL-7740C | Insecure default credentials for the Adminsitrator account of D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 allows attackers to escalate privileges via a bruteforce attack. | 2025-08-25 | not yet calculated | CVE-2025-29521 |
| D-Link--DSL-7740C | D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 was discovered to contain a command injection vulnerability via the ping function. | 2025-08-25 | not yet calculated | CVE-2025-29522 |
| D-Link--DSL-7740C | D-Link DSL-7740C with firmware DSL7740C.V6.TR069.20211230 was discovered to contain a command injection vulnerability via the ping6 function. | 2025-08-25 | not yet calculated | CVE-2025-29523 |
| DASAN NETWORKS--DASAN GPON ONU H660WM | Incorrect access control in the component /cgi-bin/system_diagnostic_main.asp of DASAN GPON ONU H660WM H660WMR210825 allows attackers to access sensitive information. | 2025-08-25 | not yet calculated | CVE-2025-29524 |
| DASAN NETWORKS--DASAN GPON ONU H660WM | DASAN GPON ONU H660WM OS version H660WMR210825 Hardware version DS-E5-583-A1 was discovered to contain insecure default credentials in the modem's control panel. | 2025-08-25 | not yet calculated | CVE-2025-29525 |
| DASAN NETWORKS--DASAN GPON ONU H660WM | DASAN GPON ONU H660WM H660WMR210825 is susceptible to improper access control under its default settings. Attackers can exploit this vulnerability to gain unauthorized access to sensitive information and modify its configuration via the UPnP protocol WAN sides without any authentication. | 2025-08-25 | not yet calculated | CVE-2025-44178 |
| dataease--dataease | DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, there is a H2 JDBC RCE bypass in DataEase. If the JDBC URL meets criteria, the getJdbcUrl method is returned, which acts as the getter for the JdbcUrl parameter provided. This bypasses H2's filtering logic and returns the H2 JDBC URL, allowing the "driver":"org.h2.Driver" to specify the H2 driver for the JDBC connection. The vulnerability has been fixed in version 2.10.12. | 2025-08-25 | not yet calculated | CVE-2025-57772 |
| dataease--dataease | DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.12, because DB2 parameters are not filtered, a JNDI injection attack can be directly launched. JNDI triggers an AspectJWeaver deserialization attack, writing to various files. This vulnerability requires commons-collections 4.x and aspectjweaver-1.9.22.jar. The vulnerability has been fixed in version 2.10.12. | 2025-08-25 | not yet calculated | CVE-2025-57773 |
| Diebold Nixdorf--Vynamic Security Suite | Diebold Nixdorf Vynamic Security Suite through 4.3.0 SR06 contains functionality that allows the removal of critical system files before the filesystem is properly mounted (e.g., leveraging a delete call in /etc/rc.d/init.d/mountfs to remove the /etc/fstab file). This can allow code execution and, in some versions, enable recovery of TPM Disk Encryption keys and decryption of the Windows system partition. | 2025-08-29 | not yet calculated | CVE-2024-46916 |
| Diebold Nixdorf--Vynamic Security Suite | Diebold Nixdorf Vynamic Security Suite through 4.3.0 SR01 does not validate file attributes or the contents of /root during integrity validation. This allows code execution, recovery of TPM Disk Encryption keys, decryption of the Windows system partition, and full control of the Windows OS, e.g., through ~/.profile changes. | 2025-08-29 | not yet calculated | CVE-2024-46917 |
| Digital Arts Inc.--i- 6.0 | Multiple i-フィルター products contain an issue with incorrect default permissions. If this vulnerability is exploited, a local authenticated attacker may replace a service executable on the system where the product is running, potentially allowing arbitrary code execution with SYSTEM privileges. | 2025-08-27 | not yet calculated | CVE-2025-57846 |
| Dogfood CRM--Dogfood CRM | Dogfood CRM version 2.0.10 contains a remote command execution vulnerability in the spell.php script used by its mail subsystem. The vulnerability arises from unsanitized user input passed via a POST request to the data parameter, which is processed by the underlying shell without adequate escaping. This allows attackers to inject arbitrary shell commands and execute them on the server. The flaw is exploitable without authentication and was discovered by researcher LSO. | 2025-08-30 | not yet calculated | CVE-2009-20010 |
| DOS Co., Ltd.--SS1 | Inadequate encryption strength issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). If this vulnerability is exploited, a function that requires authentication may be accessed by a remote unauthenticated attacker. | 2025-08-28 | not yet calculated | CVE-2025-46409 |
| DOS Co., Ltd.--SS1 | Files or directories accessible to external parties issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). If exploited, uploaded files and SS1 configuration files may be accessed by a remote unauthenticated attacker. | 2025-08-28 | not yet calculated | CVE-2025-52460 |
| DOS Co., Ltd.--SS1 | Incorrect permission assignment for critical resource issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier), which may allow users who can log in to a client terminal to obtain root privileges. | 2025-08-28 | not yet calculated | CVE-2025-53396 |
| DOS Co., Ltd.--SS1 | SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to upload arbitrary files and execute OS commands with SYSTEM privileges. | 2025-08-28 | not yet calculated | CVE-2025-53970 |
| DOS Co., Ltd.--SS1 | SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to upload arbitrary files and execute OS commands with SYSTEM privileges. | 2025-08-28 | not yet calculated | CVE-2025-54762 |
| DOS Co., Ltd.--SS1 | Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). If this vulnerability is exploited, legitimate files may be overwritten by a remote authenticated attacker. | 2025-08-28 | not yet calculated | CVE-2025-54819 |
| DOS Co., Ltd.--SS1 | Improper limitation of a pathname to a restricted directory ('Path Traversal') issue exists in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier). If this vulnerability is exploited, arbitrary files may be viewed by a remote unauthenticated attacker. | 2025-08-28 | not yet calculated | CVE-2025-58072 |
| DOS Co., Ltd.--SS1 | Use of hard-coded password issue/vulnerability in SS1 Ver.16.0.0.10 and earlier (Media version:16.0.0a and earlier) allows a remote unauthenticated attacker to view arbitrary files with root privileges. | 2025-08-28 | not yet calculated | CVE-2025-58081 |
| eventlet--eventlet | Eventlet is a concurrent networking library for Python. Prior to version 0.40.3, the Eventlet WSGI parser is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer sections. This vulnerability could enable attackers to, bypass front-end security controls, launch targeted attacks against active site users, and poison web caches. This problem has been patched in Eventlet 0.40.3 by dropping trailers which is a breaking change if a backend behind eventlet.wsgi proxy requires trailers. A workaround involves not using eventlet.wsgi facing untrusted clients. | 2025-08-29 | not yet calculated | CVE-2025-58068 |
| Exiv2--exiv2 | Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. An out-of-bounds read was found in Exiv2 versions 0.28.5 and earlier. The out-of-bounds read is triggered when Exiv2 is used to write metadata into a crafted image file. An attacker could potentially exploit the vulnerability to cause a denial of service by crashing Exiv2, if they can trick the victim into running Exiv2 on a crafted image file. Note that this bug is only triggered when writing the metadata, which is a less frequently used Exiv2 operation than reading the metadata. The bug is fixed in version 0.28.6. | 2025-08-29 | not yet calculated | CVE-2025-54080 |
| Exiv2--exiv2 | Exiv2 is a C++ library and a command-line utility to read, write, delete and modify Exif, IPTC, XMP and ICC image metadata. A denial-of-service was found in Exiv2 version 0.28.5: a quadratic algorithm in the ICC profile parsing code in jpegBase::readMetadata() can cause Exiv2 to run for a long time. The denial-of-service is triggered when Exiv2 is used to read the metadata of a crafted jpg image file. The bug is fixed in version 0.28.6. | 2025-08-29 | not yet calculated | CVE-2025-55304 |
| Feijiu Medical Technology Co., Ltd.--Bian Que Feijiu Intelligent Emergency and Quality Control System | An unauthenticated SQL injection vulnerability exists in the GetLyfsByParams endpoint of Bian Que Feijiu Intelligent Emergency and Quality Control System, accessible via the /AppService/BQMedical/WebServiceForFirstaidApp.asmx interface. The backend fails to properly sanitize user-supplied input in the strOpid parameter, allowing attackers to inject arbitrary SQL statements. This can lead to data exfiltration, authentication bypass, and potentially remote code execution, depending on backend configuration. The vulnerability is presumed to affect builds released prior to June 2025 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC. | 2025-08-27 | not yet calculated | CVE-2025-34162 |
| FreePBX--security-reporting | FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator leading to arbitrary database manipulation and remote code execution. This issue has been patched in endpoint versions 15.0.66, 16.0.89, and 17.0.3. | 2025-08-28 | not yet calculated | CVE-2025-57819 |
| Fujian Apex Software Co. Ltd.--LiveBOS | LiveBOS, an object-oriented business architecture middleware suite developed by Apex Software Co., Ltd., contains an arbitrary file upload vulnerability in its UploadFile.do;.js.jsp endpoint. This flaw affects the LiveBOS Server component and allows unauthenticated remote attackers to upload crafted files outside the intended directory structure via path traversal in the filename parameter. Successful exploitation may lead to remote code execution on the server, enabling full system compromise. The vulnerability is presumed to affect builds released prior to August 2024 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-23 UTC. | 2025-08-27 | not yet calculated | CVE-2024-13981 |
| GitHub--Enterprise Server | An improper access control vulnerability was identified in GitHub Enterprise Server that allowed users with access to any repository to retrieve limited code content from another repository by creating a diff between the repositories. To exploit this vulnerability, an attacker needed to know the name of a private repository along with its branches, tags, or commit SHAs that they could use to trigger compare/diff functionality and retrieve limited code without proper authorization. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18, and was fixed in versions 3.14.17, 3.15.12, 3.16.8 and 3.17.5. This vulnerability was reported via the GitHub Bug Bounty program. | 2025-08-26 | not yet calculated | CVE-2025-8447 |
| github.com/gorilla/csrf--github.com/gorilla/csrf | Hosts listed in TrustedOrigins implicitly allow requests from the corresponding HTTP origins, allowing network MitMs to perform CSRF attacks. After the CVE-2025-24358 fix, a network attacker that places a form at http://example.com can't get it to submit to https://example.com because the Origin header is checked with sameOrigin against a synthetic URL. However, if a host is added to TrustedOrigins, both its HTTP and HTTPS origins will be allowed, because the schema of the synthetic URL is ignored and only the host is checked. For example, if an application is hosted on https://example.com and adds example.net to TrustedOrigins, a network attacker can serve a form at http://example.net to perform the attack. Applications should migrate to net/http.CrossOriginProtection, introduced in Go 1.25. If that is not an option, a backport is available as a module at filippo.io/csrf, and a drop-in replacement for the github.com/gorilla/csrf API is available at filippo.io/csrf/gorilla. | 2025-08-29 | not yet calculated | CVE-2025-47909 |
| Google Cloud--Dataform | A path traversal vulnerability in the NPM package installation process of Google Cloud Dataform allows a remote attacker to read and write files in other customers' repositories via a maliciously crafted package.json file. | 2025-08-25 | not yet calculated | CVE-2025-9118 |
| Google--Android | In btif_hh_hsdata_rpt_copy_cb of bta_hh.cc, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege over Bluetooth with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2023-21125 |
| Google--Android | In multiple locations, there is a possible crash loop due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2024-49740 |
| Google--Android | In process_service_attr_rsp of sdp_discovery.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-0074 |
| Google--Android | In process_service_search_attr_req of sdp_server.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-0075 |
| Google--Android | In main of main.cpp, there is a possible way to bypass SELinux due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-0078 |
| Google--Android | In multiple locations, there is a possible way that avdtp and avctp channels could be unencrypted due to a logic error in the code. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-0079 |
| Google--Android | In multiple locations, there is a possible way to overlay the installation confirmation dialog due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-0080 |
| Google--Android | In dng_lossless_decoder::HuffDecode of dng_lossless_jpeg.cpp, there is a possible way to cause a crash due to uninitialized data. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-0081 |
| Google--Android | In multiple functions of StatusHint.java and TelecomServiceImpl.java, there is a possible way to reveal images across users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-0082 |
| Google--Android | In multiple locations, there is a possible way to access content across user profiles due to URI double encoding. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-0083 |
| Google--Android | In multiple locations, there is a possible out of bounds write due to a use after free. This could lead to remote code execution over Bluetooth, if HFP support is enabled, with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-0084 |
| Google--Android | In onResult of AccountManagerService.java, there is a possible way to overwrite auth token due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-0086 |
| Google--Android | In handleBondStateChanged of AdapterService.java, there is a possible permission bypass due to misleading or insufficient UI. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-0092 |
| Google--Android | In handleBondStateChanged of AdapterService.java, there is a possible unapproved data access due to a missing permission check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-0093 |
| Google--Android | In sdp_snd_service_search_req of sdp_discovery.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-22403 |
| Google--Android | In avct_lcb_msg_ind of avct_lcb_act.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-22404 |
| Google--Android | In multiple locations, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-22405 |
| Google--Android | In bnepu_check_send_packet of bnep_utils.cc, there is a possible way to achieve code execution due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-22406 |
| Google--Android | In hidd_check_config_done of hidd_conn.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-22407 |
| Google--Android | In rfc_check_send_cmd of rfc_utils.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-22408 |
| Google--Android | In rfc_send_buf_uih of rfc_ts_frames.cc, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-22409 |
| Google--Android | In multiple locations, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-22410 |
| Google--Android | In process_service_attr_rsp of sdp_discovery.cc, there is a possible use after free due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-22411 |
| Google--Android | In multiple functions of sdp_server.cc, there is a possible use after free due to a logic error in the code. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-22412 |
| Google--Android | In multiple functions of hyp-main.c, there is a possible privilege escalation due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-22413 |
| Google--Android | In checkWhetherCallingAppHasAccess of DownloadProvider.java, there is a possible bypass of user consent when opening files in shared storage due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-26 | not yet calculated | CVE-2025-26417 |
| Google--Chrome | Use after free in ANGLE in Google Chrome prior to 139.0.7258.154 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical) | 2025-08-26 | not yet calculated | CVE-2025-9478 |
| H3C Group--Intelligent Management Center (iMC) | H3C Intelligent Management Center (IMC) versions up to and including E0632H07 contains a remote command execution vulnerability in the /byod/index.xhtml endpoint. Improper handling of JSF ViewState allows unauthenticated attackers to craft POST requests with forged javax.faces.ViewState parameters, potentially leading to arbitrary command execution. This flaw does not require authentication and may be exploited without session cookies. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-28 UTC. | 2025-08-27 | not yet calculated | CVE-2024-13980 |
| Hangzhou Shengqiao Technology Co. Ltd.--St. Joe ERP System ("ERP") | A SQL injection vulnerability exists in the St. Joe ERP system ("圣乔ERP系统") that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login endpoint. The application fails to properly sanitize user-supplied input before incorporating it into SQL queries, enabling direct manipulation of the backend database. Successful exploitation may result in unauthorized data access, modification of records, or limited disruption of service. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-04-14 UTC. | 2025-08-27 | not yet calculated | CVE-2024-13979 |
| Hitron--CGNF-TWN Cable Modem | Hitron CGNF-TWN 3.1.1.43-TWN-pre3 contains a command injection vulnerability in the telnet service. The issue arises due to improper input validation within the telnet command handling mechanism. An attacker can exploit this vulnerability by injecting arbitrary commands through the telnet interface when prompted for inputs or commands. Successful exploitation could lead to remote code execution (RCE) under the privileges of the telnet user, potentially allowing unauthorized access to system settings and sensitive information. | 2025-08-25 | not yet calculated | CVE-2025-44179 |
| Hyundai--Hyundai Navigation App | In Hyundai Navigation App STD5W.EUR.HMC.230516.afa908d, an attacker can inject HTML payloads in the profile name field in navigation app which then get rendered. | 2025-08-27 | not yet calculated | CVE-2025-55618 |
| iND Co.,Ltd--HL330-DLS (for module MC7700) | Multiple products provided by iND Co.,Ltd contain an insecure storage of sensitive information vulnerability. If exploited, configuration information, such as admin password, may be disclosed. As for the details of affected product names and versions, refer to the information under [Product Status]. | 2025-08-29 | not yet calculated | CVE-2025-53507 |
| iND Co.,Ltd--HL330-DLS (for module MC7700) | Multiple products provided by iND Co.,Ltd contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed and sensitive information may be obtained. As for the details of affected product names and versions, refer to the information under [Product Status]. | 2025-08-29 | not yet calculated | CVE-2025-53508 |
| Invoice Ninja--Invoice Ninja | Invoice Ninja's configuration on macOS, specifically the presence of entitlement "com.apple.security.get-task-allow", allows local attackers with unprivileged access (e.g. via a malicious application) to attach a debugger, read or modify the process memory, inject code in the application's context despite being signed with Hardened Runtime and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted permissions requires user interaction with a system prompt asking for permission. According to Apple documentation, when a non-root user runs an app with the debugging tool entitlement, the system presents an authorization dialog asking for a system administrator's credentials. Since there is no prompt when the target process has "get-task-allow" entitlement, the presence of this entitlement was decided to be treated as a vulnerability because it removes one step needed to perform an attack. This issue was fixed in version 5.0.175 | 2025-08-26 | not yet calculated | CVE-2025-8700 |
| Kapsch--TrafficCom RIS-9160, RIS-9260 | Incorrect access control in the SPI Flash Chip of Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 allows physically proximate attackers to arbitrarily modify SPI flash regions, leading to a degradation of the security posture of the device. | 2025-08-26 | not yet calculated | CVE-2025-25733 |
| Konica Minolta, Inc.--Multiple products in bizhub series | Uncaught exception issue exists in Multiple products in bizhub series. If a malformed file is imported as an S/MIME Email certificate, it may cause a denial-of-service issue that disable the Web Connection feature. | 2025-08-29 | not yet calculated | CVE-2025-54777 |
| Liferay--Portal | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 has a security vulnerability that allowing for improper access through the expandoTableLocalService. | 2025-08-29 | not yet calculated | CVE-2025-43773 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tls: separate no-async decryption request handling from async If we're not doing async, the handling is much simpler. There's no reference counting, we just need to wait for the completion to wake us up and return its result. We should preferably also use a separate crypto_wait. I'm not seeing a UAF as I did in the past, I think aec7961916f3 ("tls: fix race between async notify and socket close") took care of it. This will make the next fix easier. | 2025-08-28 | not yet calculated | CVE-2024-58240 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Avoid stack buffer overflow from kernel cmdline While the kernel command line is considered trusted in most environments, avoid writing 1 byte past the end of "acpiid" if the "str" argument is maximum length. | 2025-08-26 | not yet calculated | CVE-2025-38676 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid out-of-boundary access in dnode page As Jiaming Zhang reported: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x1c1/0x2a0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x17e/0x800 mm/kasan/report.c:480 kasan_report+0x147/0x180 mm/kasan/report.c:593 data_blkaddr fs/f2fs/f2fs.h:3053 [inline] f2fs_data_blkaddr fs/f2fs/f2fs.h:3058 [inline] f2fs_get_dnode_of_data+0x1a09/0x1c40 fs/f2fs/node.c:855 f2fs_reserve_block+0x53/0x310 fs/f2fs/data.c:1195 prepare_write_begin fs/f2fs/data.c:3395 [inline] f2fs_write_begin+0xf39/0x2190 fs/f2fs/data.c:3594 generic_perform_write+0x2c7/0x910 mm/filemap.c:4112 f2fs_buffered_write_iter fs/f2fs/file.c:4988 [inline] f2fs_file_write_iter+0x1ec8/0x2410 fs/f2fs/file.c:5216 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x546/0xa90 fs/read_write.c:686 ksys_write+0x149/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf3/0x3d0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f The root cause is in the corrupted image, there is a dnode has the same node id w/ its inode, so during f2fs_get_dnode_of_data(), it tries to access block address in dnode at offset 934, however it parses the dnode as inode node, so that get_dnode_addr() returns 360, then it tries to access page address from 360 + 934 * 4 = 4096 w/ 4 bytes. To fix this issue, let's add sanity check for node id of all direct nodes during f2fs_get_dnode_of_data(). | 2025-08-30 | not yet calculated | CVE-2025-38677 |
| LSTM-Kirigaya--openmcp-client | LSTM-Kirigaya's openmcp-client is a vscode plugin for mcp developer. Prior to version 0.1.12, when users on a Windows platform connect to an attacker controlled MCP server, attackers could provision a malicious authorization server endpoint to silently achieve an OS command injection attack in the open() invocation, leading to client system compromise. This issue has been patched in version 0.1.12. | 2025-08-28 | not yet calculated | CVE-2025-58062 |
| LumaSoft--fotoShare Cloud | Client-side password validation (CWE-602) in lumasoft fotoShare Cloud 2025-03-13 allowing unauthenticated attackers to view password-protected photo albums. | 2025-08-27 | not yet calculated | CVE-2025-56694 |
| lycheeverse--lychee-action | lychee link checking action checks links in Markdown, HTML, and text files using lychee. Prior to version 2.0.2, there is a potential attack of arbitrary code injection vulnerability in lychee-setup of the composite action at action.yml. This issue has been patched in version 2.0.2. | 2025-08-28 | not yet calculated | CVE-2024-48908 |
| MacVim--MacVim | MacVim's configuration on macOS, specifically the presence of entitlement "com.apple.security.get-task-allow", allows local attackers with unprivileged access (e.g. via a malicious application) to attach a debugger, read or modify the process memory, inject code in the application's context despite being signed with Hardened Runtime and bypass Transparency, Consent, and Control (TCC). Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted permissions requires user interaction with a system prompt asking for permission. According to Apple documentation, when a non-root user runs an app with the debugging tool entitlement, the system presents an authorization dialog asking for a system administrator's credentials. Since there is no prompt when the target process has "get-task-allow" entitlement, the presence of this entitlement was decided to be treated as a vulnerability because it removes one step needed to perform an attack. This issue was fixed in build r181.2 | 2025-08-26 | not yet calculated | CVE-2025-8597 |
| MANWAR--CGI::Simple | CGI::Simple versions before 1.282 for Perl has a HTTP response splitting flaw This vulnerability is a confirmed HTTP response splitting flaw in CGI::Simple that allows HTTP response header injection, which can be used for reflected XSS or open redirect under certain conditions. Although some validation exists, it can be bypassed using URL-encoded values, allowing an attacker to inject untrusted content into the response via query parameters. As a result, an attacker can inject a line break (e.g. %0A) into the parameter value, causing the server to split the HTTP response and inject arbitrary headers or even an HTML/JavaScript body, leading to reflected cross-site scripting (XSS), open redirect or other attacks. The issue documented in CVE-2010-4410 https://www.cve.org/CVERecord?id=CVE-2010-4410 is related but the fix was incomplete. Impact By injecting %0A (newline) into a query string parameter, an attacker can: * Break the current HTTP header * Inject a new header or entire body * Deliver a script payload that is reflected in the server's response That can lead to the following attacks: * reflected XSS * open redirect * cache poisoning * header manipulation | 2025-08-29 | not yet calculated | CVE-2025-40927 |
| Meitrack--T366G-L GPS Tracker | Meitrack T366G-L GPS Tracker devices contain an SPI flash chip (Winbond 25Q64JVSIQ) that is accessible without authentication or tamper protection. An attacker with physical access to the device can use a standard SPI programmer to extract the firmware using flashrom. This results in exposure of sensitive configuration data such as APN credentials, backend server information, and network parameter | 2025-08-28 | not yet calculated | CVE-2025-51643 |
| Microsoft--Windows | Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of .LNK files. Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25373. | 2025-08-26 | not yet calculated | CVE-2025-9491 |
| MINOVA Information Services GmbH--TTA | Information disclosure and exposure of authentication FTP credentials over the debug port 1604 in the MINOVA TTA service. This allows unauthenticated remote access to an active FTP account containing sensitive internal data and import structures. In environments where this FTP server is part of automated business processes (e.g. EDI or data integration), this could lead to data manipulation, extraction, or abuse. Debug ports 1602, 1603 and 1636 also expose service architecture information and system activity logs | 2025-08-25 | not yet calculated | CVE-2025-7426 |
| Mitrastar--GPT-2741GNAC-N2 | Mitrastar GPT-2741GNAC-N2 devices are provided with access through ssh into a restricted default shell.The command "deviceinfo show file" is supposed to be used from restricted shell to show files and directories. By providing " /bin/sh" (quotes included) to the argument of this command will drop a root shell. | 2025-08-26 | not yet calculated | CVE-2025-50753 |
| mlc-ai--xgrammar | XGrammar is an open-source library for efficient, flexible, and portable structured generation. Prior to version 0.1.21, XGrammar has an infinite recursion issue in the grammar. This issue has been resolved in version 0.1.21. | 2025-08-25 | not yet calculated | CVE-2025-57809 |
| Mosh-Pro--Mosh-Pro | The configuration of Mosh-Pro on macOS, specifically the "RunAsNode" fuse enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Mosh-Pro TCC (Transparency, Consent, and Control) permissions. Acquired resource access is limited to previously granted permissions by the user. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Mosh-Pro, potentially disguising attacker's malicious intent. This issue was detected in 1.3.2 version of Mosh-Pro. Since authors did not respond to messages from CNA, patching status is unknown. | 2025-08-26 | not yet calculated | CVE-2025-53811 |
| Moxa--Utility for DRP-A100 Series | An Unquoted Search Path vulnerability has been identified in the utility for Moxa's industrial computers (Windows). Due to the unquoted path configuration in the SerialInterfaceService.exe utility, a local attacker with limited privileges could place a malicious executable in a higher-priority directory within the search path. When the Serial Interface service starts, the malicious executable could be run with SYSTEM privileges. Successful exploitation could allow privilege escalation or enable an attacker to maintain persistence on the affected system. While successful exploitation can severely impact the confidentiality, integrity, and availability of the affected device itself, there is no loss of confidentiality, integrity, or availability within any subsequent systems. | 2025-08-25 | not yet calculated | CVE-2025-5191 |
| n/a--AbanteCart | Directory traversal vulnerability in AbanteCart version 1.4.2 allows unauthenticated attackers to gain access to sensitive system files via the template parameter to index.php. | 2025-08-26 | not yet calculated | CVE-2025-50971 |
| n/a--AbanteCart | SQL Injection vulnerability in AbanteCart 1.4.2, allows unauthenticated attackers to execute arbitrary SQL commands via the tmpl_id parameter to index.php. Three techniques have been demonstrated: error-based injection using a crafted FLOOR-based payload, time-based blind injection via SLEEP(), and UNION-based injection to extract arbitrary data. | 2025-08-27 | not yet calculated | CVE-2025-50972 |
| n/a--Adminer | Adminer 4.8.1, when using Monolog for logging, allows a Denial of Service (memory consumption) via a crafted serialized payload (e.g., using s:1000000000), leading to a PHP Object Injection issue. Remote, unauthenticated attackers can trigger this by sending a malicious serialized object, which forces excessive memory usage, rendering Adminer's interface unresponsive and causing a server-level DoS. While the server may recover after several minutes, multiple simultaneous requests can cause a complete crash requiring manual intervention. | 2025-08-25 | not yet calculated | CVE-2025-43960 |
| n/a--Badaso CMS | An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload, enabling an attacker to run arbitrary system commands and achieve full compromise of the underlying host. This has been demonstrated by embedding a backdoor within a PDF and renaming it with a .php extension. | 2025-08-26 | not yet calculated | CVE-2025-52353 |
| n/a--Bevy | The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows CSRF to delete all notifications via the /notifications/delete/ URI. | 2025-08-27 | not yet calculated | CVE-2025-54598 |
| n/a--copyparty | Cross Site Scripting vulnerability in copyparty v.1.9.1 allows a local attacker to execute arbitrary code via a crafted payload to the WEEKEND-PLANS function. | 2025-08-29 | not yet calculated | CVE-2023-41471 |
| n/a--CraftCMS Freeform | Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to editing a form (submission title). | 2025-08-27 | not yet calculated | CVE-2025-52122 |
| n/a--diskover-web | diskover-web v2.3.0 Community Edition is vulnerable to multiple boolean-based blind SQL injection flaws in its Elasticsearch configuration form. Unsanitized user input in POST parameters such as ES_PASS, ES_MAXSIZE, ES_TRANSLOGSIZE, ES_TIMEOUT, ES_USER, ES_HOST, ES_PORT, ES_SCROLLSIZE, ES_CHUNKSIZE and others can be crafted to inject arbitrary SQLite expressions wrapped in JSON functions. By exploiting these injection points, an attacker can infer or extract sensitive information from the underlying database without authentication. This issue stems from improper input validation and parameterization in the application's JSON-based query construction. | 2025-08-27 | not yet calculated | CVE-2025-50984 |
| n/a--diskover-web | diskover-web v2.3.0 Community Edition is vulnerable to multiple reflected cross-site scripting (XSS) flaws in its web interface. Unsanitized GET parameters including maxage, maxindex, index, path, q (query), and doctype are directly echoed into the HTML response, allowing attackers to inject and execute arbitrary JavaScript when a victim visits a maliciously crafted URL. | 2025-08-27 | not yet calculated | CVE-2025-50985 |
| n/a--diskover-web | diskover-web v2.3.0 Community Edition suffers from multiple stored cross-site scripting (XSS) vulnerabilities in its administrative settings interface. Various configuration fields such as ES_HOST, ES_INDEXREFRESH, ES_PORT, ES_SCROLLSIZE, ES_TRANSLOGSIZE, ES_TRANSLOGSYNCINT, EXCLUDES_FILES, FILE_TYPES[], INCLUDES_DIRS, INCLUDES_FILES, and TIMEZONE do not properly sanitize user-supplied input. Malicious payloads submitted via these parameters are persisted in the application and executed whenever an administrator views or edits the settings page. | 2025-08-27 | not yet calculated | CVE-2025-50986 |
| n/a--docmost | Cross Site Scripting vulnerability in docmost v.0.21.0 and before allows an attacker to execute arbitrary code | 2025-08-25 | not yet calculated | CVE-2025-55574 |
| n/a--Evope Core | An issue in Evope Core v.1.1.3.20 allows a local attacker to obtain sensitive information via the use of hard coded cryptographic keys. | 2025-08-29 | not yet calculated | CVE-2025-56577 |
| n/a--FormCMS | FormCms v0.5.5 contains a stored cross-site scripting (XSS) vulnerability in the avatar upload feature. Authenticated users can upload .html files containing malicious JavaScript, which are accessible via a public URL. When a privileged user accesses the file, the script executes in their browser context. | 2025-08-28 | not yet calculated | CVE-2025-56236 |
| n/a--FoxCMS | FoxCMS 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article. This allows attackers to execute arbitrary code. | 2025-08-25 | not yet calculated | CVE-2025-55409 |
| n/a--FoxCMS | In FoxCMS 1.2.6, there is a reflected Cross Site Scripting (XSS) vulnerability in /index.php/plus. | 2025-08-27 | not yet calculated | CVE-2025-55422 |
| n/a--Gitblit | In Gitblit v1.7.1, a reflected cross-site scripting (XSS) vulnerability exists in the way repository path names are handled. By injecting a specially crafted path payload an attacker can cause arbitrary JavaScript to execute when a victim views the manipulated URL. This flaw stems from insufficient input sanitization of filename elements. | 2025-08-27 | not yet calculated | CVE-2025-50978 |
| n/a--Helpy.io | Cross Site Scripting vulnerability in Helpy.io v.2.8.0 allows a remote attacker to escalate privileges via the New Topic Ticket funtion. | 2025-08-26 | not yet calculated | CVE-2025-52184 |
| n/a--IPFire | The Calamaris log exporter CGI (/cgi-bin/logs.cgi/calamaris.dat) in IPFire 2.29 does not properly sanitize user-supplied input before incorporating parameter values into a shell command. An unauthenticated remote attacker can inject arbitrary OS commands by embedding shell metacharacters in any of the following parameters BYTE_UNIT, DAY_BEGIN, DAY_END, HIST_LEVEL, MONTH_BEGIN, MONTH_END, NUM_CONTENT, NUM_DOMAINS, NUM_HOSTS, NUM_URLS, PERF_INTERVAL, YEAR_BEGIN, YEAR_END. | 2025-08-26 | not yet calculated | CVE-2025-50974 |
| n/a--IPFire | IPFire 2.29 web-based firewall interface (firewall.cgi) fails to sanitize several rule parameters such as PROT, SRC_PORT, TGT_PORT, dnatport, key, ruleremark, src_addr, std_net_tgt, and tgt_addr, allowing an authenticated administrator to inject persistent JavaScript. This stored XSS payload is executed whenever another admin views the firewall rules page, enabling session hijacking, unauthorized actions within the interface, or further internal pivoting. Exploitation requires only high-privilege GUI access, and the complexity of the attack is low. | 2025-08-26 | not yet calculated | CVE-2025-50975 |
| n/a--IPFire | IPFire 2.29 DNS management interface (dns.cgi) fails to properly sanitize user-supplied input in the NAMESERVER, REMARK, and TLS_HOSTNAME query parameters, resulting in a reflected cross-site scripting (XSS) vulnerability. | 2025-08-26 | not yet calculated | CVE-2025-50976 |
| n/a--n/a | Incorrect access control in the EEPROM component of Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 allows attackers to replace password hashes stored in the EEPROM with hashes of their own, leading to the escalation of privileges to root. | 2025-08-26 | not yet calculated | CVE-2025-25732 |
| n/a--n/a | Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 was discovered to contain an unauthenticated EFI shell which allows attackers to execute arbitrary code or escalate privileges during the boot process. | 2025-08-26 | not yet calculated | CVE-2025-25734 |
| n/a--n/a | Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 were discovered to lack SPI Protected Range Registers (PRRs), allowing attackers with software running on the system to modify SPI flash in real-time. | 2025-08-26 | not yet calculated | CVE-2025-25735 |
| n/a--n/a | Kapsch TrafficCom RIS-9260 RSU LEO v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 were discovered to contain Android Debug Bridge (ADB) pre-installed (/mnt/c3platpersistent/opt/platform-tools/adb) and enabled by default, allowing unauthenticated root shell access to the cellular modem via the default 'kapsch' user. | 2025-08-26 | not yet calculated | CVE-2025-25736 |
| n/a--n/a | Kapsch TrafficCom RIS-9160 & RIS-9260 Roadside Units (RSUs) v3.2.0.829.23, v3.8.0.1119.42, and v4.6.0.1211.28 were discovered to lack secure password requirements for its BIOS Supervisor and User accounts, allowing attackers to bypass authentication via a bruteforce attack. | 2025-08-26 | not yet calculated | CVE-2025-25737 |
| n/a--n/a | A template injection vulnerability leading to reflected cross-site scripting (XSS) has been identified in version 1.7.1, requiring authenticated admin access for exploitation. The vulnerability exists in the 'r' parameter and allows attackers to inject malicious Angular expressions that execute JavaScript code in the context of the application. The flaw can be exploited through GET requests to the summary endpoint as well as POST requests to specific Wicket interface endpoints, though the GET method provides easier weaponization. This vulnerability enables authenticated administrators to execute arbitrary client-side code, potentially leading to session hijacking, data theft, or further privilege escalation attacks. | 2025-08-27 | not yet calculated | CVE-2025-50977 |
| n/a--n/a | SQL Injection vulnerability exists in the sortKey parameter of the GET /api/v1/wanted/cutoff API endpoint in readarr 0.4.15.2787. The endpoint fails to properly sanitize user-supplied input, allowing attackers to inject and execute arbitrary SQL commands against the backend SQLite database. Sqlmap confirmed exploitation via stacked queries, demonstrating that the parameter can be abused to run arbitrary SQL statements. A heavy query was executed using SQLite's RANDOMBLOB() and HEX() functions to simulate a time-based payload, indicating deep control over database interactions. | 2025-08-27 | not yet calculated | CVE-2025-50983 |
| n/a--n8n-workflow | n8n-workflows Main Commit ee25413 allows attackers to execute a directory traversal via the download_workflow function within api_server.py | 2025-08-26 | not yet calculated | CVE-2025-55526 |
| n/a--NodeBB | NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not properly sanitized, allowing unauthenticated, remote attackers to inject boolean-based blind and PostgreSQL error-based payloads. | 2025-08-27 | not yet calculated | CVE-2025-50979 |
| n/a--NotesCMS | A vulnerability in NotesCMS and specifically in the page /index.php?route=notes. The manipulation of the title of the service descriptions leads to a stored XSS vulnerability. The issue was confirmed to be present in the source code as of commit 7d821a0f028b0778b245b99ab3d3bff1ac10e2d3 (dated 2024-05-08) and was fixed in commit 95322c5121dbd7070f3bd54f2848079654a0a8ea (dated 2025-03-31). The attack can be launched remotely. | 2025-08-26 | not yet calculated | CVE-2025-52035 |
| n/a--NotesCMS | A vulnerability has been found in NotesCMS and classified as medium. Affected by this vulnerability is the page /index.php?route=categories. The manipulation of the title of the service descriptions leads to a stored XSS vulnerability. The issue was confirmed to be present in the source code as of commit 7d821a0f028b0778b245b99ab3d3bff1ac10e2d3 (dated 2024-05-08), and was fixed in commit 95322c5121dbd7070f3bd54f2848079654a0a8ea (dated 2025-03-31). The attack can be launched remotely. CWE Definition of the Vulnerability: CWE-79. | 2025-08-26 | not yet calculated | CVE-2025-52036 |
| n/a--NotesCMS | A vulnerability has been found in NotesCMS and classified as medium. Affected by this vulnerability is the page /index.php?route=sites. The manipulation of the title of the service descriptions leads to a stored XSS vulnerability. The issue was confirmed to be present in the source code as of commit 7d821a0f028b0778b245b99ab3d3bff1ac10e2d3 (dated 2024-05-08), and was fixed in commit 95322c5121dbd7070f3bd54f2848079654a0a8ea (dated 2025-03-31). The attack can be launched remotely. CWE Definition of the Vulnerability: CWE-79. | 2025-08-26 | not yet calculated | CVE-2025-52037 |
| n/a--O2OA | O2OA v9.0.3 was discovered to contain a remote code execution (RCE) vulnerability via the mainOutput() function. | 2025-08-27 | not yet calculated | CVE-2024-37777 |
| n/a--oa_system oasys | SQL injection vulnerability in oa_system oasys v.1.1 allows a remote attacker to execute arbitrary code via the allDirector() method declaration in src/main/java/cn/gson/oasys/mappers/AddressMapper.java | 2025-08-29 | not yet calculated | CVE-2025-44033 |
| n/a--OPNsense | OPNsense 25.1 contains an authenticated command injection vulnerability in its Bridge Interface Edit endpoint (interfaces_bridge_edit.php). The span POST parameter is concatenated into a system-level command without proper sanitization or escaping, allowing an administrator to inject arbitrary shell operators and payloads. Successful exploitation grants RCE with the privileges of the web service (typically root), potentially leading to full system compromise or lateral movement. This vulnerability arises from inadequate input validation and improper handling of user-supplied data in backend command invocations. | 2025-08-27 | not yet calculated | CVE-2025-50989 |
| n/a--PerfreeBlog | PerfreeBlog v4.0.11 has a directory traversal vulnerability in the getThemeFilesByName function. | 2025-08-25 | not yet calculated | CVE-2025-29420 |
| n/a--PerfreeBlog | PerfreeBlog v4.0.11 has an arbitrary file read vulnerability in the getThemeFileContent function. | 2025-08-25 | not yet calculated | CVE-2025-29421 |
| n/a--RaspAP | In RaspAP raspap-webgui 3.3.2 and earlier, a command injection vulnerability exists in the includes/hostapd.php script. The vulnerability is due to improper sanitizing of user input passed via the interface parameter. | 2025-08-27 | not yet calculated | CVE-2025-50428 |
| n/a--Rebuild | Incorrect access control in the prehandle function of Rebuild v3.7.7 allows attackers to bypass authentication via a crafted GET request sent to /commons/ip-location. | 2025-08-25 | not yet calculated | CVE-2024-46412 |
| n/a--Rebuild | Rebuild v3.7.7 was discovered to contain a Server-Side Request Forgery (SSRF) via the type parameter in the com.rebuild.web.admin.rbstore.RBStoreController#loadDataIndex method. | 2025-08-25 | not yet calculated | CVE-2024-46413 |
| n/a--Rebuild | An issue was discovered in getrebuild/rebuild 4.0.4. The affected source code class is com.rebuild.web.RebuildWebInterceptor, and the affected function is preHandle In the filter code, use CodecUtils.urlDecode(request.getRequestURI()) to obtain the URL-decoded request path, and then determine whether the path endsWith /error. If so, execute return true to skip this Interceptor. Else, redirect to /user/login api. Allowing unauthenticated attackers to gain sensitive information or escalated privileges. | 2025-08-25 | not yet calculated | CVE-2025-50900 |
| n/a--simple-admin-core | An issue was discovered in simple-admin-core v1.2.0 thru v1.6.7. The /sys-api/role/update interface in the simple-admin-core system has a limited SQL injection vulnerability, which may lead to partial data leakage or disruption of normal system operations. | 2025-08-27 | not yet calculated | CVE-2025-51667 |
| n/a--SMM Panel | SQL Injection vulnerability in SMM Panel 3.1 allowing remote attackers to gain sensitive information via a crafted HTTP request with action=service_detail. | 2025-08-25 | not yet calculated | CVE-2025-55575 |
| n/a--sparkshop | Insecure Permissions vulnerability in sparkshop v.1.1.7 allows a remote attacker to execute arbitrary code via the Common.php component | 2025-08-25 | not yet calculated | CVE-2025-50722 |
| n/a--spimsimulator | spimsimulator spim v9.1.24 and before is vulnerable to Buffer Overflow in the READ_SYSCALL and WRITE_SYSCALL system calls. The application verifies the legitimacy of the starting and ending addresses for memory read/write operations. By configuring the starting and ending addresses for memory read/write to point to distinct memory segments within the virtual machine, it is possible to circumvent these checks. | 2025-08-28 | not yet calculated | CVE-2025-29364 |
| n/a--System PDV | An issue in System PDV v1.0 allows a remote attacker to obtain sensitive information via the hash parameter in a URL. The application contains an Insecure Direct Object Reference (IDOR) vulnerability, which occurs due to a lack of proper authorization checks when accessing objects referenced by this parameter. This allows direct access to other users' data or internal resources without proper permission. Successful exploitation of this flaw may result in the exposure of sensitive information. | 2025-08-25 | not yet calculated | CVE-2025-45968 |
| n/a--Telpo MDM | Telpo MDM 1.4.6 thru 1.4.9 for Android contains sensitive administrator credentials and MQTT server connection details (IP/port) that are stored in plaintext within log files on the device's external storage. This allows attackers with access to these logs to: 1. Authenticate to the MDM web platform to execute administrative operations (device shutdown/factory reset/software installation); 2. Connect to the MQTT server to intercept/publish device data. | 2025-08-26 | not yet calculated | CVE-2025-55443 |
| n/a--WebErpMesv2 | File upload vulnerability in WebErpMesv2 1.17 in the app/Http/Controllers/FactoryController.php controller. This flaw allows an authenticated attacker to upload arbitrary files, including PHP scripts, which can be accessed via direct GET requests, potentially resulting in remote code execution (RCE) on the web server. | 2025-08-25 | not yet calculated | CVE-2025-52130 |
| Nagios--Nagios XI | Nagios XI < 2024R1.3.2 contains a remote code execution vulnerability by chaining two flaws: an arbitrary file upload and a path traversal in the Core Config Snapshots interface. The issue arises from insufficient validation of file paths and extensions during MIB upload and snapshot rename operations. Exploitation results in the placement of attacker-controlled PHP files in a web-accessible directory, executed as the www-data user. | 2025-08-28 | not yet calculated | CVE-2024-13986 |
| NAVER--NAVER MYBOX Explorer | NAVER MYBOX Explorer for Windows before 3.0.8.133 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM by invoking arbitrary DLLs due to improper privilege checks. | 2025-08-28 | not yet calculated | CVE-2025-58322 |
| NAVER--NAVER MYBOX Explorer | NAVER MYBOX Explorer for Windows before 3.0.8.133 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM by executing arbitrary files due to improper privilege checks. | 2025-08-29 | not yet calculated | CVE-2025-58323 |
| NetScaler--ADC | Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server (OR) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with IPv6 services or servicegroups bound with IPv6 servers (OR) NetScaler ADC and NetScaler Gateway 13.1, 14.1, 13.1-FIPS and NDcPP: LB virtual servers of type (HTTP, SSL or HTTP_QUIC) bound with DBS IPv6 services or servicegroups bound with IPv6 DBS servers (OR) CR virtual server with type HDX | 2025-08-26 | not yet calculated | CVE-2025-7775 |
| NetScaler--ADC | Memory overflow vulnerability leading to unpredictable or erroneous behavior and Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) with PCoIP Profile bounded to it | 2025-08-26 | not yet calculated | CVE-2025-7776 |
| NetScaler--ADC | Improper access control on the NetScaler Management Interface in NetScaler ADC and NetScaler Gateway when an attacker can get access to the appliance NSIP, Cluster Management IP or local GSLB Site IP or SNIP with Management Access | 2025-08-26 | not yet calculated | CVE-2025-8424 |
| NetSupport Ltd.--NetSupport Manager | A heap-based buffer overflow vulnerability in NetSupport Manager 14.x versions prior to 14.12.0000 allows a remote, unauthenticated attacker to cause a denial of service (DoS) or potentially result in arbitrary code execution. | 2025-08-29 | not yet calculated | CVE-2025-34164 |
| NetSupport Ltd.--NetSupport Manager | A stack-based buffer overflow vulnerability in NetSupport Manager 14.x versions prior to 14.12.0000 allows a remote, unauthenticated attacker to cause a denial of service (DoS) or potentially leak a limited amount of memory. | 2025-08-29 | not yet calculated | CVE-2025-34165 |
| norrnext.com--Quantum Mamanger component for Joomla | A stored XSS vulnerability in Quantum Manager component 1.0.0-3.2.0 for Joomla was discovered. The SVG upload feature does not sanitize uploads. | 2025-08-25 | not yet calculated | CVE-2025-54300 |
| norrnext.com--Quantum Mamanger component for Joomla | A stored XSS vulnerability in Quantum Manager component 1.0.0-3.2.0 for Joomla was discovered. File names are not properly escaped. | 2025-08-25 | not yet calculated | CVE-2025-54301 |
| Nozbe--Nozbe | The configuration of Nozbe on macOS, specifically the "RunAsNode" fuse enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Nozbe TCC (Transparency, Consent, and Control) permissions. Acquired resource access is limited to previously granted permissions by the user. Access to other resources beyond granted-permissions requires user interaction with a system prompt asking for permission. This issue was fixed in version 2025.11 of Nozbe. | 2025-08-26 | not yet calculated | CVE-2025-53813 |
| NSFOCUS--SecGate3600 Firewall | SecGate3600, a network firewall product developed by NSFOCUS, contains a sensitive information disclosure vulnerability in the /cgi-bin/authUser/authManageSet.cgi endpoint. The affected component fails to enforce authentication checks on POST requests to retrieve user data. An unauthenticated remote attacker can exploit this flaw to obtain sensitive information, including user identifiers and configuration details, by sending crafted requests to the vulnerable endpoint. An affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-06-18 UTC. | 2025-08-27 | not yet calculated | CVE-2023-7308 |
| Oberon microsystems AG--Oberon PSA Crypto | Padding oracle attack vulnerability in Oberon microsystem AG's Oberon PSA Crypto library in all versions since 1.0.0 and prior to 1.5.1 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations. | 2025-08-29 | not yet calculated | CVE-2025-7383 |
| Oberon microsystems AG--Oberon PSA Crypto | Erroneously using an all-zero seed for RSA-OEAP padding instead of the generated random bytes, in Oberon microsystems AG's Oberon PSA Crypto library in all versions up to 1.5.1, results in deterministic RSA and thus in a loss of confidentiality for guessable messages, recognition of repeated messages, and loss of security proofs. | 2025-08-29 | not yet calculated | CVE-2025-9071 |
| Oberon microsystems AG--ocrypto | Padding oracle attack vulnerability in Oberon microsystem AG's ocrypto library in all versions since 3.1.0 and prior to 3.9.2 allows an attacker to recover plaintexts via timing measurements of AES-CBC PKCS#7 decrypt operations. | 2025-08-29 | not yet calculated | CVE-2025-7071 |
| opencast--opencast | Opencast is a free, open-source platform to support the management of educational audio and video content. In version 18.0 and versions before 17.7, the protections against path traversal attacks in the UI config module are insufficient, still partially allowing for attacks in very specific cases. The path is checked without checking for the file separator. This could allow attackers access to files within another folder which starts with the same path. This issue has been fixed in versions 17.7 and 18.1. To mitigate this issue, check for folders that start with the same path as the ui-config folder. | 2025-08-29 | not yet calculated | CVE-2025-55202 |
| OpenSolution--QuickCMS | QuickCMS is vulnerable to Reflected XSS via sSort parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-08-28 | not yet calculated | CVE-2025-54540 |
| OpenSolution--QuickCMS | QuickCMS is vulnerable to Cross-Site Request Forgery in page deletion functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request deleting an article. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-08-28 | not yet calculated | CVE-2025-54541 |
| OpenSolution--QuickCMS | QuickCMS sends password and login via GET Request. This allows a local attacker with access to the victim's browser history to obtain the necessary credentials to log in as the user. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-08-28 | not yet calculated | CVE-2025-54542 |
| OpenSolution--QuickCMS | QuickCMS is vulnerable to Stored XSS via sDescriptionMeta parameter in page editor SEO functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-08-28 | not yet calculated | CVE-2025-54543 |
| OpenSolution--QuickCMS | QuickCMS is vulnerable to Stored XSS via aDirFilesDescriptions parameter in files editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. By default admin user is not able to add JavaScript into the website. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-08-28 | not yet calculated | CVE-2025-54544 |
| OpenSolution--QuickCMS | QuickCMS is vulnerable to Reflected XSS via sLangEdit parameter in admin's panel functionality. A malicious attacker can craft a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-08-28 | not yet calculated | CVE-2025-55175 |
| OpenText--OpenText Enterprise Security Manager | A Stored Cross-Site Scripting (XSS) vulnerability has been identified in OpenText Enterprise Security Manager. The vulnerability could be remotely exploited. | 2025-08-25 | not yet calculated | CVE-2025-3478 |
| OpenText--OpenText Enterprise Security Manager | An Information Exposure vulnerability has been identified in OpenText Enterprise Security Manager. The vulnerability could be remotely exploited. | 2025-08-25 | not yet calculated | CVE-2025-8997 |
| OpenText--Self Service Password Reset | Improper Input Validation vulnerability in OpenText Self Service Password Reset allows Authentication Bypass.This issue affects Self Service Password Reset from before 4.8 patch 3. | 2025-08-29 | not yet calculated | CVE-2025-5808 |
| parallax--jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to 3.0.2, user control of the first argument of the addImage method results in CPU utilization and denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful PNG file that results in high CPU utilization and denial of service. The vulnerability was fixed in jsPDF 3.0.2. | 2025-08-26 | not yet calculated | CVE-2025-57810 |
| Payload CMS--Payload | Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can be changed). This issue has been fixed in version 3.44.0 of Payload. | 2025-08-29 | not yet calculated | CVE-2025-4643 |
| Payload CMS--Payload | A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user. This issue has been fixed in version 3.44.0 of Payload. | 2025-08-29 | not yet calculated | CVE-2025-4644 |
| PCRE2Project--pcre2 | The PCRE2 library is a set of C functions that implement regular expression pattern matching. In version 10.45, a heap-buffer-overflow read vulnerability exists in the PCRE2 regular expression matching engine, specifically within the handling of the (*scs:...) (Scan SubString) verb when combined with (*ACCEPT) in src/pcre2_match.c. This vulnerability may potentially lead to information disclosure if the out-of-bounds data read during the memcmp affects the final match result in a way observable by the attacker. This issue has been resolved in version 10.46. | 2025-08-27 | not yet calculated | CVE-2025-58050 |
| PFU Limited--ScanSnap Manager installers | Incorrect privilege assignment vulnerability exists in ScanSnap Manager installers versions prior to V6.5L61. If this vulnerability is exploited, an authenticated local attacker may escalate privileges and execute an arbitrary command. | 2025-08-27 | not yet calculated | CVE-2025-57797 |
| phpgurukul--Hospital Management System | phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in add-doctor.php via the docname parameter. | 2025-08-25 | not yet calculated | CVE-2025-56212 |
| phpgurukul--Hospital Management System | phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in index.php via the username parameter. | 2025-08-25 | not yet calculated | CVE-2025-56214 |
| phpgurukul--Hospital Management System | phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in contact.php via the pagetitle parameter. | 2025-08-25 | not yet calculated | CVE-2025-56215 |
| phpgurukul--Hospital Management System | phpgurukul Hospital Management System 4.0 is vulnerable to SQL Injection in about-us.php via the pagetitle parameter. | 2025-08-25 | not yet calculated | CVE-2025-56216 |
| PHPOffice--PhpSpreadsheet | PhpOffice/PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0, SSRF can occur when a processed HTML document is read and displayed in the browser. The vulnerability lies in the setPath method of the PhpOffice\PhpSpreadsheet\Worksheet\Drawing class, where a crafted string from the user is passed to the HTML reader. This issue has been patched in versions 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0. | 2025-08-25 | not yet calculated | CVE-2025-54370 |
| ProjectsAndPrograms--School Management System | A Reflected Cross-site Scripting (XSS) vulnerability exists in the themeSet.php file of ProjectsAndPrograms School Management System 1.0. The application fails to sanitize user-supplied input in the theme POST parameter, allowing an attacker to inject and execute arbitrary JavaScript in a victim's browser. | 2025-08-28 | not yet calculated | CVE-2025-51967 |
| PuneethReddyHC--Online Shopping System Advanced | A SQL Injection vulnerability exists in the action.php file of PuneethReddyHC Online Shopping System Advanced 1.0. The application fails to properly sanitize user-supplied input in the proId POST parameter, allowing attackers to inject arbitrary SQL expressions. | 2025-08-28 | not yet calculated | CVE-2025-51968 |
| PuneethReddyHC--Online Shopping System Advanced | A SQL Injection vulnerability exists in the product.php page of PuneethReddyHC Online Shopping System Advanced 1.0. This flaw is present in the product_id GET parameter, which is not properly validated before being included in a SQL statement. | 2025-08-28 | not yet calculated | CVE-2025-51969 |
| PuneethReddyHC--Online Shopping System Advanced | A reflected Cross-Site Scripting (XSS) vulnerability exists in register.php of PuneethReddyHC Online Shopping System Advanced 1.0. Unsanitized user input in the f_name parameter is reflected in the server response without proper HTML encoding or output escaping. This allows remote attackers to inject arbitrary JavaScript code. | 2025-08-28 | not yet calculated | CVE-2025-51971 |
| PuneethReddyHC--Online Shopping System Advanced | A SQL Injection vulnerability exists in the login.php of PuneethReddyHC Online Shopping System Advanced 1.0 due to improper sanitization of user-supplied input in the keyword POST parameter. | 2025-08-28 | not yet calculated | CVE-2025-51972 |
| python-hyper--h2 | h2 is a pure-Python implementation of a HTTP/2 protocol stack. Prior to version 4.3.0, an HTTP/2 request splitting vulnerability allows attackers to perform request smuggling attacks by injecting CRLF characters into headers. This occurs when servers downgrade HTTP/2 requests to HTTP/1.1 without properly validating header names/values, enabling attackers to manipulate request boundaries and bypass security controls. This issue has been patched in version 4.3.0. | 2025-08-25 | not yet calculated | CVE-2025-57804 |
| Qi'anxin--TianQing Management Center | QiAnXin TianQing Management Center versions up to and including 6.7.0.4130 contain a path traversal vulnerability in the rptsvr component that allows unauthenticated attackers to upload files to arbitrary locations on the server. The /rptsvr/upload endpoint fails to sanitize the filename parameter in multipart form-data requests, enabling path traversal. This allows attackers to place executable files in web-accessible directories, potentially leading to remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-08-23 UTC. | 2025-08-27 | not yet calculated | CVE-2024-13984 |
| Qingdao Dongsheng Weiye Software Co., Ltd.--Dongsheng Logistics Software | Dongsheng Logistics Software exposes an unauthenticated endpoint at /CommMng/Print/UploadMailFile that fails to enforce proper file type validation and access control. An attacker can upload arbitrary files, including executable scripts such as .ashx, via a crafted multipart/form-data POST request. This allows remote code execution on the server, potentially leading to full system compromise. The vulnerability is presumed to affect builds released prior to July 2025 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-23 UTC. | 2025-08-27 | not yet calculated | CVE-2025-34163 |
| QNAP Systems Inc.--File Station 5 | A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4907 and later | 2025-08-29 | not yet calculated | CVE-2025-29874 |
| QNAP Systems Inc.--File Station 5 | A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4907 and later | 2025-08-29 | not yet calculated | CVE-2025-29875 |
| QNAP Systems Inc.--File Station 5 | A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4907 and later | 2025-08-29 | not yet calculated | CVE-2025-29878 |
| QNAP Systems Inc.--File Station 5 | A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4907 and later | 2025-08-29 | not yet calculated | CVE-2025-29879 |
| QNAP Systems Inc.--File Station 5 | A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4907 and later | 2025-08-29 | not yet calculated | CVE-2025-29886 |
| QNAP Systems Inc.--File Station 5 | A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4907 and later | 2025-08-29 | not yet calculated | CVE-2025-29888 |
| QNAP Systems Inc.--File Station 5 | A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4907 and later | 2025-08-29 | not yet calculated | CVE-2025-29889 |
| QNAP Systems Inc.--File Station 5 | An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4907 and later | 2025-08-29 | not yet calculated | CVE-2025-29890 |
| QNAP Systems Inc.--File Station 5 | An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4907 and later | 2025-08-29 | not yet calculated | CVE-2025-29899 |
| QNAP Systems Inc.--File Station 5 | An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4907 and later | 2025-08-29 | not yet calculated | CVE-2025-29900 |
| QNAP Systems Inc.--File Station 5 | A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4933 and later | 2025-08-26 | not yet calculated | CVE-2025-29901 |
| QNAP Systems Inc.--HybridDesk Station | A command injection vulnerability has been reported to affect HybridDesk Station. If an attacker gains local network access, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: HybridDesk Station 4.2.18 and later | 2025-08-29 | not yet calculated | CVE-2025-44015 |
| QNAP Systems Inc.--License Center | A cross-site scripting (XSS) vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: License Center 1.8.51 and later License Center 1.9.51 and later | 2025-08-29 | not yet calculated | CVE-2025-22483 |
| QNAP Systems Inc.--Photo Station | A cross-site scripting (XSS) vulnerability has been reported to affect Photo Station. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: Photo Station 6.4.5 ( 2025/01/02 ) and later | 2025-08-29 | not yet calculated | CVE-2024-12923 |
| QNAP Systems Inc.--Qsync Central | An SQL injection vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later | 2025-08-29 | not yet calculated | CVE-2025-29893 |
| QNAP Systems Inc.--Qsync Central | An SQL injection vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later | 2025-08-29 | not yet calculated | CVE-2025-29894 |
| QNAP Systems Inc.--Qsync Central | An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later | 2025-08-29 | not yet calculated | CVE-2025-29898 |
| QNAP Systems Inc.--Qsync Central | An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later | 2025-08-29 | not yet calculated | CVE-2025-30260 |
| QNAP Systems Inc.--Qsync Central | An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.0 ( 2025/06/13 ) and later | 2025-08-29 | not yet calculated | CVE-2025-30261 |
| QNAP Systems Inc.--Qsync Central | A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.0 ( 2025/06/13 ) and later | 2025-08-29 | not yet calculated | CVE-2025-30262 |
| QNAP Systems Inc.--Qsync Central | A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.0 ( 2025/06/13 ) and later | 2025-08-29 | not yet calculated | CVE-2025-30263 |
| QNAP Systems Inc.--Qsync Central | A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later | 2025-08-29 | not yet calculated | CVE-2025-30275 |
| QNAP Systems Inc.--Qsync Central | An improper certificate validation vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later | 2025-08-29 | not yet calculated | CVE-2025-30277 |
| QNAP Systems Inc.--Qsync Central | An improper certificate validation vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later | 2025-08-29 | not yet calculated | CVE-2025-30278 |
| QNAP Systems Inc.--Qsync Central | A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later | 2025-08-29 | not yet calculated | CVE-2025-33033 |
| QNAP Systems Inc.--Qsync Central | A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later | 2025-08-29 | not yet calculated | CVE-2025-33036 |
| QNAP Systems Inc.--Qsync Central | A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later | 2025-08-29 | not yet calculated | CVE-2025-33037 |
| QNAP Systems Inc.--Qsync Central | A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later | 2025-08-29 | not yet calculated | CVE-2025-33038 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later | 2025-08-29 | not yet calculated | CVE-2025-29882 |
| QNAP Systems Inc.--QTS | A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later | 2025-08-29 | not yet calculated | CVE-2025-30264 |
| QNAP Systems Inc.--QTS | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later | 2025-08-29 | not yet calculated | CVE-2025-30265 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later | 2025-08-29 | not yet calculated | CVE-2025-30267 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later | 2025-08-29 | not yet calculated | CVE-2025-30268 |
| QNAP Systems Inc.--QTS | A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later | 2025-08-29 | not yet calculated | CVE-2025-30270 |
| QNAP Systems Inc.--QTS | A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later | 2025-08-29 | not yet calculated | CVE-2025-30271 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later | 2025-08-29 | not yet calculated | CVE-2025-30272 |
| QNAP Systems Inc.--QTS | An out-of-bounds write vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify or corrupt memory. We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later | 2025-08-29 | not yet calculated | CVE-2025-30273 |
| QNAP Systems Inc.--QTS | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later | 2025-08-29 | not yet calculated | CVE-2025-30274 |
| QNAP Systems Inc.--QTS | A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: QTS 5.2.5.3145 build 20250526 and later QuTS hero h5.2.5.3138 build 20250519 and later | 2025-08-29 | not yet calculated | CVE-2025-33032 |
| QNAP Systems Inc.--QuRouter | A command injection vulnerability has been reported to affect QuRouter 2.5.1. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.5.1.060 and later | 2025-08-29 | not yet calculated | CVE-2025-29887 |
| QNAP Systems Inc.--VioStor | An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: VioStor 5.1.6 build 20250621 and later | 2025-08-29 | not yet calculated | CVE-2025-52856 |
| QNAP Systems Inc.--VioStor | A path traversal vulnerability has been reported to affect VioStor. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: VioStor 5.1.6 build 20250621 and later | 2025-08-29 | not yet calculated | CVE-2025-52861 |
| Raxnet/Ian Berry--Cacti | Cacti versions prior to 0.8.6-d contain a remote command execution vulnerability in the graph_view.php script. An authenticated user can inject arbitrary shell commands via the graph_start GET parameter, which is improperly handled during graph rendering. This flaw allows attackers to execute commands on the underlying operating system with the privileges of the web server process, potentially compromising system integrity. | 2025-08-30 | not yet calculated | CVE-2005-10004 |
| run-llama--run-llama/llama_index | A denial of service vulnerability exists in the JSONReader component of the run-llama/llama_index repository, specifically in version v0.12.37. The vulnerability is caused by uncontrolled recursion when parsing deeply nested JSON files, which can lead to Python hitting its maximum recursion depth limit. This results in high resource consumption and potential crashes of the Python process. The issue is resolved in version 0.12.38. | 2025-08-25 | not yet calculated | CVE-2025-5302 |
| Sangfor Technologies Co. Ltd.--Sangfor Behavior Management System (DC Management System) | Sangfor Behavior Management System (also referred to as DC Management System in Chinese-language documentation) contains an XML external entity (XXE) injection vulnerability in the /src/sangforindex endpoint. A remote unauthenticated attacker can submit crafted XML data containing external entity definitions, leading to potential disclosure of internal files, server-side request forgery (SSRF), or other impacts depending on parser behavior. The vulnerability is due to improper configuration of the XML parser, which allows resolution of external entities without restriction. This product is now integrated into their IAM (Internet Access Management) platform and an affected version range is undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2023-09-06 UTC. | 2025-08-27 | not yet calculated | CVE-2023-7307 |
| SelectZero--Data Observability Platform | SelectZero Data Observability Platform before 2025.5.2 is vulnerable to HTML Injection. Legacy UI fields improperly handle user-supplied input, allowing injection of arbitrary HTML. | 2025-08-26 | not yet calculated | CVE-2025-52217 |
| SelectZero--Data Observability Platform | SelectZero Data Observability Platform before 2025.5.2 is vulnerable to Content Spoofing / Text Injection. Improper sanitization of unspecified parameters allows attackers to inject arbitrary text or limited HTML into the login page. | 2025-08-26 | not yet calculated | CVE-2025-52218 |
| SelectZero--Data Observability Platform | SelectZero SelectZero Data Observability Platform before 2025.5.2 contains an Open Redirect vulnerability. Legacy UI fields can be used to create arbitrary external links via HTML Injection. | 2025-08-26 | not yet calculated | CVE-2025-52219 |
| Shanghai Aishu Information Technology Co., Ltd.--AnyShare | AnyShare contains a critical unauthenticated remote code execution vulnerability in the ServiceAgent API exposed on port 10250. The endpoint /api/ServiceAgent/start_service accepts user-supplied input via POST and fails to sanitize command-like payloads. An attacker can inject shell syntax that is interpreted by the backend, enabling arbitrary command execution. The vulnerability is presumed to affect builds released prior to August 2025 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 UTC. | 2025-08-27 | not yet calculated | CVE-2025-34160 |
| SolidInvoice--SolidInvoice | SolidInvoice 2.3.7 and fixed in v.2.3.8 is vulnerable to Cross Site Scripting (XSS) in the Tax Rate functionality. | 2025-08-29 | not yet calculated | CVE-2025-55579 |
| SolidInvoice--SolidInvoice | SolidInvoice 2.3.7 and v.2.3.8 is vulnerable to Cross Site Scripting (XSS) in the client's functionality. | 2025-08-29 | not yet calculated | CVE-2025-55580 |
| SourceCodester--FAQ Management System | A Stored Cross-Site Scripting (XSS) vulnerability in SourceCodester FAQ Management System 1.0 allows an authenticated attacker to inject malicious JavaScript into the 'question' and 'answer' fields via the update-faq.php endpoint. | 2025-08-26 | not yet calculated | CVE-2025-57425 |
| SUNNET Technology Co., Ltd.--Corporate Training Management System | A missing authentication for critical function vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to access deployment functionality without prior authentication. | 2025-08-30 | not yet calculated | CVE-2025-54942 |
| SUNNET Technology Co., Ltd.--Corporate Training Management System | A missing authorization vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to perform unauthorized application deployment due to the absence of proper access control checks. | 2025-08-30 | not yet calculated | CVE-2025-54943 |
| SUNNET Technology Co., Ltd.--Corporate Training Management System | An unrestricted upload of file with dangerous type vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to write malicious code in a specific file, which may lead to arbitrary code execution. | 2025-08-30 | not yet calculated | CVE-2025-54944 |
| SUNNET Technology Co., Ltd.--Corporate Training Management System | An external control of file name or path vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to execute arbitrary system commands via a malicious file by controlling the destination file path. | 2025-08-30 | not yet calculated | CVE-2025-54945 |
| SUNNET Technology Co., Ltd.--Corporate Training Management System | A SQL injection vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to execute arbitrary SQL commands. | 2025-08-30 | not yet calculated | CVE-2025-54946 |
| Sunway--ForceControl | Sunway ForceControl version 6.1 SP3 and earlier contains a stack-based buffer overflow vulnerability in the SNMP NetDBServer service, which listens on TCP port 2001. The flaw is triggered when the service receives a specially crafted packet using opcode 0x57 with an overly long payload. Due to improper bounds checking during packet parsing, attacker-controlled data overwrites the Structured Exception Handler (SEH), allowing arbitrary code execution in the context of the service. This vulnerability can be exploited remotely without authentication and may lead to full system compromise on affected Windows hosts. | 2025-08-30 | not yet calculated | CVE-2011-10032 |
| sveltejs--devalue | Svelte devalue is a utility library. Prior to version 5.3.2, a string passed to devalue.parse could represent an object with a __proto__ property and devalue.parse does not check that an index is numeric. This could result in assigning prototypes to objects and properties, leading to prototype pollution. This issue has been fixed in version 5.3.2 | 2025-08-26 | not yet calculated | CVE-2025-57820 |
| Tenda--AC10 | Tenda AC10 v4.0 firmware v16.03.10.20 was discovered to contain a stack overflow via the function get_parentControl_list_Info. | 2025-08-28 | not yet calculated | CVE-2025-57215 |
| Tenda--AC10 | Tenda AC10 v4.0 firmware v16.03.10.09_multi_TDE01 was discovered to contain a stack overflow via the Password parameter in the function R7WebsSecurityHandler. | 2025-08-28 | not yet calculated | CVE-2025-57217 |
| Tenda--AC10 | Tenda AC10 v4.0 firmware v16.03.10.09_multi_TDE01 was discovered to contain a stack overflow via the security_5g parameter in the function sub_46284C. | 2025-08-28 | not yet calculated | CVE-2025-57218 |
| Tenda--AC10 | Incorrect access control in the endpoint /goform/ate of Tenda AC10 v4.0 firmware v16.03.10.09_multi_TDE01 allows attackers to escalate privileges or access sensitive components via a crafted request. | 2025-08-28 | not yet calculated | CVE-2025-57219 |
| Tenda--AC10 | An input validation flaw in the 'ate' service of Tenda AC10 v4.0 firmware v16.03.10.09_multi_TDE01 to escalate privileges to root via a crafted UDP packet. | 2025-08-28 | not yet calculated | CVE-2025-57220 |
| Tenda--AC6 | Tenda AC6 V15.03.06.23_multi was discovered to contain a buffer overflow via the list parameter in the fromSetIpMacBind function. | 2025-08-27 | not yet calculated | CVE-2025-55495 |
| Tenda--AC8 | An issue was discovered in Tenda AC8 v4.0 AC1200 Dual-band Gigabit Wireless Router AC8v4.0 Firmware 16.03.33.05. The root password of the device is calculated with a static string and the last two octets of the MAC address of the device. This allows an unauthenticated attacker to authenticate with network services on the device. | 2025-08-28 | not yet calculated | CVE-2025-52054 |
| The-Scratch-Channel--tsc-web-client | The Scratch Channel is a news website. In versions 1 and 1.1, a POST request to the endpoint used to publish articles, can be used to post an article in any category with any date, regardless of who's logged in. This issue has been patched in version 1.2. | 2025-08-25 | not yet calculated | CVE-2025-57805 |
| tokio-rs--tracing | tracing is a framework for instrumenting Rust programs to collect structured, event-based diagnostic information. Prior to version 0.3.20, tracing-subscriber was vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to manipulate terminal title bars, clear screens or modify terminal display, and potentially mislead users through terminal manipulation. tracing-subscriber version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal. A workaround involves avoiding printing logs to terminal emulators without escaping ANSI control sequences. | 2025-08-29 | not yet calculated | CVE-2025-58160 |
| TP-Link Systems Inc.--Archer C7(EU) V2 | The authenticated remote command execution (RCE) vulnerability exists in the Parental Control page on TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9. This issue affects Archer C7(EU) V2: before 241108 and TL-WR841N/ND(MS) V9: before 241108. Both products have reached the status of EOL (end-of-life). It's recommending to purchase the new product to ensure better performance and security. If replacement is not an option in the short term, please use the second reference link to download and install the patch(es). | 2025-08-29 | not yet calculated | CVE-2025-9377 |
| TP-Link Systems Inc.--TP-Link KP303 (US) Smartplug | The TP-Link KP303 Smartplug can be issued unauthenticated protocol commands that may cause unintended power-off condition and potential information leak. This issue affects TP-Link KP303 (US) Smartplug: before 1.1.0. | 2025-08-25 | not yet calculated | CVE-2025-8627 |
| TRENDnet--TV-IP410 | TRENDnet TV-IP410 vA1.0R was discovered to contain an OS command injection vulnerability via the /server/cgi-bin/testserv.cgi component. | 2025-08-29 | not yet calculated | CVE-2024-46484 |
| Ubiquiti Inc--UISP Application | An Improper Input Validation in UISP Application could allow a Command Injection by a malicious actor with High Privileges and local access. | 2025-08-28 | not yet calculated | CVE-2025-48979 |
| WM Downloader--WM Downloader | WM Downloader version 3.1.2.2 is vulnerable to a buffer overflow when processing a specially crafted .m3u playlist file. The application fails to properly validate input length, allowing an attacker to overwrite structured exception handler (SEH) records and execute arbitrary code. Exploitation occurs locally when a user opens the malicious file, and the payload executes with the privileges of the current user. | 2025-08-30 | not yet calculated | CVE-2010-10017 |
| Zhejiang Dahua Technology Co., Ltd.--EIMS | A command injection vulnerability in Dahua EIMS versions prior to 2240008 allows unauthenticated remote attackers to execute arbitrary system commands via the capture_handle.action interface. The flaw stems from improper input validation in the captureCommand parameter, which is processed without sanitization or authentication. By sending crafted HTTP requests, attackers can inject OS-level commands that are executed on the server, leading to full system compromise. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-04-06 UTC. | 2025-08-27 | not yet calculated | CVE-2024-13985 |
| Zhejiang Dahua Technology Co., Ltd.--Smart Park Integrated Management Platform | A path traversal vulnerability exists in the Dahua Smart Park Integrated Management Platform (also referred to as the Dahua Smart Campus Integrated Management Platform), affecting the SOAP-based GIS bitmap upload interface. The flaw allows unauthenticated remote attackers to upload arbitrary files to the server via crafted SOAP requests, including executable JSP payloads. Successful exploitation may lead to remote code execution (RCE) and full compromise of the affected system. The vulnerability is presumed to affect builds released prior to September 2023 and is said to be remediated in newer versions of the product, though the exact affected range remains undefined. Exploitation evidence was first observed by the Shadowserver Foundation on 2024-02-15 UTC. | 2025-08-27 | not yet calculated | CVE-2023-7309 |
| Zhengzhou Jinhui Computer System Engineering Co. Ltd. ; Beijing Dazheng Human Language Technology Academy--Green Dam Youth Escort | Green Dam Youth Escort version 3.17 is vulnerable to a stack-based buffer overflow when processing overly long URLs. The flaw resides in the URL filtering component, which fails to properly validate input length before copying user-supplied data into a fixed-size buffer. A remote attacker can exploit this vulnerability by enticing a user to visit a specially crafted webpage containing a long URL, resulting in arbitrary code execution. | 2025-08-30 | not yet calculated | CVE-2009-20008 |
Vulnerability Summary for the Week of August 18, 2025
Posted on Monday August 25, 2025
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 7ritn--VaulTLS | VaulTLS is a modern solution for managing mTLS (mutual TLS) certificates. Prior to 0.9.1, user accounts created through the User web UI have an empty but not NULL password set, attackers can use this to login with an empty password. This is combined with that fact, that previously disabling the password based login only effected the frontend, but still allowed login via the API. This vulnerability is fixed in 0.9.1. | 2025-08-18 | 9.4 | CVE-2025-55299 |
| _CreativeMedia_--Elite Video Player | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in _CreativeMedia_ Elite Video Player allows Reflected XSS. This issue affects Elite Video Player: from n/a through 10.0.5. | 2025-08-20 | 7.1 | CVE-2025-54044 |
| ads.txt Guru--ads.txt Guru Connect | Cross-Site Request Forgery (CSRF) vulnerability in ads.txt Guru ads.txt Guru Connect allows Cross Site Request Forgery. This issue affects ads.txt Guru Connect: from n/a through 1.1.1. | 2025-08-20 | 9.6 | CVE-2025-49381 |
| advplyr--audiobookshelf | Audiobookshelf is an open-source self-hosted audiobook server. In versions 2.6.0 through 2.26.3, the application does not properly restrict redirect callback URLs during OIDC authentication. An attacker can craft a login link that causes Audiobookshelf to store an arbitrary callback in a cookie, which is later used to redirect the user after authentication. The server then issues a 302 redirect to the attacker-controlled URL, appending sensitive OIDC tokens as query parameters. This allows an attacker to obtain the victim's tokens and perform full account takeover, including creating persistent admin users if the victim is an administrator. Tokens are further leaked via browser history, Referer headers, and server logs. This vulnerability impacts all Audiobookshelf deployments using OIDC; no IdP misconfiguration is required. The issue is fixed in version 2.28.0. No known workarounds exist. | 2025-08-22 | 8.8 | CVE-2025-57800 |
| aiven--aiven-db-migrate | aiven-db-migrate is an Aiven database migration tool. Prior to 1.0.7, there is a privilege escalation vulnerability that allows a user to elevate to superuser inside PostgreSQL databases during a migration from an untrusted source server. By exploiting a lack of search_path restriction, an attacker can override pg_catalog and execute untrusted operators as a superuser. This vulnerability is fixed in 1.0.7. | 2025-08-18 | 9.1 | CVE-2025-55282 |
| aiven--aiven-db-migrate | aiven-db-migrate is an Aiven database migration tool. Prior to 1.0.7, there is a privilege escalation vulnerability that allows elevation to superuser inside PostgreSQL databases during a migration from an untrusted source server. The vulnerability stems from psql executing commands embedded in a dump from the source server. This vulnerability is fixed in 1.0.7. | 2025-08-18 | 9.1 | CVE-2025-55283 |
| Alex Githatu--BuddyPress XProfile Custom Image Field | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Alex Githatu BuddyPress XProfile Custom Image Field allows Path Traversal. This issue affects BuddyPress XProfile Custom Image Field: from n/a through 3.0.1. | 2025-08-20 | 8.6 | CVE-2025-48158 |
| amans2k--FunnelKit Automations Email Marketing Automation and CRM for WordPress & WooCommerce | Multiple FunnelKit plugins are vulnerable to Sensitive Information Exposure via the wf_get_cookie shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including authentication cookies of other site users, which may make privilege escalation possible. Please note both FunnelKit - Funnel Builder for WooCommerce Checkout AND FunnelKit Automations - Email Marketing Automation and CRM for WordPress & WooCommerce are affected by this. | 2025-08-19 | 8.8 | CVE-2025-7654 |
| An-Themes--Pin WP | Unrestricted Upload of File with Dangerous Type vulnerability in An-Themes Pin WP allows Upload a Web Shell to a Web Server.This issue affects Pin WP: from n/a before 7.2. | 2025-08-21 | 9.9 | CVE-2025-53251 |
| arraytics--Eventin AI Powered Event Manager, Events Calendar, Booking and Tickets Plugin | The Events Calendar, Event Booking, Registrations and Event Tickets - Eventin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.0.37 via the proxy_image function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-08-23 | 7.2 | CVE-2025-7813 |
| Ashlar-Vellum--Cobalt | In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing AR files. This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-08-18 | 7.8 | CVE-2025-41392 |
| Ashlar-Vellum--Cobalt | In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing VC6 files. This could lead to a heap-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-08-18 | 7.8 | CVE-2025-46269 |
| Ashlar-Vellum--Cobalt | In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing XE files. This could lead to a heap-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-08-18 | 7.8 | CVE-2025-52584 |
| Ashlar-Vellum--Cobalt | In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing CO files. This could lead to an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-08-18 | 7.8 | CVE-2025-53705 |
| AVEVA--PI Integrator | The vulnerability, if exploited, could allow an authenticated miscreant (with privileges to create or access publication targets of type Text File or HDFS) to upload and persist files that could potentially be executed. | 2025-08-21 | 7.1 | CVE-2025-54460 |
| Basix--NEX-Forms | Cross-Site Request Forgery (CSRF) vulnerability in Basix NEX-Forms allows Cross Site Request Forgery. This issue affects NEX-Forms: from n/a through 9.1.3. | 2025-08-20 | 8.8 | CVE-2025-49399 |
| bdthemes--ZoloBlocks | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bdthemes ZoloBlocks allows PHP Local File Inclusion. This issue affects ZoloBlocks: from n/a through 2.3.2. | 2025-08-20 | 7.5 | CVE-2025-53210 |
| Belkin--AX1800 | A vulnerability was determined in Belkin AX1800 1.1.00.016. Affected by this vulnerability is an unknown functionality of the component Firmware Update Handler. This manipulation causes insufficient verification of data authenticity. The attack can be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-24 | 7.2 | CVE-2025-9379 |
| bencevans--screenshot-desktop | screenshot-desktop allows capturing a screenshot of your local machine. This vulnerability is a command injection issue. When user-controlled input is passed into the format option of the screenshot function, it is interpolated into a shell command without sanitization. This results in arbitrary command execution with the privileges of the calling process. This vulnerability is fixed in 1.15.2. | 2025-08-19 | 9.8 | CVE-2025-55294 |
| Benjamin Denis--SEOPress for MainWP | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Benjamin Denis SEOPress for MainWP allows PHP Local File Inclusion. This issue affects SEOPress for MainWP: from n/a through 1.4. | 2025-08-20 | 7.5 | CVE-2025-48298 |
| bobbingwide--oik | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bobbingwide oik allows Reflected XSS. This issue affects oik: from n/a through 4.15.2. | 2025-08-20 | 7.1 | CVE-2025-54670 |
| Brainstorm Force--SureDash | Incorrect Privilege Assignment vulnerability in Brainstorm Force SureDash allows Privilege Escalation. This issue affects SureDash: from n/a through 1.0.3. | 2025-08-20 | 8.8 | CVE-2025-48164 |
| Bravis-Themes--Bravis User | The Bravis User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.0. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email. | 2025-08-23 | 8.1 | CVE-2025-5060 |
| Case-Themes--Case Theme User | The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.3. This is due to the plugin not properly logging a user in with the data that was previously verified through the facebook_ajax_login_callback(). This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, and access to the administrative user's email. | 2025-08-23 | 9.8 | CVE-2025-5821 |
| Centreon--web | On the monitoring event logs page, it is possible to alter the http request to insert a payload in the DB. Caused by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Centreon web (Monitoring event logs modules) allows SQL Injection. This issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26. | 2025-08-22 | 8.8 | CVE-2025-6791 |
| Centreon--web | User with high privileges is able to introduce a SQLi using the Meta Service indicator page. Caused by an Improper Neutralization of Special Elements used in an SQL Command.This issue affects web: from 24.10.0 before 24.10.9, from 24.04.0 before 24.04.16, from 23.10.0 before 23.10.26. | 2025-08-22 | 7.2 | CVE-2025-4650 |
| CocoBasic--Caliris | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CocoBasic Caliris allows PHP Local File Inclusion. This issue affects Caliris: from n/a through 1.5. | 2025-08-20 | 8.1 | CVE-2025-48160 |
| Cozmoslabs--Paid Member Subscriptions | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Cozmoslabs Paid Member Subscriptions allows PHP Local File Inclusion. This issue affects Paid Member Subscriptions: from n/a through 2.15.4. | 2025-08-20 | 7.5 | CVE-2025-54017 |
| cozmoslabs--WP Webhooks Automate repetitive tasks by creating powerful automation workflows directly within WordPress | The WP Webhooks plugin for WordPress is vulnerable to arbitrary file copy due to missing validation of user-supplied input in all versions up to, and including, 3.3.5. This makes it possible for unauthenticated attackers to copy arbitrary files on the affected site's server to arbitrary locations. This can be used to copy the contents of wp-config.php into a text file which can then be accessed in a browser to reveal database credentials. | 2025-08-21 | 9.8 | CVE-2025-8895 |
| CreativeMindsSolutions--CM Map Locations | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Map Locations allows Reflected XSS. This issue affects CM Map Locations: from n/a through 2.1.6. | 2025-08-20 | 7.1 | CVE-2025-48151 |
| Crocoblock--JetEngine | Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Crocoblock JetEngine allows Code Injection. This issue affects JetEngine: from n/a through 3.7.0. | 2025-08-20 | 8.5 | CVE-2025-53194 |
| dedalx--Cook&Meal | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx Cook&Meal allows PHP Local File Inclusion. This issue affects Cook&Meal: from n/a through 1.2.3. | 2025-08-20 | 8.1 | CVE-2025-48149 |
| Dell--iDRAC Service Module (iSM) | Dell iDRAC Service Module (iSM), versions prior to 6.0.3.0, contains a Buffer Access with Incorrect Length Value vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution and Elevation of privileges. | 2025-08-21 | 7.8 | CVE-2025-38743 |
| DELUCKS--DELUCKS SEO | Incorrect Privilege Assignment vulnerability in DELUCKS DELUCKS SEO allows Privilege Escalation. This issue affects DELUCKS SEO: from n/a through 2.6.0. | 2025-08-20 | 8.8 | CVE-2025-48165 |
| DexignZone--JobZilla - Job Board WordPress Theme | Cross-Site Request Forgery (CSRF) vulnerability in DexignZone JobZilla - Job Board WordPress Theme allows Privilege Escalation. This issue affects JobZilla - Job Board WordPress Theme: from n/a through 2.0. | 2025-08-20 | 8.8 | CVE-2025-49382 |
| digitalzoomstudio--Comments Capcha Box | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in digitalzoomstudio Comments Capcha Box allows Reflected XSS. This issue affects Comments Capcha Box: from n/a through 1.1. | 2025-08-20 | 7.1 | CVE-2025-53226 |
| dimafreund--Rentsyst | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dimafreund Rentsyst allows Reflected XSS. This issue affects Rentsyst: from n/a through 2.0.100. | 2025-08-20 | 7.1 | CVE-2025-48152 |
| directus--directus | Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents (without changes being applied to the files' database-resident metadata) and / or upload new files, with arbitrary content and extensions, which won't show up in the Directus UI. This vulnerability is fixed in 11.9.3. | 2025-08-20 | 9.3 | CVE-2025-55746 |
| ELEXtensions--ReachShip WooCommerce Multi-Carrier & Conditional Shipping | Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ReachShip WooCommerce Multi-Carrier & Conditional Shipping allows Using Malicious Files. This issue affects ReachShip WooCommerce Multi-Carrier & Conditional Shipping: from n/a through 4.3.1. | 2025-08-20 | 9.9 | CVE-2025-53213 |
| Emraan Cheema--CubeWP Framework | Incorrect Privilege Assignment vulnerability in Emraan Cheema CubeWP Framework allows Privilege Escalation. This issue affects CubeWP Framework: from n/a through 1.1.24. | 2025-08-20 | 8.8 | CVE-2025-54735 |
| favethemes--Houzez | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in favethemes Houzez allows PHP Local File Inclusion. This issue affects Houzez: from n/a through 4.0.4. | 2025-08-20 | 8.1 | CVE-2025-53198 |
| FNKvision--Y215 CCTV Camera | A vulnerability was identified in FNKvision Y215 CCTV Camera 10.194.120.40. Affected by this issue is some unknown functionality of the file /etc/passwd of the component Firmware. Such manipulation leads to hard-coded credentials. Local access is required to approach this attack. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-24 | 7.8 | CVE-2025-9380 |
| Fortra--FileCatalyst | Improper Access Control issue in the Workflow component of Fortra's FileCatalyst allows unauthenticated users to upload arbitrary files via the order forms page. | 2025-08-19 | 8.2 | CVE-2025-8450 |
| FunnelKit--Funnel Builder by FunnelKit | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in FunnelKit Funnel Builder by FunnelKit allows PHP Local File Inclusion. This issue affects Funnel Builder by FunnelKit: from n/a through 3.11.1. | 2025-08-20 | 7.5 | CVE-2025-54750 |
| IBM--Concert Software | IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to cause a denial of service using a specially crafted regular expression that would cause excessive resource consumption. | 2025-08-18 | 7.5 | CVE-2025-33090 |
| IBM--Integrated Analytics System | IBM Integrated Analytics System 1.0.0.0 through 1.0.30.0 could allow an authenticated user to upload a file with dangerous types that could be executed by another user if opened. | 2025-08-24 | 8 | CVE-2025-36174 |
| IBM--Jazz Foundation | IBM Jazz Foundation 7.0.2 to 7.0.2 iFix035, 7.0.3 to 7.0.3 iFix018, and 7.1.0 to 7.1.0 iFix004 could allow an unauthenticated remote attacker to update server property files that would allow them to perform unauthorized actions. | 2025-08-24 | 9.8 | CVE-2025-36157 |
| IBM--QRadar SIEM | IBM QRadar SIEM 7.5 through 7.5.0 UP13 could allow an authenticated user to escalate their privileges via a misconfigured cronjob due to execution with unnecessary privileges. | 2025-08-22 | 7.8 | CVE-2025-33120 |
| IBM--Storage Virtualize | IBM Storage Virtualize 8.4, 8.5, 8.6, and 8.7 could allow an authenticated user to escalate their privileges in an SSH session due to incorrect authorization checks to access resources. | 2025-08-18 | 8.8 | CVE-2025-36120 |
| imithemes--Real Spaces - WordPress Properties Directory Theme | The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imic_agent_register' function in all versions up to, and including, 3.6. This is due to a lack of restriction in the registration role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during user registration. | 2025-08-19 | 9.8 | CVE-2025-6758 |
| imithemes--Real Spaces - WordPress Properties Directory Theme | The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'change_role_member' parameter in all versions up to, and including, 3.5. This is due to a lack of restriction in the profile update role. This makes it possible for unauthenticated attackers to arbitrarily choose their role, including the Administrator role, during a profile update. | 2025-08-19 | 8.8 | CVE-2025-8218 |
| INFINITT Healthcare--INFINITT PACS System Manager | Unauthorized users can access INFINITT PACS System Manager without proper authorization, which could lead to unauthorized access to system resources. | 2025-08-21 | 7.5 | CVE-2025-27721 |
| itsourcecode--Apartment Management System | A vulnerability was identified in itsourcecode Apartment Management System 1.0. Affected by this issue is some unknown functionality of the file /fair/addfair.php. The manipulation of the argument ID leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2025-08-21 | 7.3 | CVE-2025-9311 |
| itsourcecode--Online Tour and Travel Management System | A flaw has been found in itsourcecode Online Tour and Travel Management System 1.0. This issue affects some unknown processing of the file /user/page-login.php. This manipulation of the argument email causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2025-08-19 | 7.3 | CVE-2025-9154 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1.0. Impacted is an unknown function of the file /user/forget_password.php. Such manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-19 | 7.3 | CVE-2025-9155 |
| itsourcecode--Sports Management System | A vulnerability was found in itsourcecode Sports Management System 1.0. The affected element is an unknown function of the file /Admin/sports.php. Performing manipulation of the argument code results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-08-19 | 7.3 | CVE-2025-9156 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07.1 privilege escalation was possible due to incorrect directory ownership | 2025-08-20 | 7.5 | CVE-2025-57732 |
| JetBrains--YouTrack | In JetBrains YouTrack before 2025.2.92387 stored XSS was possible via Mermaid diagram content | 2025-08-20 | 8.7 | CVE-2025-57731 |
| Jordy Meow--Code Engine | Improper Control of Generation of Code ('Code Injection') vulnerability in Jordy Meow Code Engine allows Remote Code Inclusion. This issue affects Code Engine: from n/a through 0.3.3. | 2025-08-20 | 9.9 | CVE-2025-48169 |
| kristoferfannar--eslint-ban-moment | eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could lead to data exfiltration, modification or deletion. | 2025-08-21 | 9.8 | CVE-2025-57754 |
| LambertGroup--Apollo - Sticky Full Width HTML5 Audio Player | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Apollo - Sticky Full Width HTML5 Audio Player allows Reflected XSS. This issue affects Apollo - Sticky Full Width HTML5 Audio Player: from n/a through 3.4. | 2025-08-20 | 7.1 | CVE-2025-48168 |
| LambertGroup--HTML5 Radio Player - WPBakery Page Builder Addon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Radio Player - WPBakery Page Builder Addon allows Reflected XSS. This issue affects HTML5 Radio Player - WPBakery Page Builder Addon: from n/a through 2.5. | 2025-08-20 | 7.1 | CVE-2025-53564 |
| LambertGroup--Multimedia Playlist Slider Addon for WPBakery Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Multimedia Playlist Slider Addon for WPBakery Page Builder allows Reflected XSS. This issue affects Multimedia Playlist Slider Addon for WPBakery Page Builder: from n/a through 2.1. | 2025-08-20 | 7.1 | CVE-2025-48154 |
| LambertGroup--Radio Player Shoutcast & Icecast | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Radio Player Shoutcast & Icecast allows Reflected XSS. This issue affects Radio Player Shoutcast & Icecast: from n/a through 4.4.7. | 2025-08-20 | 7.1 | CVE-2025-53205 |
| LambertGroup--Responsive HTML5 Audio Player PRO With Playlist | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Responsive HTML5 Audio Player PRO With Playlist allows Reflected XSS. This issue affects Responsive HTML5 Audio Player PRO With Playlist: from n/a through 3.5.8. | 2025-08-20 | 7.1 | CVE-2025-54056 |
| LambertGroup--Revolution Video Player With Bottom Playlist | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Revolution Video Player With Bottom Playlist allows Reflected XSS. This issue affects Revolution Video Player With Bottom Playlist: from n/a through 2.9.2. | 2025-08-20 | 7.1 | CVE-2025-53212 |
| LambertGroup--SHOUT - HTML5 Radio Player With Ads - ShoutCast and IceCast Support | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup SHOUT - HTML5 Radio Player With Ads - ShoutCast and IceCast Support allows Reflected XSS. This issue affects SHOUT - HTML5 Radio Player With Ads - ShoutCast and IceCast Support: from n/a through 3.5.4. | 2025-08-20 | 7.1 | CVE-2025-48163 |
| LambertGroup--Universal Video Player - Addon for WPBakery Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player - Addon for WPBakery Page Builder allows Reflected XSS. This issue affects Universal Video Player - Addon for WPBakery Page Builder: from n/a through 3.2.1. | 2025-08-20 | 7.1 | CVE-2025-48170 |
| LambertGroup--Universal Video Player - Addon for WPBakery Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player - Addon for WPBakery Page Builder allows Reflected XSS. This issue affects Universal Video Player - Addon for WPBakery Page Builder: from n/a through 3.2.1. | 2025-08-20 | 7.1 | CVE-2025-53559 |
| LambertGroup--Universal Video Player - Addon for WPBakery Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Universal Video Player - Addon for WPBakery Page Builder allows Reflected XSS. This issue affects Universal Video Player - Addon for WPBakery Page Builder: from n/a through 3.2.1. | 2025-08-20 | 7.1 | CVE-2025-53562 |
| LambertGroup--Youtube Vimeo Video Player and Slider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Youtube Vimeo Video Player and Slider allows Reflected XSS. This issue affects Youtube Vimeo Video Player and Slider: from n/a through 3.8. | 2025-08-20 | 7.1 | CVE-2025-53563 |
| LambertGroup--Youtube Vimeo Video Player and Slider WP Plugin | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Youtube Vimeo Video Player and Slider WP Plugin allows Reflected XSS. This issue affects Youtube Vimeo Video Player and Slider WP Plugin: from n/a through 3.8. | 2025-08-20 | 7.1 | CVE-2025-48159 |
| Lenovo--PC Manager | An improper permission vulnerability was reported in Lenovo PC Manager that could allow a local attacker to escalate privileges. | 2025-08-18 | 7.8 | CVE-2025-8098 |
| Lexmark--Lexmark Cloud Services | A missing authorization vulnerability in Lexmark Cloud Services badge management allows attacker to reassign badges within their organization | 2025-08-19 | 8.5 | CVE-2025-4046 |
| Lexmark--Universal Print Driver | Improper Restriction of XML External Entity Reference in various Lexmark printer drivers for Windows allows attacker to disclose sensitive information to an arbitrary URL. | 2025-08-19 | 8.2 | CVE-2025-4044 |
| Linksys--RE6250 | A vulnerability was detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This issue affects the function WPSSTAPINEnr of the file /goform/WPSSTAPINEnr. Performing manipulation of the argument ssid results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 8.8 | CVE-2025-9245 |
| Linksys--RE6250 | A flaw has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Impacted is the function check_port_conflict of the file /goform/check_port_conflict. Executing manipulation of the argument single_port_rule/port_range_rule can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 8.8 | CVE-2025-9246 |
| Linksys--RE6250 | A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. The affected element is the function setVlan of the file /goform/setVlan. The manipulation of the argument vlan_set leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 8.8 | CVE-2025-9247 |
| Linksys--RE6250 | A vulnerability was found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. The impacted element is the function RP_pingGatewayByBBS of the file /goform/RP_pingGatewayByBBS. The manipulation of the argument ssidhex results in stack-based buffer overflow. The attack may be performed from a remote location. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 8.8 | CVE-2025-9248 |
| Linksys--RE6250 | A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function DHCPReserveAddGroup of the file /goform/DHCPReserveAddGroup. This manipulation of the argument enable_group/name_group/ip_group/mac_group causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 8.8 | CVE-2025-9249 |
| Linksys--RE6250 | A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This impacts the function setPWDbyBBS of the file /goform/setPWDbyBBS. Such manipulation of the argument hint leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 8.8 | CVE-2025-9250 |
| Linksys--RE6250 | A security flaw has been discovered in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected is the function sta_wps_pin of the file /goform/sta_wps_pin. Performing manipulation of the argument Ssid results in stack-based buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 8.8 | CVE-2025-9251 |
| Linksys--RE6250 | A weakness has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this vulnerability is the function DisablePasswordAlertRedirect of the file /goform/DisablePasswordAlertRedirect. Executing manipulation of the argument hint can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 8.8 | CVE-2025-9252 |
| Linksys--RE6250 | A security vulnerability has been detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this issue is the function RP_doSpecifySiteSurvey of the file /goform/RP_doSpecifySiteSurvey. The manipulation of the argument ssidhex leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 8.8 | CVE-2025-9253 |
| Linksys--RE6250 | A vulnerability was found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this vulnerability is the function scheduleAdd of the file /goform/scheduleAdd. Performing manipulation of the argument ruleName results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-22 | 8.8 | CVE-2025-9355 |
| Linksys--RE6250 | A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this issue is the function inboundFilterAdd of the file /goform/inboundFilterAdd. Executing manipulation of the argument ruleName can lead to stack-based buffer overflow. The attack may be performed from a remote location. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-22 | 8.8 | CVE-2025-9356 |
| Linksys--RE6250 | A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function langSwitchByBBS of the file /goform/langSwitchByBBS. The manipulation of the argument langSelectionOnly leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-23 | 8.8 | CVE-2025-9357 |
| Linksys--RE6250 | A security flaw has been discovered in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function setSysAdm of the file /goform/setSysAdm. The manipulation of the argument admpasshint results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-23 | 8.8 | CVE-2025-9358 |
| Linksys--RE6250 | A weakness has been identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This issue affects the function RP_checkCredentialsByBBS of the file /goform/RP_checkCredentialsByBBS. This manipulation of the argument ssidhex/pwd causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-23 | 8.8 | CVE-2025-9359 |
| Linksys--RE6250 | A security vulnerability has been detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Impacted is the function accessControlAdd of the file /goform/accessControlAdd. Such manipulation of the argument ruleName/schedule leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-23 | 8.8 | CVE-2025-9360 |
| Linksys--RE6250 | A vulnerability was detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. The affected element is the function ipRangeBlockManageRule of the file /goform/ipRangeBlockManageRule. Performing manipulation of the argument ipRangeBlockRuleName/scheduleIp/ipRangeBlockRuleIpAddr results in stack-based buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-23 | 8.8 | CVE-2025-9361 |
| Linksys--RE6250 | A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function portTriggerManageRule of the file /goform/portTriggerManageRule. The manipulation of the argument triggerRuleName/schedule leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-23 | 8.8 | CVE-2025-9363 |
| Linksys--RE6250 | A security vulnerability has been detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This affects the function qosClassifier of the file /goform/qosClassifier. Such manipulation of the argument dir/sFromPort/sToPort/dFromPort/dToPort/protocol/layer7/dscp/remark_dscp leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-24 | 8.8 | CVE-2025-9392 |
| Linksys--RE6250 | A vulnerability was detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function addStaProfile of the file /goform/addStaProfile. Performing manipulation of the argument profile_name/Ssid/wep_key_1/wep_key_2/wep_key_3/wep_key_4/wep_key_length/wep_default_key/cipher/passphrase results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-24 | 8.8 | CVE-2025-9393 |
| magepeopleteam--Taxi Booking Manager for WooCommerce | Authentication Bypass Using an Alternate Path or Channel vulnerability in magepeopleteam Taxi Booking Manager for WooCommerce allows Authentication Abuse. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 1.3.0. | 2025-08-20 | 9.8 | CVE-2025-54713 |
| ManageEngine--Asset Explorer | There is an improper privilege management vulnerability identified in ManageEngine's Asset Explorer, ServiceDesk Plus, ServiceDesk Plus MSP, and SupportCenter Plus products by Zohocorp. This vulnerability impacts Asset Explorer versions before 7710, ServiceDesk Plus versions before 15110, ServiceDesk Plus MSP versions before 14940, and SupportCenter Plus versions before 14940. | 2025-08-20 | 8.1 | CVE-2025-8309 |
| Max Chirkov--Simple Login Log | Deserialization of Untrusted Data vulnerability in Max Chirkov Simple Login Log allows Object Injection. This issue affects Simple Login Log: from n/a through 1.1.3. | 2025-08-20 | 7.2 | CVE-2025-49438 |
| mecanik--Cloudflare Image Resizing Optimize & Accelerate Your Images | The Cloudflare Image Resizing plugin for WordPress is vulnerable to Remote Code Execution due to missing authentication and insufficient sanitization within its hook_rest_pre_dispatch() method in all versions up to, and including, 1.5.6. This makes it possible for unauthenticated attackers to inject arbitrary PHP into the codebase, achieving remote code execution. | 2025-08-19 | 9.8 | CVE-2025-8723 |
| meshtastic--firmware | Meshtastic is an open source mesh networking solution. Prior to v2.6.3, an attacker can send NodeInfo with a empty publicKey first, then overwrite it with a new key. First sending a empty key bypasses 'if (p.public_key.size > 0) {', clearing the existing publicKey (and resetting the size to 0) for a known node. Then a new key bypasses 'if (info->user.public_key.size > 0) {', and this malicious key is stored in NodeDB. This vulnerability is fixed in 2.6.3. | 2025-08-18 | 9.4 | CVE-2025-55293 |
| Michele Giorgi--Formality | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Michele Giorgi Formality allows PHP Local File Inclusion. This issue affects Formality: from n/a through 1.5.9. | 2025-08-20 | 8.1 | CVE-2025-48157 |
| Microsoft--Microsoft PC Manager | Improper authorization in Microsoft PC Manager allows an unauthorized attacker to elevate privileges over a network. | 2025-08-21 | 9.1 | CVE-2025-53795 |
| Microsoft--Microsoft Purview Data Governance | Improper access control in Azure Databricks allows an unauthorized attacker to elevate privileges over a network. | 2025-08-21 | 9.8 | CVE-2025-53763 |
| Microsoft--Windows 10 Version 1809 | Untrusted pointer dereference in Windows MBT Transport driver allows an authorized attacker to elevate privileges locally. | 2025-08-21 | 7.8 | CVE-2025-55230 |
| Microsoft--Windows Server 2019 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Storage allows an unauthorized attacker to execute code over a network. | 2025-08-21 | 7.5 | CVE-2025-55231 |
| Miguel Useche--JS Archive List | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Miguel Useche JS Archive List allows SQL Injection. This issue affects JS Archive List: from n/a through n/a. | 2025-08-20 | 9.3 | CVE-2025-54726 |
| miniOrange--Custom API for WP | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in miniOrange Custom API for WP allows SQL Injection. This issue affects Custom API for WP: from n/a through 4.2.2. | 2025-08-20 | 9.3 | CVE-2025-54048 |
| miniOrange--Custom API for WP | Incorrect Privilege Assignment vulnerability in miniOrange Custom API for WP allows Privilege Escalation. This issue affects Custom API for WP: from n/a through 4.2.2. | 2025-08-20 | 9.9 | CVE-2025-54049 |
| Mitchell Bennis--Simple File List | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List allows Path Traversal. This issue affects Simple File List: from n/a through 6.1.14. | 2025-08-20 | 7.5 | CVE-2025-54021 |
| Mitsubishi Electric Europe--smartRTU | A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy or delete information in Mitsubishi Electric smartRTU, or cause a denial-of service condition on the product. | 2025-08-21 | 9.8 | CVE-2025-3128 |
| Mouy-leng--GenX_FX | GenX_FX is an advance IA trading platform that will focus on forex trading. A vulnerability was identified in the GenX FX backend where API keys and authentication tokens may be exposed if environment variables are misconfigured. Unauthorized users could gain access to cloud resources (Google Cloud, Firebase, GitHub, etc.). | 2025-08-19 | 9.8 | CVE-2025-55306 |
| N-able--N-central | On N-central, it is possible for any authenticated user to read, write and modify syslog configuration across customers on an N-central server. This vulnerability is present in all deployments of N-central prior to 2025.2. | 2025-08-21 | 8.3 | CVE-2025-7051 |
| n8n-io--n8n | n8n is a workflow automation platform. From 1.77.0 to before 1.98.2, a stored Cross-Site Scripting (XSS) vulnerability was identified in n8n, specifically in the Form Trigger node's HTML form element. An authenticated attacker can inject malicious HTML via an <iframe> with a srcdoc payload that includes arbitrary JavaScript execution. The attacker can also inject malicious Javascript by using <video> coupled <source> using an onerror event. While using iframe or a combination of video and source tag, this vulnerability allows for Account Takeover (ATO) by exfiltrating n8n-browserId and session cookies from authenticated users who visit a maliciously crafted form. Using these tokens and cookies, an attacker can impersonate the victim and change account details such as email addresses, enabling full control over the account-especially if 2FA is not enabled. Users should upgrade to version >= 1.98.2. | 2025-08-19 | 8.7 | CVE-2025-52478 |
| NamelessMC--Nameless | NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.3 allows remote authenticated attackers to inject arbitrary web script or HTML via the dashboard text editor component. This vulnerability is fixed in 2.2.4. | 2025-08-18 | 9.1 | CVE-2025-54117 |
| NamelessMC--Nameless | NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Cross-site scripting (XSS) vulnerability in NamelessMC before 2.2.4 allows remote authenticated attackers to inject arbitrary web script or HTML via the default_keywords crafted parameter. This vulnerability is fixed in 2.2.4. | 2025-08-18 | 7.2 | CVE-2025-54421 |
| nanbu--Welcart e-Commerce | Deserialization of Untrusted Data vulnerability in nanbu Welcart e-Commerce allows Object Injection. This issue affects Welcart e-Commerce: from n/a through 2.11.16. | 2025-08-20 | 7.2 | CVE-2025-54012 |
| nK--Ghost Kit | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nK Ghost Kit allows PHP Local File Inclusion. This issue affects Ghost Kit: from n/a through 3.4.1. | 2025-08-20 | 8.1 | CVE-2025-53567 |
| NooTheme--Jobmonster | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster allows Reflected XSS. This issue affects Jobmonster: from n/a through 4.7.8. | 2025-08-20 | 7.1 | CVE-2025-53201 |
| ovatheme--eventlist | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme eventlist allows PHP Local File Inclusion. This issue affects eventlist: from n/a through 1.9.2. | 2025-08-20 | 8.1 | CVE-2025-53204 |
| paymayapg--Maya Business | Authorization Bypass Through User-Controlled Key vulnerability in paymayapg Maya Business allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Maya Business: from n/a through 1.2.0. | 2025-08-20 | 7.5 | CVE-2025-53208 |
| PHPGurukul--Online Course Registration | A flaw has been found in PHPGurukul Online Course Registration 3.1. This affects an unknown function of the file /admin/session.php. This manipulation of the argument sesssion causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2025-08-21 | 7.3 | CVE-2025-9307 |
| PHPGurukul--User Management System | A vulnerability was identified in PHPGurukul User Management System 1.0. This vulnerability affects unknown code of the file /signup.php. Such manipulation of the argument emailid leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. | 2025-08-21 | 7.3 | CVE-2025-9302 |
| PickPlugins--Post Grid and Gutenberg Blocks | Deserialization of Untrusted Data vulnerability in PickPlugins Post Grid and Gutenberg Blocks allows Object Injection. This issue affects Post Grid and Gutenberg Blocks: from n/a through 2.3.11. | 2025-08-20 | 8.8 | CVE-2025-54007 |
| Pik Online Yazlm zmleri A..--Pik Online | Server-Side Request Forgery (SSRF) vulnerability in Pik Online Yazılım Çözümleri A.Ş. Pik Online allows Server Side Request Forgery.This issue affects Pik Online: before 3.1.5. | 2025-08-20 | 8.6 | CVE-2025-5260 |
| Pik Online Yazlm zmleri A..--Pik Online | Authorization Bypass Through User-Controlled Key vulnerability in Pik Online Yazılım Çözümleri A.Ş. Pik Online allows Exploitation of Trusted Identifiers.This issue affects Pik Online: before 3.1.5. | 2025-08-20 | 7.5 | CVE-2025-5261 |
| projectcapsule--capsule | Capsule is a multi-tenancy and policy-based framework for Kubernetes. A namespace label injection vulnerability in Capsule v0.10.3 and earlier allows authenticated tenant users to inject arbitrary labels into system namespaces (kube-system, default, capsule-system), bypassing multi-tenant isolation and potentially accessing cross-tenant resources through TenantResource selectors. This vulnerability enables privilege escalation and violates the fundamental security boundaries that Capsule is designed to enforce. This vulnerability is fixed in 0.10.4. | 2025-08-18 | 9.1 | CVE-2025-55205 |
| QuanticaLabs--MediCenter - Health Medical Clinic | Deserialization of Untrusted Data vulnerability in QuanticaLabs MediCenter - Health Medical Clinic allows Object Injection. This issue affects MediCenter - Health Medical Clinic: from n/a through 15.1. | 2025-08-20 | 9.8 | CVE-2025-54014 |
| quantumcloud--Simple Business Directory Pro | Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro allows Privilege Escalation. This issue affects Simple Business Directory Pro: from n/a through n/a. | 2025-08-20 | 9.8 | CVE-2025-53580 |
| quantumcloud--Simple Business Directory Pro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in quantumcloud Simple Business Directory Pro allows Reflected XSS. This issue affects Simple Business Directory Pro: from n/a through 15.5.1. | 2025-08-20 | 7.1 | CVE-2025-48162 |
| quantumcloud--Simple Link Directory | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in quantumcloud Simple Link Directory allows Reflected XSS. This issue affects Simple Link Directory: from n/a through n/a. | 2025-08-20 | 7.1 | CVE-2025-48297 |
| RadiusTheme--Widget for Google Reviews | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Widget for Google Reviews allows PHP Local File Inclusion. This issue affects Widget for Google Reviews: from n/a through 1.0.15. | 2025-08-20 | 8.1 | CVE-2025-53565 |
| Raptive--Raptive Ads | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raptive Raptive Ads allows Reflected XSS. This issue affects Raptive Ads: from n/a through 3.8.0. | 2025-08-20 | 7.1 | CVE-2025-53319 |
| rascals--Noisa | Deserialization of Untrusted Data vulnerability in rascals Noisa allows Object Injection. This issue affects Noisa: from n/a through 2.6.0. | 2025-08-20 | 8.8 | CVE-2025-53560 |
| Realtyna--Realtyna Organic IDX plugin | Cross-Site Request Forgery (CSRF) vulnerability in Realtyna Realtyna Organic IDX plugin allows PHP Local File Inclusion. This issue affects Realtyna Organic IDX plugin: from n/a through 5.0.0. | 2025-08-20 | 7.5 | CVE-2025-54052 |
| RooCodeInc--Roo-Code | Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions prior to 3.25.5, Roo-Code fails to properly handle process substitution and single ampersand characters in the command parsing logic for auto-execute commands. If a user has enabled auto-approved execution for a command such as ls, an attacker who can submit crafted prompts to the agent may inject arbitrary commands to be executed alongside the intended command. Exploitation requires attacker access to submit prompts and for the user to have enabled auto-approved command execution, which is disabled by default. This vulnerability could allow an attacker to execute arbitrary code. The issue is fixed in version 3.25.5. | 2025-08-22 | 8.1 | CVE-2025-57771 |
| Roxnor--FundEngine | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Roxnor FundEngine allows PHP Local File Inclusion. This issue affects FundEngine: from n/a through 1.7.4. | 2025-08-20 | 7.5 | CVE-2025-48302 |
| Saad Iqbal--Bookify | Incorrect Privilege Assignment vulnerability in Saad Iqbal Bookify allows Privilege Escalation. This issue affects Bookify: from n/a through 1.0.9. | 2025-08-20 | 8.8 | CVE-2025-48142 |
| SaifuMak--Add Custom Codes | Improper Control of Generation of Code ('Code Injection') vulnerability in SaifuMak Add Custom Codes allows Code Injection. This issue affects Add Custom Codes: from n/a through 4.80. | 2025-08-20 | 7.5 | CVE-2025-30975 |
| Saleswonder Team Tobias--CF7 WOW Styler | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Saleswonder Team Tobias CF7 WOW Styler allows PHP Local File Inclusion. This issue affects CF7 WOW Styler: from n/a through 1.7.2. | 2025-08-20 | 7.5 | CVE-2025-54028 |
| Santesoft--Sante PACS Server | The Sante PACS Server allows a remote attacker to crash the main thread by sending a crafted HL7 message, causing a denial-of-service condition. The application would require a manual restart and no authentication is required. | 2025-08-18 | 7.5 | CVE-2025-53948 |
| Santesoft--Sante PACS Server | The Sante PACS Server Web Portal sends credential information without encryption. | 2025-08-18 | 7.4 | CVE-2025-54156 |
| Schiocco--Support Board | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Schiocco Support Board allows PHP Local File Inclusion. This issue affects Support Board: from n/a through 3.8.0. | 2025-08-20 | 8.1 | CVE-2025-54031 |
| Schiocco--Support Board | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Schiocco Support Board allows Reflected XSS. This issue affects Support Board: from n/a through 3.8.0. | 2025-08-20 | 7.1 | CVE-2025-54027 |
| Schneider Electric--EcoStruxure Power Monitoring Expert (PME) | CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker sends a specially crafted document to a vulnerable endpoint. | 2025-08-20 | 7.5 | CVE-2025-54924 |
| Schneider Electric--EcoStruxure Power Monitoring Expert (PME) | CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthorized access to sensitive data when an attacker configures the application to access a malicious url. | 2025-08-20 | 7.5 | CVE-2025-54925 |
| Schneider Electric--EcoStruxure Power Monitoring Expert (PME) | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause remote code execution when an authenticated attacker with admin privileges uploads a malicious file over HTTP which then gets executed. | 2025-08-20 | 7.2 | CVE-2025-54926 |
| Schneider Electric--Modicon M340 | CWE-20: Improper Input Validation vulnerability exists that could cause a Denial Of Service when specific crafted FTP command is sent to the device. | 2025-08-18 | 7.5 | CVE-2025-6625 |
| Schneider Electric--SESU | CWE-59: Improper Link Resolution Before File Access ('Link Following') vulnerability exists that could cause arbitrary data to be written to protected locations, potentially leading to escalation of privilege, arbitrary file corruption, exposure of application and system information or persistent denial of service when a low-privileged attacker tampers with the installation folder. | 2025-08-18 | 7.3 | CVE-2025-5296 |
| shaarli--Shaarli | Shaarli is a minimalist bookmark manager and link sharing service. Prior to 0.15.0, the input string in the cloud tag page is not properly sanitized. This allows the </title> tag to be prematurely closed, leading to a reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability is fixed in 0.15.0. | 2025-08-18 | 7.1 | CVE-2025-55291 |
| simplercheckout--Simpler Checkout | The Simpler Checkout plugin for WordPress is vulnerable to Authentication Bypass in versions 0.7.0 to 1.1.9. This is due to the plugin not properly verifying a user's identity prior to logging them in as an admin through the simplerwc_woocommerce_order_created() function. This makes it possible for unauthenticated attackers to log in as other users based on their order ID, which can be an administrator if a site admin has placed a test order. | 2025-08-23 | 9.8 | CVE-2025-7642 |
| skatox--JS Archive List | The JS Archive List plugin for WordPress is vulnerable to time-based SQL Injection via the build_sql_where() function in all versions up to, and including, 6.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-08-19 | 7.5 | CVE-2025-7670 |
| skygroup--Druco | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Druco allows Reflected XSS. This issue affects Druco: from n/a through 1.5.2. | 2025-08-20 | 7.1 | CVE-2025-54055 |
| skygroup--UpStore | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup UpStore allows Reflected XSS. This issue affects UpStore: from n/a through 1.7.0. | 2025-08-20 | 7.1 | CVE-2025-48296 |
| Softing Industrial Automation GmbH--OPC UA C++ SDK | A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication. | 2025-08-21 | 9.1 | CVE-2025-7390 |
| SourceCodester--Online Bank Management System | A weakness has been identified in SourceCodester Online Bank Management System 1.0. Impacted is an unknown function of the file /bank/show.php. Executing manipulation of the argument ID can lead to sql injection. The attack may be performed from a remote location. The exploit has been made available to the public and could be exploited. | 2025-08-21 | 7.3 | CVE-2025-9304 |
| SourceCodester--Online Bank Management System | A security vulnerability has been detected in SourceCodester Online Bank Management System 1.0. The affected element is an unknown function of the file /bank/mnotice.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | 2025-08-21 | 7.3 | CVE-2025-9305 |
| StoreKeeper B.V.--StoreKeeper for WooCommerce | Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. StoreKeeper for WooCommerce allows Using Malicious Files. This issue affects StoreKeeper for WooCommerce: from n/a through 14.4.4. | 2025-08-20 | 10 | CVE-2025-48148 |
| Surbowl--dormitory-management-php | A vulnerability was identified in Surbowl dormitory-management-php up to 9f1d9d1f528cabffc66fda3652c56ff327fda317. Affected is an unknown function of the file /admin/violation_add.php?id=2. Such manipulation of the argument ID leads to sql injection. The attack may be performed from a remote location. The exploit is publicly available and might be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-19 | 7.3 | CVE-2025-9150 |
| Swatadru--Exam-Seating-Arrangement | A vulnerability was determined in Swatadru Exam-Seating-Arrangement up to 97335ccebf95468d92525f4255a2241d2b0b002f. Affected is an unknown function of the file /student.php of the component Student Login. Executing manipulation of the argument email can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 7.3 | CVE-2025-9238 |
| Tenda--AC6 V5.0 | An authentication bypass vulnerability exists in the HTTP authentication functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted HTTP request can lead to arbitrary code execution. An attacker can send packets to trigger this vulnerability. | 2025-08-20 | 9.8 | CVE-2025-27129 |
| Tenda--AC6 V5.0 | An unsafe default authentication vulnerability exists in the Initial Setup Authentication functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted network request can lead to arbitrary code execution. An attacker can browse to the device to trigger this vulnerability. | 2025-08-20 | 8.1 | CVE-2025-24322 |
| Tenda--AC6 V5.0 | A denial of service vulnerability exists in the HTTP Header Parsing functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted series of HTTP requests can lead to a reboot. An attacker can send multiple network packets to trigger this vulnerability. | 2025-08-20 | 8.6 | CVE-2025-30256 |
| Tenda--AC6 V5.0 | A stack-based buffer overflow vulnerability exists in the Cloud API functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted HTTP response can lead to arbitrary code execution. An attacker can send an HTTP response to trigger this vulnerability. | 2025-08-20 | 8.1 | CVE-2025-32010 |
| Tenda--AC6 V5.0 | An information disclosure vulnerability exists in the /goform/getproductInfo functionality of Tenda AC6 V5.0 V02.03.01.110. Specially crafted network packets can lead to a disclosure of sensitive information. An attacker can send packets to trigger this vulnerability. | 2025-08-20 | 7.5 | CVE-2025-24496 |
| Tenda--AC6 V5.0 | A firmware update vulnerability exists in the Firmware Signature Validation functionality of Tenda AC6 V5.0 V02.03.01.110. A specially crafted malicious file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability. | 2025-08-20 | 7.2 | CVE-2025-31355 |
| Tenda--i22 | A vulnerability was detected in Tenda i22 1.0.0.3(4687). This impacts the function formWeixinAuthInfoGet of the file /goform/wxportalauth. Performing manipulation of the argument Type results in stack-based buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used. | 2025-08-21 | 8.8 | CVE-2025-9297 |
| Tenda--M3 | A flaw has been found in Tenda M3 1.0.0.12. Affected is the function formQuickIndex of the file /goform/QuickIndex. Executing manipulation of the argument PPPOEPassword can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been published and may be used. | 2025-08-21 | 8.8 | CVE-2025-9298 |
| Tenda--M3 | A vulnerability has been found in Tenda M3 1.0.0.12. Affected by this vulnerability is the function formGetMasterPassengerAnalyseData of the file /goform/getMasterPassengerAnalyseData. The manipulation of the argument Time leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-21 | 8.8 | CVE-2025-9299 |
| thehp--Global DNS | Improper Control of Generation of Code ('Code Injection') vulnerability in thehp Global DNS allows Remote Code Inclusion. This issue affects Global DNS: from n/a through 3.1.0. | 2025-08-20 | 10 | CVE-2025-53577 |
| thembay--Cena Store | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Cena Store allows PHP Local File Inclusion. This issue affects Cena Store: from n/a through 2.11.26. | 2025-08-20 | 8.1 | CVE-2025-48171 |
| Themeisle--Otter - Gutenberg Block | Insertion of Sensitive Information Into Sent Data vulnerability in Themeisle Otter - Gutenberg Block allows Retrieve Embedded Sensitive Data. This issue affects Otter - Gutenberg Block: from n/a through 3.1.0. | 2025-08-20 | 7.5 | CVE-2025-55715 |
| themeisle--Redirection for Contact Form 7 | The Redirection for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_associated_files function in all versions up to, and including, 3.2.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-08-20 | 8.8 | CVE-2025-8141 |
| themeisle--Redirection for Contact Form 7 | The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the get_lead_fields function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in a Contact Form 7 plugin allows attackers to delete arbitrary files. Additionally, in certain server configurations, Remote Code Execution is possible | 2025-08-20 | 8.8 | CVE-2025-8145 |
| themeisle--Redirection for Contact Form 7 | The Redirection for Contact Form 7 plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.2.4 via deserialization of untrusted input in the delete_associated_files function. This makes it possible for unauthenticated attackers to inject a PHP Object. This vulnerability may be exploited by unauthenticated attackers when a form is present on the site with a file upload action, and doesn't affect sites with PHP version > 8. This vulnerability also requires the 'Redirection For Contact Form 7 Extension - Create Post' extension to be installed and activated in order to be exploited. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. We confirmed there is a usable gadget in Contact Form 7 plugin that makes arbitrary file deletion possible when installed with this plugin. Given Contact Form 7 is a requirement of this plugin, it is likely that any site with this plugin and the 'Redirection For Contact Form 7 Extension - Create Post' extension enabled is vulnerable to arbitrary file deletion. | 2025-08-20 | 7.5 | CVE-2025-8289 |
| ThemeMakers--ThemeMakers Visual Content Composer | Deserialization of Untrusted Data vulnerability in ThemeMakers ThemeMakers Visual Content Composer allows Object Injection. This issue affects ThemeMakers Visual Content Composer: from n/a through 1.5.8. | 2025-08-20 | 9.8 | CVE-2025-53299 |
| ThimPress--WP Pipes | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress WP Pipes allows Reflected XSS. This issue affects WP Pipes: from n/a through 1.4.3. | 2025-08-20 | 7.1 | CVE-2025-28977 |
| ThinkInAIXYZ--deepchat | DeepChat is a smart assistant that connects powerful AI to your personal world. DeepChat before 0.3.1 has a one-click remote code execution vulnerability. An attacker can exploit this vulnerability by embedding a specially crafted deepchat: URL on any website, including a malicious one they control. When a victim visits such a site or clicks on the link, the browser triggers the app's custom URL handler (deepchat:), causing the DeepChat application to launch and process the URL, leading to remote code execution on the victim's machine. This vulnerability is fixed in 0.3.1. | 2025-08-19 | 9.7 | CVE-2025-55733 |
| TOTOLINK--A720R | A security flaw has been discovered in TOTOLINK A720R 4.1.5cu.630_B20250509. This issue affects the function setParentalRules of the file /cgi-bin/cstecgi.cgi. Performing manipulation of the argument desc results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. | 2025-08-21 | 8.8 | CVE-2025-9303 |
| Tribulant Software--Newsletters | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Tribulant Software Newsletters allows PHP Local File Inclusion. This issue affects Newsletters: from n/a through 4.10. | 2025-08-20 | 7.5 | CVE-2025-54034 |
| Uniong--WebITR | WebITR developed by Uniong has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to log into the system as arbitrary users by exploiting a specific functionality. | 2025-08-22 | 9.8 | CVE-2025-9254 |
| Uniong--WebITR | WebITR developed by Uniong has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-08-22 | 7.5 | CVE-2025-9255 |
| Unisoc (Shanghai) Technologies Co., Ltd.--SL8521E/SL8521ET/ SL8541E/UIS8141E/UWS6137/UWS6137E/UWS6151(E)/UWS6152 | In vowifi service, there is a possible command injection due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed. | 2025-08-18 | 9.8 | CVE-2025-31715 |
| Unisoc (Shanghai) Technologies Co., Ltd.--SL8521E/SL8521ET/ SL8541E/UIS8141E/UWS6137/UWS6137E/UWS6151(E)/UWS6152 | In engineer mode service, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. | 2025-08-18 | 8.4 | CVE-2025-31713 |
| unopim--unopim | UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. In versions 0.3.0 and earlier, users without the Delete privilege for products are unable to delete individual products via the standard endpoint, as expected. However, these users can bypass intended access controls by issuing requests to the mass-delete endpoint, allowing them to delete products without proper authorization. This vulnerability allows unauthorized product deletion, leading to potential data loss and business disruption. The issue is fixed in version 0.3.1. No known workarounds exist. | 2025-08-22 | 8.1 | CVE-2025-55741 |
| unopim--unopim | UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, UnoPim contains a stored cross-site scripting vulnerability via SVG MIME/sanitizer bypass in the /admin/settings/users/create endpoint. This vulnerability is fixed in 0.2.1. | 2025-08-21 | 8 | CVE-2025-55742 |
| vcita--Online Booking & Scheduling Calendar for WordPress by vcita | Unrestricted Upload of File with Dangerous Type vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Using Malicious Files. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.3. | 2025-08-20 | 9.1 | CVE-2025-54677 |
| vllm-project--vllm | vLLM is an inference and serving engine for large language models (LLMs). From 0.1.0 to before 0.10.1.1, a Denial of Service (DoS) vulnerability can be triggered by sending a single HTTP GET request with an extremely large header to an HTTP endpoint. This results in server memory exhaustion, potentially leading to a crash or unresponsiveness. The attack does not require authentication, making it exploitable by any remote user. This vulnerability is fixed in 0.10.1.1. | 2025-08-21 | 7.5 | CVE-2025-48956 |
| WebCodingPlace--Real Estate Manager Pro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace Real Estate Manager Pro allows Reflected XSS. This issue affects Real Estate Manager Pro: from n/a through 12.7.3. | 2025-08-20 | 7.1 | CVE-2025-54032 |
| Wiesemann & Theis--Motherbox 3 | An unauthenticated remote attacker can get access without password protection to the affected device. This enables the unprotected read-only access to the stored measurement data. | 2025-08-19 | 7.5 | CVE-2025-41689 |
| WP Travel--WP Travel Gutenberg Blocks | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Travel WP Travel Gutenberg Blocks allows PHP Local File Inclusion. This issue affects WP Travel Gutenberg Blocks: from n/a through 3.9.0. | 2025-08-20 | 8.1 | CVE-2025-53207 |
| wptobe--Wptobe-memberships | The Wptobe-memberships plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the del_img_ajax_call() function in all versions up to, and including, 3.4.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-08-23 | 8.1 | CVE-2025-9048 |
| wpzoom--Inspiro | The Inspiro theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.2. This is due to missing or incorrect nonce validation on the inspiro_install_plugin() function. This makes it possible for unauthenticated attackers to install plugins from the repository via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-21 | 8.1 | CVE-2025-8592 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 1&1 Mail & Media--mail.com App | A security vulnerability has been detected in 1&1 Mail & Media mail.com App 8.8.0 on Android. Affected is an unknown function of the file AndroidManifest.xml of the component com.mail.mobile.android.mail. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-18 | 5.3 | CVE-2025-9102 |
| Acrel--Environmental Monitoring Cloud Platform | A vulnerability was identified in Acrel Environmental Monitoring Cloud Platform up to 20250804. This affects an unknown part of the file /NewsManage/UploadNewsImg. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-18 | 6.3 | CVE-2025-9099 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-08-20 | 5.4 | CVE-2025-46849 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-08-20 | 5.4 | CVE-2025-46852 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. A low privileged attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page. | 2025-08-20 | 5.4 | CVE-2025-46856 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-08-20 | 5.4 | CVE-2025-46932 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-08-20 | 5.4 | CVE-2025-46936 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-08-20 | 5.4 | CVE-2025-46962 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-08-20 | 5.4 | CVE-2025-46998 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. A low privileged attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page. | 2025-08-20 | 5.4 | CVE-2025-47054 |
| Adrian Tobey--Groundhogg | Deserialization of Untrusted Data vulnerability in Adrian Tobey Groundhogg allows Object Injection. This issue affects Groundhogg: from n/a through 4.2.2. | 2025-08-20 | 6.6 | CVE-2025-54053 |
| Aelora--iframe Wrapper | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aelora iframe Wrapper allows DOM-Based XSS. This issue affects iframe Wrapper: from n/a through 0.1.1. | 2025-08-20 | 6.5 | CVE-2025-49422 |
| AfterShip--Package Tracker App | A security vulnerability has been detected in AfterShip Package Tracker App up to 5.24.1 on Android. The affected element is an unknown function of the file AndroidManifest.xml of the component com.aftership.AfterShip. The manipulation leads to improper export of android application components. The attack must be carried out locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure and replied: "After reviewing your report, we have confirmed that this vulnerability does indeed exist and we are actively working to fix it." | 2025-08-19 | 5.3 | CVE-2025-9134 |
| aicwebtech--Bible SuperSearch | The Bible SuperSearch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'selector_height' parameter in all versions up to, and including, 6.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-21 | 6.4 | CVE-2025-8064 |
| amans2k--SlingBlocks Gutenberg Blocks by FunnelKit (Formerly WooFunnels) | The SlingBlocks - Gutenberg Blocks by FunnelKit (Formerly WooFunnels) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown block's attributes in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-21 | 6.4 | CVE-2025-8607 |
| andy_moyle--Church Admin | Missing Authorization vulnerability in andy_moyle Church Admin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Church Admin: from n/a through 5.0.26. | 2025-08-22 | 5.3 | CVE-2025-57896 |
| Anipaleja--nginx-defender | nginx-defender is a high-performance, enterprise-grade Web Application Firewall (WAF) and threat detection system engineered for modern web infrastructure. This is a configuration vulnerability affecting nginx-defender deployments. Example configuration files config.yaml and docker-compose.yml contain default credentials (default_password: "change_me_please", GF_SECURITY_ADMIN_PASSWORD=admin123). If users deploy nginx-defender without changing these defaults, attackers with network access could gain administrative control, bypassing security protections. The issue is addressed in v1.5.0 and later. | 2025-08-19 | 6.5 | CVE-2025-55740 |
| anzia--Ni WooCommerce Customer Product Report | The Ni WooCommerce Customer Product Report plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ni_woocpr_action() function in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin settings. | 2025-08-23 | 4.3 | CVE-2025-7827 |
| appneta--tcpreplay | A vulnerability was determined in appneta tcpreplay up to 4.5.2-beta2. The impacted element is the function untrunc_packet of the file src/tcpedit/edit_packet.c of the component tcprewrite. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been publicly disclosed and may be utilized. This patch is called 73008f261f1cdf7a1087dc8759115242696d35da. Applying a patch is advised to resolve this issue. | 2025-08-19 | 5.3 | CVE-2025-9157 |
| appneta--tcpreplay | A flaw has been found in appneta tcpreplay up to 4.5.1. The affected element is the function fix_ipv6_checksums of the file edit_packet.c of the component tcprewrite. This manipulation causes use after free. The attack is restricted to local execution. The exploit has been published and may be used. Upgrading to version 4.5.2-beta3 is sufficient to fix this issue. It is advisable to upgrade the affected component. | 2025-08-24 | 5.3 | CVE-2025-9385 |
| appneta--tcpreplay | A vulnerability has been found in appneta tcpreplay up to 4.5.1. The impacted element is the function get_l2len_protocol of the file get.c of the component tcprewrite. Such manipulation leads to use after free. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. Upgrading to version 4.5.2-beta3 is sufficient to resolve this issue. You should upgrade the affected component. | 2025-08-24 | 5.3 | CVE-2025-9386 |
| AVEVA--PI Integrator | The vulnerability, if exploited, could allow an authenticated miscreant (with privileges to access publication targets) to retrieve sensitive information that could then be used to gain additional access to downstream resources. | 2025-08-21 | 6.5 | CVE-2025-41415 |
| badasswp--Pending Order Bot | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in badasswp Pending Order Bot allows Stored XSS. This issue affects Pending Order Bot: from n/a through 1.0.2. | 2025-08-20 | 5.9 | CVE-2025-49892 |
| Bearsthemes--Alone | Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Code Injection. This issue affects Alone: from n/a through n/a. | 2025-08-20 | 6.5 | CVE-2025-54019 |
| Bjskzy--Zhiyou ERP | A weakness has been identified in Bjskzy Zhiyou ERP up to 11.0. Affected by this issue is the function getFieldValue of the component com.artery.workflow.ServiceImpl. This manipulation of the argument sql causes sql injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-24 | 6.3 | CVE-2025-9391 |
| brewlabs--SensorPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brewlabs SensorPress allows Stored XSS. This issue affects SensorPress: from n/a through 1.0. | 2025-08-20 | 5.9 | CVE-2025-49409 |
| Cisco--Cisco Duo Authentication Proxy | A vulnerability in the debug logging function of Cisco Duo Authentication Proxy could allow an authenticated, high-privileged, remote attacker to view sensitive information in a system log file. This vulnerability is due to insufficient masking of sensitive information before it is written to system log files. An attacker could exploit this vulnerability by accessing logs on an affected system. A successful exploit could allow the attacker to view sensitive information that should be restricted. | 2025-08-20 | 4.9 | CVE-2025-20345 |
| Cisco--Cisco Evolved Programmable Network Manager (EPNM) | A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an authenticated, low-privileged, remote attacker to retrieve arbitrary files from the underlying file system on an affected device. This vulnerability is due to insufficient input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to the web-based management interface on an affected device. A successful exploit could allow the attacker to access sensitive files from the affected device. | 2025-08-20 | 6.5 | CVE-2025-20269 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the GUI of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker with administrative privileges to upload files to an affected device. This vulnerability is due to improper validation of the file copy function. An attacker could exploit this vulnerability by sending a crafted file upload using the Cisco ISE GUI. A successful exploit could allow the attacker to upload arbitrary files to an affected system. | 2025-08-20 | 4.9 | CVE-2025-20131 |
| CodePhiliaX--Chat2DB | A vulnerability was found in CodePhiliaX Chat2DB up to 0.3.7. This affects an unknown function of the file ai/chat2db/server/web/api/controller/data/source/DataSourceController.java of the component JDBC Connection Handler. The manipulation results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-19 | 6.3 | CVE-2025-9148 |
| Crocoblock--JetBlocks For Elementor | Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetBlocks For Elementor allows Retrieve Embedded Sensitive Data. This issue affects JetBlocks For Elementor: from n/a through 1.3.18. | 2025-08-20 | 6.5 | CVE-2025-53988 |
| Crocoblock--JetElements For Elementor | Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetElements For Elementor allows Retrieve Embedded Sensitive Data. This issue affects JetElements For Elementor: from n/a through 2.7.7. | 2025-08-20 | 6.5 | CVE-2025-53983 |
| Crocoblock--JetEngine | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine allows Stored XSS. This issue affects JetEngine: from n/a through 3.7.0. | 2025-08-20 | 6.5 | CVE-2025-53195 |
| Crocoblock--JetEngine | Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetEngine allows Retrieve Embedded Sensitive Data. This issue affects JetEngine: from n/a through 3.7.0. | 2025-08-20 | 6.5 | CVE-2025-53196 |
| Crocoblock--JetMenu | Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetMenu allows Retrieve Embedded Sensitive Data. This issue affects JetMenu: from n/a through 2.4.11.1. | 2025-08-20 | 6.5 | CVE-2025-53987 |
| Crocoblock--JetPopup | Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetPopup allows Retrieve Embedded Sensitive Data. This issue affects JetPopup: from n/a through 2.0.15. | 2025-08-20 | 6.5 | CVE-2025-53993 |
| Crocoblock--JetSmartFilters | Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetSmartFilters allows Retrieve Embedded Sensitive Data. This issue affects JetSmartFilters: from n/a through 3.6.7. | 2025-08-20 | 6.5 | CVE-2025-54008 |
| Crocoblock--JetTabs | Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetTabs allows Retrieve Embedded Sensitive Data. This issue affects JetTabs: from n/a through 2.2.9. | 2025-08-20 | 6.5 | CVE-2025-53985 |
| Crocoblock--JetTricks | Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetTricks allows Retrieve Embedded Sensitive Data. This issue affects JetTricks: from n/a through 1.5.4.1. | 2025-08-20 | 6.5 | CVE-2025-53992 |
| Crocoblock--JetWooBuilder | Insertion of Sensitive Information Into Sent Data vulnerability in Crocoblock JetWooBuilder allows Retrieve Embedded Sensitive Data. This issue affects JetWooBuilder: from n/a through 2.1.20. | 2025-08-20 | 6.5 | CVE-2025-53998 |
| DCN--DCME-720 | A vulnerability was found in DCN DCME-720 9.1.5.11. This affects an unknown function of the file /usr/local/www/function/audit/newstatistics/ip_block.php of the component Web Management Backend. Performing manipulation of the argument ip results in os command injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. Other products might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-24 | 6.3 | CVE-2025-9387 |
| Dell--iDRAC Service Module (iSM) | Dell iDRAC Service Module (iSM), versions prior to 6.0.3.0, contains an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution. | 2025-08-21 | 5.3 | CVE-2025-38742 |
| dglingren--Media Library Assistant | The Media Library Assistant plugin for WordPress is vulnerable to arbitrary file deletion in the /wp-content/uploads directory due to insufficient file path validation and user capability checking in the _process_mla_download_file function in all versions up to, and including, 3.27. This makes it possible for authenticated attackers, with Author-level access and above, to delete arbitrary files on the server from the /wp-content/uploads/ directory. | 2025-08-19 | 4.3 | CVE-2025-8357 |
| diego.benna--Essential Doo Components for Visual Composer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in diego.benna Essential Doo Components for Visual Composer allows DOM-Based XSS. This issue affects Essential Doo Components for Visual Composer: from n/a through 1.9. | 2025-08-20 | 6.5 | CVE-2025-49424 |
| Dourou--Cookie Warning | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dourou Cookie Warning allows Stored XSS. This issue affects Cookie Warning: from n/a through 1.3. | 2025-08-20 | 5.9 | CVE-2025-49428 |
| Dourou--Cookie Warning | Cross-Site Request Forgery (CSRF) vulnerability in Dourou Cookie Warning allows Cross Site Request Forgery. This issue affects Cookie Warning: from n/a through 1.3. | 2025-08-20 | 4.3 | CVE-2025-49426 |
| Elliot Sowersby / RelyWP--Coupon Affiliates | Missing Authorization vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Coupon Affiliates: from n/a through 6.4.0. | 2025-08-20 | 6.5 | CVE-2025-54025 |
| Elseplus--File Recovery App | A vulnerability was determined in Elseplus File Recovery App 4.4.21 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-18 | 5.3 | CVE-2025-9098 |
| elunez--eladmin | A weakness has been identified in elunez eladmin up to 2.7. This affects the function exportUser. This manipulation causes csv injection. The attack may be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-08-20 | 6.3 | CVE-2025-9241 |
| elunez--eladmin | A security flaw has been discovered in elunez eladmin up to 2.7. Affected by this issue is some unknown functionality of the file /auth/info. The manipulation results in information disclosure. The attack can be launched remotely. The exploit has been released to the public and may be exploited. | 2025-08-20 | 4.3 | CVE-2025-9240 |
| Epsiloncool--WP Fast Total Search | Cross-Site Request Forgery (CSRF) vulnerability in Epsiloncool WP Fast Total Search allows Cross Site Request Forgery. This issue affects WP Fast Total Search: from n/a through 1.79.270. | 2025-08-22 | 4.3 | CVE-2025-57893 |
| Equalize Digital--Accessibility Checker by Equalize Digital | Authorization Bypass Through User-Controlled Key vulnerability in Equalize Digital Accessibility Checker by Equalize Digital allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility Checker by Equalize Digital: from n/a through 1.30.0. | 2025-08-22 | 5.4 | CVE-2025-57886 |
| Esri--Portal for ArcGIS Enterprise Experience Sites | There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 - 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | 2025-08-21 | 4.8 | CVE-2025-55105 |
| Esri--Portal for ArcGIS Enterprise Sites | There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 - 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | 2025-08-21 | 4.8 | CVE-2025-55103 |
| Esri--Portal for ArcGIS Enterprise Sites | A stored cross-site scripting (XSS) vulnerability exists ArcGIS HUB and ArcGIS Enterprise Sites which allows an authenticated user with the ability to create or edit a site to add and store an XSS payload. If this stored XSS payload is triggered by any user attacker supplied JavaScript may execute in the victim's browser. | 2025-08-21 | 4.8 | CVE-2025-55104 |
| Esri--Portal for ArcGIS Enterprise Sites | There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 - 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | 2025-08-21 | 4.8 | CVE-2025-55106 |
| Esri--Portal for ArcGIS Enterprise Sites | There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 - 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal. | 2025-08-21 | 4.8 | CVE-2025-55107 |
| Euro Information--CIC banque et compte en ligne App | A vulnerability was found in Euro Information CIC banque et compte en ligne App 12.56.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.cic_prod.bad. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-18 | 5.3 | CVE-2025-9097 |
| evigeo--WP Filter & Combine RSS Feeds | The WP Filter & Combine RSS Feeds plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the post_listing_page() function in all versions up to, and including, 0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete feeds. | 2025-08-23 | 4.3 | CVE-2025-7828 |
| favethemes--Houzez | Missing Authorization vulnerability in favethemes Houzez allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Houzez: from n/a through 4.1.1. | 2025-08-20 | 5.3 | CVE-2025-49406 |
| Fetch Designs--Sign-up Sheets | Cross-Site Request Forgery (CSRF) vulnerability in Fetch Designs Sign-up Sheets allows Cross Site Request Forgery. This issue affects Sign-up Sheets: from n/a through 2.3.3. | 2025-08-20 | 4.3 | CVE-2025-49391 |
| FNKvision--Y215 CCTV Camera | A weakness has been identified in FNKvision Y215 CCTV Camera 10.194.120.40. This vulnerability affects unknown code of the file s1_rf_test_config of the component Telnet Sevice. Executing manipulation can lead to backdoor. The physical device can be targeted for the attack. This attack is characterized by high complexity. It is stated that the exploitability is difficult. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-24 | 6.4 | CVE-2025-9382 |
| FUJIFILM Healthcare Americas Corporation--Synapse Mobility | Synapse Mobility 8.0, 8.0.1, 8.0.2, 8.1, and 8.1.1 contain a privilege escalation vulnerability through external control of Web parameter. If exploited, a user of the product may escalate the privilege and access data that the user do not have permission to view by altering the parameters of the search function. | 2025-08-20 | 4.3 | CVE-2025-54551 |
| givanz--Vvveb | A weakness has been identified in givanz Vvveb up to 1.0.7.2. Affected is an unknown function of the file /system/traits/media.php. Executing manipulation of the argument files[] can lead to unrestricted upload. The attack can be launched remotely. The exploit has been made available to the public and could be exploited. Applying a patch is advised to resolve this issue. The code maintainer explains, that "[he] fixed the code to remove this vulnerability and will make a new release". | 2025-08-24 | 6.3 | CVE-2025-9397 |
| givewp--GiveWP Donation Plugin and Fundraising Platform | The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the give_update_payment_status() function in all versions up to, and including, 4.5.0. This makes it possible for authenticated attackers, with GiveWP Worker-level access and above, to update donations statuses. This ability is not present in the user interface. | 2025-08-21 | 4.3 | CVE-2025-7221 |
| Google--AngularJS | A regular expression used by AngularJS' linky https://docs.angularjs.org/api/ngSanitize/filter/linky filter to detect URLs in input text is vulnerable to super-linear runtime due to backtracking. With a large carefully-crafted input, this can cause a Regular expression Denial of Service (ReDoS) https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS attack on the application. This issue affects all versions of AngularJS. Note: The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status . | 2025-08-19 | 4.3 | CVE-2025-4690 |
| HCL Software--Digital Experience | HCL Digital Experience is susceptible to cross site scripting (XSS) in an administrative UI with restricted access. | 2025-08-19 | 4.9 | CVE-2025-31988 |
| Hossni Mubarak--JobWP | Cross-Site Request Forgery (CSRF) vulnerability in Hossni Mubarak JobWP allows Cross Site Request Forgery. This issue affects JobWP: from n/a through 2.4.3. | 2025-08-22 | 4.3 | CVE-2025-57895 |
| IBM--Concert Software | IBM Concert Software 1.0.0 through 1.1.0 contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | 2025-08-18 | 6.2 | CVE-2025-33100 |
| IBM--Concert Software | IBM Concert Software 1.0.0 through 1.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. | 2025-08-18 | 5.9 | CVE-2025-1759 |
| IBM--Concert Software | IBM Concert Software 1.0.0 through 1.1.0 uses cross-origin resource sharing (CORS) which could allow an attacker to carry out privileged actions as the domain name is not being limited to only trusted domains. | 2025-08-18 | 5.4 | CVE-2025-27909 |
| IBM--Edge Application Manager | IBM Edge Application Manager 4.5 could allow a local user to read or modify resources that they should not have authorization to access due to incorrect permission assignment. | 2025-08-20 | 6.1 | CVE-2025-1139 |
| IBM--Edge Application Manager | IBM Edge Application Manager 4.5 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | 2025-08-20 | 5.4 | CVE-2025-1142 |
| IBM--QRadar SIEM | IBM QRadar SIEM 7.5 through 7.5.0 Dashboard is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-08-22 | 5.4 | CVE-2025-36042 |
| IBM--QRadar SOAR Plugin App | IBM QRadar SOAR Plugin App 1.0.0 through 5.6.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system. | 2025-08-20 | 6.5 | CVE-2025-36114 |
| IBM--Sterling B2B Integrator | IBM Sterling B2B Integrator 6.2.1.0 and IBM Sterling File Gateway 6.2.1.0 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-08-19 | 5.4 | CVE-2025-33008 |
| imaprogrammer--Custom Comment | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in imaprogrammer Custom Comment allows Stored XSS. This issue affects Custom Comment: from n/a through 2.1.6. | 2025-08-20 | 5.9 | CVE-2025-49889 |
| Imran Emu--TC Testimonials | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC Testimonials allows Stored XSS. This issue affects TC Testimonials: from n/a through 1.1.1. | 2025-08-20 | 6.5 | CVE-2025-49410 |
| Infility--Infility Global | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Infility Infility Global allows Path Traversal. This issue affects Infility Global: from n/a through 2.14.7. | 2025-08-20 | 6.5 | CVE-2025-47650 |
| INFINITT Healthcare--INFINITT PACS System Manager | An attacker could exploit this vulnerability by uploading arbitrary files via a specific service, which could lead to system compromise. | 2025-08-21 | 6.3 | CVE-2025-24489 |
| INFINITT Healthcare--INFINITT PACS System Manager | An attacker could exploit this vulnerability by uploading arbitrary files via the a specific endpoint, leading to unauthorized remote code execution or system compromise. | 2025-08-21 | 6.3 | CVE-2025-27714 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability was detected in itsourcecode Online Tour and Travel Management System 1.0. This vulnerability affects unknown code of the file /admin/operations/travellers.php. The manipulation of the argument photo results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used. | 2025-08-19 | 6.3 | CVE-2025-9153 |
| Jeff Starr--Simple Statistics for Feeds | Cross-Site Request Forgery (CSRF) vulnerability in Jeff Starr Simple Statistics for Feeds allows Cross Site Request Forgery. This issue affects Simple Statistics for Feeds: from n/a through 20250322. | 2025-08-22 | 4.3 | CVE-2025-57892 |
| JetBrains--IntelliJ IDEA | In JetBrains IntelliJ IDEA before 2025.2 improper access control allowed Code With Me guest to discover hidden files | 2025-08-20 | 6.5 | CVE-2025-57728 |
| JetBrains--IntelliJ IDEA | In JetBrains IntelliJ IDEA before 2025.2 unexpected plugin startup was possible due to automatic LSP server start | 2025-08-20 | 6.5 | CVE-2025-57729 |
| JetBrains--IntelliJ IDEA | In JetBrains IntelliJ IDEA before 2025.2 hTML injection was possible via Remote Development feature | 2025-08-20 | 5.2 | CVE-2025-57730 |
| JetBrains--IntelliJ IDEA | In JetBrains IntelliJ IDEA before 2025.2 credentials disclosure was possible via remote reference | 2025-08-20 | 4.7 | CVE-2025-57727 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07.1 sMTP injection was possible allowing modification of email content | 2025-08-20 | 5.5 | CVE-2025-57733 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07.1 aWS credentials were exposed in Docker script files | 2025-08-20 | 4.3 | CVE-2025-57734 |
| johnbillion--WP Crontrol | The WP Crontrol plugin for WordPress is vulnerable to Server-Side Request Forgery in versions 1.17.0 to 1.19.1 via the 'wp_remote_request' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-08-22 | 6.5 | CVE-2025-8678 |
| Jorge Garcia de Bustos--AWStats Script | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jorge Garcia de Bustos AWStats Script allows Stored XSS. This issue affects AWStats Script: from n/a through 0.3. | 2025-08-20 | 5.9 | CVE-2025-49890 |
| kleor--Contact Manager | The Contact Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 8.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-08-19 | 4.4 | CVE-2025-8783 |
| LabRedesCefetRJ--WeGIA | WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the cargos.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_e parameter. This vulnerability is fixed in 3.4.7. | 2025-08-21 | 6.5 | CVE-2025-57764 |
| LabRedesCefetRJ--WeGIA | WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in the pre_cadastro_adotante.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the msg_e parameter. This vulnerability is fixed in 3.4.7. | 2025-08-21 | 6.5 | CVE-2025-57765 |
| Lenovo--510 FHD Webcam | A potential vulnerability was reported in the Lenovo 510 FHD and Performance FHD web cameras that could allow an attacker with physical access to write arbitrary firmware updates to the device over a USB connection. | 2025-08-18 | 6.8 | CVE-2025-4371 |
| librenms--librenms | librenms is a community-based GPL-licensed network monitoring system. A stored Cross-Site Scripting (XSS) vulnerability exists in LibreNMS (<= 25.6.0) in the Alert Template creation feature. This allows a user with the admin role to inject malicious JavaScript, which will be executed when the template is rendered, potentially compromising other admin accounts. This vulnerability is fixed in 25.8.0. | 2025-08-18 | 5.5 | CVE-2025-55296 |
| libretro--RetroArch | A flaw has been found in libretro RetroArch 1.18.0/1.19.0/1.20.0. This affects the function filestream_vscanf of the file libretro-common/streams/file_stream.c. This manipulation causes out-of-bounds read. The attack needs to be launched locally. Upgrading to version 1.21.0 mitigates this issue. It is recommended to upgrade the affected component. | 2025-08-19 | 5.3 | CVE-2025-9136 |
| Linksys--E5600 | A flaw has been found in Linksys E5600 1.1.0.26. The affected element is the function verify_gemtek_header of the file checkFw.sh of the component Firmware Handler. Executing manipulation can lead to risky cryptographic algorithm. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is described as difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-19 | 6.6 | CVE-2025-9146 |
| Linksys--RE6250 | A security vulnerability has been detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function addStaticRoute of the file /goform/addStaticRoute. Such manipulation of the argument staticRoute_IP_setting/staticRoute_Netmask_setting/staticRoute_Gateway_setting/staticRoute_Metric_setting/staticRoute_destType_setting leads to os command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 6.3 | CVE-2025-9244 |
| Linksys--RE6250 | A flaw has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. The impacted element is the function urlFilterManageRule of the file /goform/urlFilterManageRule. Executing manipulation of the argument urlFilterRuleName/scheduleUrl/addURLFilter can lead to stack-based buffer overflow. The attack may be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-23 | 6.3 | CVE-2025-9362 |
| liseperu--Elizaibots | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in liseperu Elizaibots allows Stored XSS. This issue affects Elizaibots: from n/a through 1.0.2. | 2025-08-20 | 6.5 | CVE-2025-49893 |
| LiuYuYang01--ThriveX-Blog | A security flaw has been discovered in LiuYuYang01 ThriveX-Blog up to 3.1.7. Affected by this vulnerability is the function updateJsonValueByName of the file /web_config/json/name/web. Performing manipulation results in improper authorization. It is possible to initiate the attack remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-19 | 6.3 | CVE-2025-9151 |
| Mattermost--Mattermost | Mattermost versions 10.9.x <= 10.9.1, 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate file paths during plugin import operations which allows restricted admin users to install unauthorized custom plugins via path traversal in the import functionality, bypassing plugin signature enforcement and marketplace restrictions. | 2025-08-21 | 6.8 | CVE-2025-36530 |
| Mattermost--Mattermost | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2, 10.10.x <= 10.10.0 fail to validate upload types in remote cluster upload sessions which allows a system admin to upload non-attachment file types via shared channels that could potentially be placed in arbitrary filesystem directories. | 2025-08-21 | 6.8 | CVE-2025-49222 |
| Mattermost--Mattermost | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fails to sanitize path traversal sequences in template file destination paths, which allows a system admin to perform path traversal attacks via malicious path components, potentially enabling malicious file placement outside intended directories. | 2025-08-21 | 6.8 | CVE-2025-8023 |
| Mattermost--Mattermost | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.9.x <= 10.9.2 fail to sanitize the team invite ID in the POST /api/v4/teams/:teamId/restore endpoint which allows an team admin with no member invite privileges to get the team's invite id. | 2025-08-21 | 4.3 | CVE-2025-47870 |
| Mattermost--Mattermost | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to sanitize file names which allows users with file upload permission to overwrite file attachment thumbnails via path traversal in file streaming APIs. | 2025-08-21 | 4.3 | CVE-2025-6465 |
| Mattermost--Mattermost | Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.0, 10.9.x <= 10.9.3 fail to validate import data which allows a system admin to crash the server via the bulk import feature. | 2025-08-21 | 4.9 | CVE-2025-8402 |
| MGeurts--genealogy | Genealogy is a family tree PHP application. Prior to 4.4.0, Authenticated Reflected Cross-Site Scripting (XSS) vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user's session, leading to session hijacking, data theft, and UI manipulation. This vulnerability is fixed in 4.4.0. | 2025-08-18 | 5.5 | CVE-2025-55288 |
| Microsoft--Windows 10 Version 1809 | Improper verification of cryptographic signature in Windows Certificates allows an unauthorized attacker to perform spoofing over a network. | 2025-08-21 | 5.3 | CVE-2025-55229 |
| miniOrange--Prevent files / folders access | Path Traversal vulnerability in miniOrange Prevent files / folders access allows Path Traversal. This issue affects Prevent files / folders access: from n/a through 2.6.0. | 2025-08-20 | 6.5 | CVE-2025-53561 |
| Mobile Industrial Robots--MiR Robots | Stored cross-site scripting (XSS) in the web interface of MiR software versions prior to 3.0.0 on MiR Robots and MiR Fleet allows execution of arbitrary JavaScript code in a victim's browser | 2025-08-20 | 5.5 | CVE-2025-9225 |
| Mobile Industrial Robots--MiR Robots | Information disclosure vulnerability in error handling in MiR software prior to version 3.0.0 allows unauthenticated attackers to view detailed error information, such as file paths and other data, via access to verbose error pages. | 2025-08-20 | 5.3 | CVE-2025-9229 |
| Mobile Industrial Robots--MiR Robots | MiR software versions prior to version 3.0.0 have insufficient authorization controls when creating text notes, allowing low-privilege users to create notes which are intended only for administrative users. | 2025-08-20 | 4.3 | CVE-2025-9228 |
| n/a--Emlog Pro | A weakness has been identified in Emlog Pro up to 2.5.18. This issue affects some unknown processing of the file /admin/media.php?action=upload&sid=0. Executing manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 6.3 | CVE-2025-9173 |
| n/a--Emlog Pro | A security vulnerability has been detected in Emlog Pro up to 2.5.18. This affects an unknown function of the file /admin/blogger.php?action=update_avatar. Such manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-21 | 4.7 | CVE-2025-9296 |
| N/A--libssh | There's a vulnerability in the libssh package where when a libssh consumer passes in an unexpectedly large input buffer to ssh_get_fingerprint_hash() function. In such cases the bin_to_base64() function can experience an integer overflow leading to a memory under allocation, when that happens it's possible that the program perform out of bounds write leading to a heap corruption. This issue affects only 32-bits builds of libssh. | 2025-08-20 | 4.5 | CVE-2025-4877 |
| n/a--PoDoFo | A flaw has been found in PoDoFo 1.1.0-dev. This issue affects the function PdfTokenizer::DetermineDataType of the file src/podofo/main/PdfTokenizer.cpp of the component PDF Dictionary Parser. Executing manipulation can lead to use after free. It is possible to launch the attack on the local host. The exploit has been published and may be used. This patch is called 22d16cb142f293bf956f66a4d399cdd65576d36c. A patch should be applied to remediate this issue. | 2025-08-24 | 5.3 | CVE-2025-9394 |
| n/a--Scada-LTS | A vulnerability was determined in Scada-LTS 2.7.8.1. Affected by this vulnerability is an unknown functionality of the file /Scada-LTS/dwr/call/plaincall/WatchListDwr.init.dwr. Executing manipulation can lead to information disclosure. The attack may be performed from a remote location. The exploit has been publicly disclosed and may be utilized. The vendor explains: "[T]he risks of indicated vulnerabilities seem to be minimal as all scenarios likely require admin permissions. Moreover, regardless our team fixes those vulnerabilities - the overall risk change to the user due to malicious admin actions will not be lower." | 2025-08-19 | 4.3 | CVE-2025-9139 |
| n/a--vim | A security flaw has been discovered in vim up to 9.1.1615. Affected by this vulnerability is the function main of the file src/xxd/xxd.c of the component xxd. The manipulation results in buffer overflow. The attack requires a local approach. The exploit has been released to the public and may be exploited. Upgrading to version 9.1.1616 addresses this issue. The patch is identified as eeef7c77436a78cd27047b0f5fa6925d56de3cb0. It is recommended to upgrade the affected component. | 2025-08-24 | 5.3 | CVE-2025-9390 |
| n8n-io--n8n | n8n is a workflow automation platform. Before 1.106.0, a symlink traversal vulnerability was discovered in the Read/Write File node in n8n. While the node attempts to restrict access to sensitive directories and files, it does not properly account for symbolic links (symlinks). An attacker with the ability to create symlinks-such as by using the Execute Command node-could exploit this to bypass the intended directory restrictions and read from or write to otherwise inaccessible paths. Users of n8n.cloud are not impacted. Affected users should update to version 1.106.0 or later. | 2025-08-20 | 6.5 | CVE-2025-57749 |
| NamelessMC--Nameless | NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Sensitive information disclosure in NamelessMC before 2.2.4 allows unauthenticated remote attacker to gain sensitive information such as absolute path of the source code via list parameter. This vulnerability is fixed in 2.2.4. | 2025-08-18 | 5.3 | CVE-2025-54118 |
| neurobin--shc | A vulnerability was determined in neurobin shc up to 4.0.3. This vulnerability affects the function make of the file src/shc.c of the component Filename Handler. Executing manipulation can lead to os command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. | 2025-08-19 | 5.3 | CVE-2025-9174 |
| neurobin--shc | A vulnerability was identified in neurobin shc up to 4.0.3. This issue affects the function make of the file src/shc.c. The manipulation leads to stack-based buffer overflow. The attack can only be performed from a local environment. The exploit is publicly available and might be used. | 2025-08-19 | 5.3 | CVE-2025-9175 |
| neurobin--shc | A security flaw has been discovered in neurobin shc up to 4.0.3. Impacted is the function make of the file src/shc.c of the component Environment Variable Handler. The manipulation results in os command injection. The attack is only possible with local access. The exploit has been released to the public and may be exploited. | 2025-08-19 | 5.3 | CVE-2025-9176 |
| Noor Alam--Colorbox Lightbox | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor Alam Colorbox Lightbox allows Stored XSS. This issue affects Colorbox Lightbox: from n/a through 1.1.5. | 2025-08-20 | 6.5 | CVE-2025-49397 |
| NooTheme--Jobmonster | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster allows Stored XSS. This issue affects Jobmonster: from n/a through 4.8.0. | 2025-08-22 | 6.5 | CVE-2025-57887 |
| NooTheme--Jobmonster | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in NooTheme Jobmonster allows Retrieve Embedded Sensitive Data. This issue affects Jobmonster: from n/a through 4.8.0. | 2025-08-22 | 5.3 | CVE-2025-57888 |
| numixtech--Page Transition | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in numixtech Page Transition allows Stored XSS. This issue affects Page Transition: from n/a through 1.3. | 2025-08-20 | 5.9 | CVE-2025-49412 |
| ogulo--Ogulo 360 Tour | The Ogulo - 360° Tour plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slug' parameter in all versions up to, and including, 1.0.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-23 | 6.4 | CVE-2025-9131 |
| ollybach--WPPizza | Missing Authorization vulnerability in ollybach WPPizza allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPPizza: from n/a through 3.19.8. | 2025-08-22 | 4.3 | CVE-2025-57894 |
| OpenPrinting--ippusbxd | A stack based buffer overflow vulnerability is present in OpenPrinting ippusbxd 1.34. A specially configured printer that supports IPP-over-USB can cause a buffer overflow which can lead to a arbitrary code execution in a privileged service. To trigger the vulnerability, a malicious device would need to be connected to the vulnerable system over USB. | 2025-08-19 | 6.4 | CVE-2024-45062 |
| osama.esh--WP Visitor Statistics (Real Time Traffic) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) allows Stored XSS. This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through 8.2. | 2025-08-20 | 6.5 | CVE-2025-49400 |
| Pierre Lannoy--Sessions | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre Lannoy Sessions allows Stored XSS. This issue affects Sessions: from n/a through 3.2.0. | 2025-08-22 | 5.9 | CVE-2025-57890 |
| Pierre-Henri Lavigne--Markup Markdown | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pierre-Henri Lavigne Markup Markdown allows Stored XSS. This issue affects Markup Markdown: from n/a through 3.20.6. | 2025-08-20 | 6.5 | CVE-2025-49420 |
| pokornydavid--Restore Permanently delete Post or Page Data | The Restore Permanently delete Post or Page Data plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the rp_dpo_dpa_ajax_dp_delete_data() function. This makes it possible for unauthenticated attackers to delete data via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-23 | 4.3 | CVE-2025-7839 |
| Portabilis--i-Diario | A vulnerability has been found in Portabilis i-Diario up to 2.10. This affects an unknown function of the file /intranet/educar_tipo_usuario_lst.php of the component Tipos de usà rio Page. Such manipulation of the argument nm_tipo leads to sql injection. The attack may be performed from a remote location. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 6.3 | CVE-2025-9236 |
| Portabilis--i-Diario | A vulnerability was determined in Portabilis i-Diario up to 1.5.0. This impacts an unknown function of the file /alunos/search_autocomplete. Executing manipulation of the argument q can lead to cross site scripting. The attack may be performed from a remote location. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-18 | 4.3 | CVE-2025-9107 |
| Portabilis--i-Diario | Affected is an unknown function of the component Login Page. The manipulation leads to improper restriction of rendered ui layers. It is possible to launch the attack remotely. | 2025-08-18 | 4.3 | CVE-2025-9108 |
| posimyththemes--Nexter Blocks WordPress Gutenberg Blocks & 1000+ Starter Templates | The Nexter Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 4.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-19 | 6.4 | CVE-2025-8567 |
| ProveSource LTD--ProveSource Social Proof | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ProveSource LTD ProveSource Social Proof allows Retrieve Embedded Sensitive Data.This issue affects ProveSource Social Proof: from n/a through 3.0.5. | 2025-08-21 | 5.3 | CVE-2025-48355 |
| QuanticaLabs--Cost Calculator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs Cost Calculator allows Stored XSS. This issue affects Cost Calculator: from n/a through 7.4. | 2025-08-20 | 6.5 | CVE-2025-54046 |
| Red Hat--Cryostat 4 | A vulnerability was found in the Cryostat HTTP API. Cryostat's HTTP API binds to all network interfaces, allowing possible external visibility and access to the API port if Network Policies are disabled, allowing an unauthenticated, malicious attacker to jeopardize the environment. | 2025-08-20 | 5.9 | CVE-2025-8415 |
| Red Hat--mirror registry for Red Hat OpenShift | The mirror-registry doesn't properly sanitize the host header HTTP header in HTTP request received, allowing an attacker to perform malicious redirects to attacker-controlled domains or phishing campaigns. | 2025-08-20 | 6.5 | CVE-2025-7777 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment. | 2025-08-21 | 4.9 | CVE-2025-9162 |
| Red Hat--Red Hat Developer Hub 1.7 | An insufficient access control vulnerability was found in the Red Hat Developer Hub rhdh/rhdh-hub-rhel9 container image. The Red Hat Developer Hub cluster admin/user, who has standard user access to the cluster, and the Red Hat Developer Hub namespace, can access the rhdh/rhdh-hub-rhel9 container image and modify the image's content. This issue affects the confidentiality and integrity of the data, and any changes made are not permanent, as they reset after the pod restarts. | 2025-08-19 | 6.1 | CVE-2025-5417 |
| Red Hat--Red Hat OpenShift Container Platform 4 | There's a vulnerability in the CRI-O application where when container is launched with securityContext.runAsUser specifying a non-existent user, CRI-O attempts to create the user, reading the container's entire /etc/passwd file into memory. If this file is excessively large, it can cause the a high memory consumption leading applications to be killed due to out-of-memory. As a result a denial-of-service can be achieved, possibly disrupting other pods and services running in the same host. | 2025-08-20 | 5.7 | CVE-2025-4437 |
| rewish--WP Emmet | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in rewish WP Emmet allows Stored XSS. This issue affects WP Emmet: from n/a through 0.3.4. | 2025-08-20 | 5.9 | CVE-2025-49894 |
| riotweb--Contact Info Widget | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in riotweb Contact Info Widget allows Stored XSS. This issue affects Contact Info Widget: from n/a through 2.6.2. | 2025-08-20 | 5.9 | CVE-2025-49891 |
| saitoha--libsixel | A vulnerability was found in saitoha libsixel up to 1.10.3. Affected by this issue is the function sixel_debug_print_palette of the file src/encoder.c of the component img2sixel. The manipulation results in stack-based buffer overflow. The attack must be initiated from a local position. The exploit has been made public and could be used. The patch is identified as 316c086e79d66b62c0c4bc66229ee894e4fdb7d1. Applying a patch is advised to resolve this issue. | 2025-08-21 | 5.3 | CVE-2025-9300 |
| Santesoft--Sante PACS Server | Sante PACS Server is vulnerable to stored cross-site scripting. An attacker could inject malicious HTML codes redirecting a user to a malicious webpage and stealing the user's cookie. | 2025-08-18 | 6.1 | CVE-2025-54759 |
| Santesoft--Sante PACS Server | Sante PACS Server web portal is vulnerable to stored cross-site scripting. An attacker could inject malicious HTML codes redirecting a user to a malicious webpage and stealing the user's cookie. | 2025-08-18 | 5.4 | CVE-2025-54862 |
| Schneider Electric--EcoStruxure Power Monitoring Expert (PME) | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability exists that could cause unauthorized access to sensitive files when an authenticated attackers uses a crafted path input that is processed by the system. | 2025-08-20 | 4.9 | CVE-2025-54927 |
| Schneider Electric--Saitel DR RTU | CWE-269: Improper Privilege Management vulnerability exists that could cause privilege escalation and arbitrary code execution when a privileged engineer user with console access modifies a configuration file used by a root-level daemon to execute custom scripts. | 2025-08-20 | 6.7 | CVE-2025-8453 |
| sertifier--Sertifier Certificate & Badge Maker for WordPress Tutor LMS | The Sertifier Certificate & Badge Maker for WordPress - Tutor LMS plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19. This is due to missing or incorrect nonce validation on the 'sertifier_settings' page. This makes it possible for unauthenticated attackers to update the plugin's api key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-23 | 4.3 | CVE-2025-7841 |
| Shahjahan Jewel--Fluent Support | Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel Fluent Support allows Cross Site Request Forgery. This issue affects Fluent Support: from n/a through 1.9.1. | 2025-08-22 | 4.3 | CVE-2025-57885 |
| Shanghai Lingdang Information Technology--Lingdang CRM | A vulnerability was identified in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. Affected by this issue is some unknown functionality of the file /crm/crmapi/erp/tabdetail_moduleSave.php. The manipulation of the argument getvaluestring leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. Upgrading to version 8.6.5.4 can resolve this issue. The affected component should be upgraded. The vendor explains: "All SQL injection vectors were patched via parameterized queries and input sanitization in v8.6.5+." | 2025-08-19 | 6.3 | CVE-2025-9140 |
| silence--Silencesoft RSS Reader | The Silencesoft RSS Reader plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.6. This is due to missing or incorrect nonce validation on the 'sil_rss_edit_page' page. This makes it possible for unauthenticated attackers to delete RSS feeds via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-23 | 4.3 | CVE-2025-7842 |
| SMA--ennexos.sunnyportal.com | A low-privileged remote attacker can obtain the username of another registered Sunny Portal user by entering that user's email address. | 2025-08-19 | 6.5 | CVE-2025-41685 |
| smub--Easy Digital Downloads eCommerce Payments and Subscriptions made easy | The Easy Digital Downloads plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.5.0. This is due to missing nonce validations in the edd_sendwp_disconnect() and edd_sendwp_remote_install() functions. This makes it possible for unauthenticated attackers to deactivate or download and activate the SendWP plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-20 | 5.4 | CVE-2025-8102 |
| stijnvanderree--Laposta WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in stijnvanderree Laposta WooCommerce allows Stored XSS. This issue affects Laposta WooCommerce: from n/a through 1.9.1. | 2025-08-20 | 5.9 | CVE-2025-49434 |
| StuffAnThings--qbit_manage | qBit Manage is a tool that helps manage tedious tasks in qBittorrent and automate them. A path traversal vulnerability exists in qbit_manage's web API that allows authenticated users to read arbitrary files from the server filesystem through the restore_config_from_backup endpoint. The vulnerability allows attackers to bypass directory restrictions and read arbitrary files from the server filesystem by manipulating the backup_id parameter with path traversal sequences (e.g., ../). This vulnerability is fixed in 4.5.4. | 2025-08-19 | 6.5 | CVE-2025-55295 |
| surror--ShortcodeHub MultiPurpose Shortcode Builder | The ShortcodeHub plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author_link_target' parameter in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-23 | 6.4 | CVE-2025-7957 |
| templatescoderthemes--Spexo Addons for Elementor Free Elementor Addons, Widgets and Templates | The Spexo Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Countdown widget in all versions up to, and including, 1.0.23 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-24 | 6.4 | CVE-2025-8208 |
| themegrill--ColorMag | The ColorMag theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the ThemeGrill Demo Importer plugin. | 2025-08-20 | 4.3 | CVE-2025-9202 |
| themegrill--Spacious | The Spacious theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'welcome_notice_import_handler' function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data into the site. | 2025-08-22 | 4.3 | CVE-2025-9331 |
| themifyme--Themify Audio Dock | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Audio Dock allows Stored XSS. This issue affects Themify Audio Dock: from n/a through 2.0.5. | 2025-08-20 | 5.9 | CVE-2025-49392 |
| themifyme--Themify Builder | Missing Authorization vulnerability in themifyme Themify Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Themify Builder: from n/a through 7.6.7. | 2025-08-20 | 4.3 | CVE-2025-49396 |
| themifyme--Themify Icons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Icons allows Stored XSS. This issue affects Themify Icons: from n/a through 2.0.3. | 2025-08-20 | 6.5 | CVE-2025-49395 |
| thiudis--Custom Menu | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thiudis Custom Menu allows Stored XSS. This issue affects Custom Menu: from n/a through 1.8. | 2025-08-20 | 6.5 | CVE-2025-49436 |
| Uniong--WebITR | WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. | 2025-08-22 | 6.5 | CVE-2025-9256 |
| Uniong--WebITR | WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. | 2025-08-22 | 6.5 | CVE-2025-9257 |
| Uniong--WebITR | WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. | 2025-08-22 | 6.5 | CVE-2025-9258 |
| Uniong--WebITR | WebITR developed by Uniong has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. | 2025-08-22 | 6.5 | CVE-2025-9259 |
| Unisoc (Shanghai) Technologies Co., Ltd.--SL8521E/SL8521ET/ SL8541E/UIS8141E/UWS6137/UWS6137E/UWS6151(E)/UWS6152 | In Developer Tools, there is a possible missing verification incorrect input. This could lead to local escalation of privilege with no additional execution privileges needed. | 2025-08-18 | 6.8 | CVE-2025-31714 |
| Verkehrsauskunft sterreich--SmartRide | A vulnerability was detected in Verkehrsauskunft Österreich SmartRide, cleVVVer and BusBahnBim up to 12.1.1(258). The impacted element is an unknown function of the file AndroidManifest.xml. The manipulation results in improper export of android application components. The attack must be initiated from a local position. The exploit is now public and may be used. Upgrading to version 12.1.2(259) is sufficient to resolve this issue. Upgrading the affected component is recommended. The vendor was contacted early and fixed the issue by "[r]emoving the task affinity of the app so it can't be copied". | 2025-08-19 | 5.3 | CVE-2025-9135 |
| Vikas Sharma--iFrame Block | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vikas Sharma iFrame Block allows Stored XSS. This issue affects iFrame Block: from n/a through 0.1.1. | 2025-08-20 | 6.5 | CVE-2025-49411 |
| VMware--Spring Framework | Spring Framework MVC applications can be vulnerable to a "Path Traversal Vulnerability" when deployed on a non-compliant Servlet container. An application can be vulnerable when all the following are true: * the application is deployed as a WAR or with an embedded Servlet container * the Servlet container does not reject suspicious sequences https://jakarta.ee/specifications/servlet/6.1/jakarta-servlet-spec-6.1.html#uri-path-canonicalization * the application serves static resources https://docs.spring.io/spring-framework/reference/web/webmvc/mvc-config/static-resources.html#page-title with Spring resource handling We have verified that applications deployed on Apache Tomcat or Eclipse Jetty are not vulnerable, as long as default security features are not disabled in the configuration. Because we cannot check exploits against all Servlet containers and configuration variants, we strongly recommend upgrading your application. | 2025-08-18 | 5.9 | CVE-2025-41242 |
| wangsongyan--wblog | A vulnerability was identified in wangsongyan wblog 0.0.1. This affects the function RestorePost of the file backup.go. Such manipulation of the argument fileName leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-24 | 6.3 | CVE-2025-9395 |
| Wavlink--WL-NU516U1 | A vulnerability was determined in Wavlink WL-NU516U1 M16U1_V240425. This impacts the function sub_4032E4 of the file /cgi-bin/wireless.cgi. This manipulation of the argument Guest_ssid causes command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2025-08-19 | 6.3 | CVE-2025-9149 |
| wcplus--WC Plus | The WC Plus plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pluswc_logo_favicon_logo_base' AJAX action in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update the site's favicon logo base. | 2025-08-23 | 5.3 | CVE-2025-7821 |
| webaware--Flexible Map | The Flexible Map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Flexible Maps shortcode in all versions up to, and including, 1.18.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-19 | 6.4 | CVE-2025-8622 |
| Webba Appointment Booking--Webba Booking | Missing Authorization vulnerability in Webba Appointment Booking Webba Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Webba Booking: from n/a through 5.1.20. | 2025-08-20 | 6.5 | CVE-2025-54040 |
| WEN Solutions--Notice Bar | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WEN Solutions Notice Bar allows Stored XSS. This issue affects Notice Bar: from n/a through 3.1.3. | 2025-08-20 | 6.5 | CVE-2025-49389 |
| wen-solutions--WS Theme Addons | The WS Theme Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ws_weather shortcode in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-23 | 6.4 | CVE-2025-8062 |
| Wishloop--Terms of Service & Privacy Policy Generator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wishloop Terms of Service & Privacy Policy Generator allows Stored XSS. This issue affects Terms of Service & Privacy Policy Generator: from n/a through 1.0. | 2025-08-20 | 5.9 | CVE-2025-49413 |
| wong2--mcp-cli | A flaw has been found in wong2 mcp-cli 1.13.0. Affected is the function redirectToAuthorization of the file /src/oauth/provider.js of the component oAuth Handler. This manipulation causes os command injection. The attack may be initiated remotely. The attack is considered to have high complexity. The exploitability is told to be difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-20 | 5.6 | CVE-2025-9262 |
| wpclever--WPC Smart Compare for WooCommerce | The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via DOM elements in all versions up to, and including, 6.4.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-19 | 6.4 | CVE-2025-7496 |
| wpclever--WPC Smart Quick View for WooCommerce | The WPC Smart Quick View for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's woosq_btn shortcode in all versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-20 | 6.4 | CVE-2025-8618 |
| WPDeveloper--Templately | Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded Sensitive Data. This issue affects Templately: from n/a through 3.2.7. | 2025-08-20 | 4.9 | CVE-2025-49408 |
| wpecommerce--Recurring PayPal Donations | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpecommerce Recurring PayPal Donations allows Stored XSS. This issue affects Recurring PayPal Donations: from n/a through 1.8. | 2025-08-22 | 5.9 | CVE-2025-57891 |
| wpsoul--Greenshift | Missing Authorization vulnerability in wpsoul Greenshift allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Greenshift: from n/a through 12.1.1. | 2025-08-22 | 4.3 | CVE-2025-57884 |
| wptasker--WP Discord Post Plus – Supports Unlimited Channels | Cross-Site Request Forgery (CSRF) vulnerability in wptasker WP Discord Post Plus – Supports Unlimited Channels allows Cross Site Request Forgery. This issue affects WP Discord Post Plus – Supports Unlimited Channels: from n/a through 1.0.2. | 2025-08-20 | 4.3 | CVE-2025-49896 |
| Xuxueli--xxl-job | A vulnerability was found in Xuxueli xxl-job up to 3.1.1. Affected by this issue is the function remove of the file /src/main/java/com/xxl/job/admin/controller/JobInfoController.java of the component Jobs Handler. Performing manipulation of the argument ID results in improper control of resource identifiers. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2025-08-20 | 5.4 | CVE-2025-9264 |
| Xuxueli--xxl-job | A vulnerability has been found in Xuxueli xxl-job up to 3.1.1. Affected by this vulnerability is the function getJobsByGroup of the file /src/main/java/com/xxl/job/admin/controller/JobLogController.java. Such manipulation of the argument jobGroup leads to improper control of resource identifiers. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-20 | 4.3 | CVE-2025-9263 |
| yeqifu--carRental | A vulnerability was determined in yeqifu carRental up to 3fabb7eae93d209426638863980301d6f99866b3. Affected by this vulnerability is an unknown functionality of the file /carRental_war/druid/login.html of the component Druid. Executing manipulation can lead to hard-coded credentials. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. | 2025-08-21 | 5.3 | CVE-2025-9310 |
| YiFang--CMS | A security vulnerability has been detected in YiFang CMS up to 2.0.5. Affected by this vulnerability is the function exportInstallTable of the file app/utils/base/database/Migrate.php. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-24 | 5.3 | CVE-2025-9398 |
| zhenfeng13--My-Blog | A security flaw has been discovered in zhenfeng13 My-Blog 1.0.0. This vulnerability affects unknown code of the file /blog/comment of the component Frontend Blog Article Comment Handler. The manipulation leads to authentication bypass by capture-replay. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-18 | 5.3 | CVE-2025-9100 |
| zitadel--zitadel | The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. Versions 4.0.0 to 4.0.2, 3.0.0 to 3.3.6, and all versions prior to 2.71.15 are vulnerable to a username enumeration issue in the login interface. The login UI includes a security feature, Ignoring unknown usernames, that is intended to prevent username enumeration by returning a generic response for both valid and invalid usernames. This vulnerability allows an unauthenticated attacker to bypass this protection by submitting arbitrary userIDs to the select account page and distinguishing between valid and invalid accounts based on the system's response. For effective exploitation, an attacker needs to iterate through possible userIDs, but the impact can be limited by implementing rate limiting or similar measures. The issue has been patched in versions 4.0.3, 3.4.0, and 2.71.15. | 2025-08-22 | 5.3 | CVE-2025-57770 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Adobe--ColdFusion | ColdFusion versions 2025.1, 2023.13, 2021.19 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to limited file system read. A high-privilege authenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction. | 2025-08-18 | 2.2 | CVE-2025-54234 |
| appneta--tcpreplay | A vulnerability was detected in appneta tcpreplay up to 4.5.1. Impacted is the function tcpedit_post_args of the file /src/tcpedit/parse_args.c. The manipulation results in null pointer dereference. The attack is only possible with local access. The exploit is now public and may be used. Upgrading to version 4.5.2-beta2 is recommended to address this issue. Upgrading the affected component is advised. The vendor explains, that he was "[a]ble to reproduce in 6fcbf03 but not in 4.5.2-beta2". | 2025-08-24 | 3.3 | CVE-2025-9384 |
| ckolivas--lrzip | A security flaw has been discovered in ckolivas lrzip up to 0.651. This impacts the function __GI_____strtol_l_internal of the file strtol_l.c. Performing manipulation results in null pointer dereference. The attack is only possible with local access. The exploit has been released to the public and may be exploited. | 2025-08-24 | 3.3 | CVE-2025-9396 |
| CodeAstro--Ecommerce Website | A vulnerability was found in CodeAstro Ecommerce Website 1.0. This impacts an unknown function of the file /customer/my_account.php?edit_account of the component Edit Your Account Page. Performing manipulation of the argument Username results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2025-08-20 | 3.5 | CVE-2025-9237 |
| elunez--eladmin | A vulnerability was identified in elunez eladmin up to 2.7. Affected by this vulnerability is the function EncryptUtils of the file eladmin-common/src/main/java/me/zhengjie/utils/EncryptUtils.java of the component DES Key Handler. The manipulation of the argument STR_PARAM with the input Passw0rd leads to inadequate encryption strength. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitation appears to be difficult. | 2025-08-20 | 3.7 | CVE-2025-9239 |
| FNKvision--Y215 CCTV Camera | A security vulnerability has been detected in FNKvision Y215 CCTV Camera 10.194.120.40. This issue affects the function crypt of the file /etc/passwd. The manipulation leads to use of weak hash. The attack can only be performed from a local environment. The complexity of an attack is rather high. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-24 | 2.5 | CVE-2025-9383 |
| FNKvision--Y215 CCTV Camera | A security flaw has been discovered in FNKvision Y215 CCTV Camera 10.194.120.40. This affects an unknown part of the file /tmp/wpa_supplicant.conf. Performing manipulation results in information disclosure. The attack may be carried out on the physical device. The attack's complexity is rated as high. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-24 | 1.6 | CVE-2025-9381 |
| IBM--Concert Software | IBM Concert Software 1.0.0 through 1.1.0 is vulnerable to excessive data exposure, allowing attackers to access sensitive information without proper filtering. | 2025-08-18 | 3.7 | CVE-2024-49827 |
| IBM--Sterling B2B Integrator | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7, 6.2.0.0 through 6.2.0.4, and 6.2.1.0 could disclose sensitive server information to an unauthorized user that could aid in further attacks against the system. | 2025-08-19 | 2.7 | CVE-2025-2988 |
| jasonclark--getsemantic | A vulnerability has been found in jasonclark getsemantic up to 040c96eb8cf9947488bd01b8de99b607b0519f7d. The impacted element is an unknown function of the file /index.php. The manipulation of the argument view leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-19 | 3.5 | CVE-2025-9147 |
| Mattermost--Mattermost | Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies which allows users to trick users into clicking malicious links via post actions | 2025-08-21 | 3.5 | CVE-2025-47700 |
| Mattermost--Mattermost | Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access which allows user to read a thread via AI posts | 2025-08-21 | 3.5 | CVE-2025-49810 |
| Mattermost--Mattermost | Mattermost versions 10.5.x <= 10.5.8, 9.11.x <= 9.11.17 fail to properly validate authorization for team scheme role modifications which allows Team Admins to demote Team Members to Guests via the PUT /api/v4/teams/team-id/members/user-id/schemeRoles API endpoint. | 2025-08-21 | 3.8 | CVE-2025-53971 |
| n/a--cmake | A vulnerability was determined in cmake 4.1.20250725-gb5cce23. This affects the function cmForEachFunctionBlocker::ReplayItems of the file cmForEachCommand.cxx. This manipulation causes reachable assertion. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. Patch name: 37e27f71bc356d880c908040cd0cb68fa2c371b8. It is suggested to install a patch to address this issue. | 2025-08-21 | 3.3 | CVE-2025-9301 |
| n/a--LibTIFF | A flaw has been found in LibTIFF 4.7.0. This affects the function _TIFFmallocExt/_TIFFCheckRealloc/TIFFHashSetNew/InitCCITTFax3 of the file tools/tiffcmp.c of the component tiffcmp. Executing manipulation can lead to memory leak. The attack is restricted to local execution. The exploit has been published and may be used. This patch is called ed141286a37f6e5ddafb5069347ff5d587e7a4e0. It is best practice to apply a patch to resolve this issue. | 2025-08-19 | 3.3 | CVE-2025-9165 |
| n/a--Scada-LTS | A vulnerability has been found in Scada-LTS 2.7.8.1. This impacts an unknown function of the file scheduled_events.shtm. Such manipulation of the argument alias leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor explains: "[T]he risks of indicated vulnerabilities seem to be minimal as all scenarios likely require admin permissions. Moreover, regardless our team fixes those vulnerabilities - the overall risk change to the user due to malicious admin actions will not be lower. An admin user - by definition - has full control over HTML and JS code that is delivered to users in regular synoptic panels. In other words - due to the design of the system it is not possible to limit the admin user to attack the users." | 2025-08-19 | 3.5 | CVE-2025-9137 |
| n/a--Scada-LTS | A vulnerability was found in Scada-LTS 2.7.8.1. Affected is an unknown function of the file pointHierarchy/new/. Performing manipulation of the argument Title results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor explains: "[T]he risks of indicated vulnerabilities seem to be minimal as all scenarios likely require admin permissions. Moreover, regardless our team fixes those vulnerabilities - the overall risk change to the user due to malicious admin actions will not be lower. An admin user - by definition - has full control over HTML and JS code that is delivered to users in regular synoptic panels. In other words - due to the design of the system it is not possible to limit the admin user to attack the users." | 2025-08-19 | 3.5 | CVE-2025-9138 |
| n/a--Scada-LTS | A security flaw has been discovered in Scada-LTS 2.7.8.1. This affects an unknown part of the file mailing_lists.shtm. The manipulation of the argument name/userList/address results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be exploited. | 2025-08-19 | 3.5 | CVE-2025-9143 |
| n/a--Scada-LTS | A weakness has been identified in Scada-LTS 2.7.8.1. This vulnerability affects unknown code of the file publisher_edit.shtm. This manipulation of the argument Name causes cross site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. | 2025-08-19 | 3.5 | CVE-2025-9144 |
| n/a--Scada-LTS | A security vulnerability has been detected in Scada-LTS 2.7.8.1. This issue affects some unknown processing of the file view_edit.shtm of the component SVG File Handler. Such manipulation of the argument backgroundImageMP leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2025-08-19 | 3.5 | CVE-2025-9145 |
| n/a--Scada-LTS | A security vulnerability has been detected in Scada-LTS up to 2.7.8.1. Impacted is an unknown function of the file view_edit.shtm. The manipulation of the argument Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2025-08-20 | 3.5 | CVE-2025-9233 |
| n/a--Scada-LTS | A vulnerability was detected in Scada-LTS up to 2.7.8.1. The affected element is an unknown function of the file maintenance_events.shtm. The manipulation of the argument Alias results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. | 2025-08-20 | 3.5 | CVE-2025-9234 |
| n/a--Scada-LTS | A flaw has been found in Scada-LTS up to 2.7.8.1. The impacted element is an unknown function of the file compound_events.shtm. This manipulation of the argument Name causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. | 2025-08-20 | 3.5 | CVE-2025-9235 |
| n/a--Scada-LTS | A vulnerability was determined in Scada-LTS up to 2.7.8.1. This impacts an unknown function of the file watch_list.shtm. Executing manipulation of the argument Name can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2025-08-24 | 3.5 | CVE-2025-9388 |
| n/a--SolidInvoice | A vulnerability has been found in SolidInvoice up to 2.4.0. This vulnerability affects unknown code of the file /invoice/recurring of the component Recurring Invoice Module. The manipulation of the argument client name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-19 | 3.5 | CVE-2025-9167 |
| n/a--SolidInvoice | A vulnerability was found in SolidInvoice up to 2.4.0. This issue affects some unknown processing of the file /invoice of the component Invoice Creation Module. The manipulation of the argument Client Name results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-19 | 3.5 | CVE-2025-9168 |
| n/a--SolidInvoice | A vulnerability was determined in SolidInvoice up to 2.4.0. Impacted is an unknown function of the file /quotes of the component Quote Module. This manipulation of the argument Name causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-19 | 3.5 | CVE-2025-9169 |
| n/a--SolidInvoice | A vulnerability was identified in SolidInvoice up to 2.4.0. The affected element is an unknown function of the file /tax/rates of the component Tax Rates Module. Such manipulation of the argument Name leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-19 | 3.5 | CVE-2025-9170 |
| n/a--SolidInvoice | A security flaw has been discovered in SolidInvoice up to 2.4.0. The impacted element is an unknown function of the file /clients of the component Clients Module. Performing manipulation of the argument Name results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been released to the public and may be exploited. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-19 | 3.5 | CVE-2025-9171 |
| n/a--vim | A vulnerability was identified in vim 9.1.0000. Affected is the function __memmove_avx_unaligned_erms of the file memmove-vec-unaligned-erms.S. The manipulation leads to memory corruption. The attack needs to be performed locally. The exploit is publicly available and might be used. Some users are not able to reproduce this. One of the users mentions that this appears not to be working, "when coloring is turned on". | 2025-08-24 | 3.3 | CVE-2025-9389 |
| n/a--ZenCart | A vulnerability was detected in ZenCart 2.1.0. Affected by this vulnerability is an unknown functionality of the component CKEditor. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor declares this as "intended behavior, allowed for authorized administrators". | 2025-08-18 | 2.4 | CVE-2025-9103 |
| Netis--WF2419 | A vulnerability was determined in Netis WF2419 1.2.29433. This vulnerability affects unknown code of the file /index.htm of the component Wireless Settings Page. This manipulation of the argument SSID with the input <img/src/onerror=prompt(8)> causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-18 | 2.4 | CVE-2025-9119 |
| Portabilis--i-Diario | A flaw has been found in Portabilis i-Diario up to 1.5.0. The affected element is an unknown function of the file /planos-de-aulas-por-disciplina/ of the component Informações Adicionais Page. This manipulation of the argument Parecer/Objeto de Conhecimento/Habilidades causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-18 | 3.5 | CVE-2025-9104 |
| Portabilis--i-Diario | A vulnerability has been found in Portabilis i-Diario up to 1.5.0. The impacted element is an unknown function of the file /planos-de-ensino-por-areas-de-conhecimento/ of the component Informações Adicionais Page. Such manipulation of the argument Parecer/Conteúdos/Objetivos leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-18 | 3.5 | CVE-2025-9105 |
| Portabilis--i-Diario | A vulnerability was found in Portabilis i-Diario up to 1.5.0. This affects an unknown function of the file /planos-de-ensino-por-disciplina/ of the component Informações Adicionais Page. Performing manipulation of the argument Parecer/Conteúdos/Objetivos results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-18 | 3.5 | CVE-2025-9106 |
| Portabilis--i-Diario | A security flaw has been discovered in Portabilis i-Diario up to 1.5.0. Affected by this vulnerability is an unknown functionality of the file /password/email of the component Password Recovery Endpoint. The manipulation results in observable response discrepancy. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit has been released to the public and may be exploited. | 2025-08-18 | 3.7 | CVE-2025-9109 |
| Schneider Eelctric--EcoStruxureTM Building Operation Enterprise Server | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists that could cause unauthorized access to sensitive credential data when an attacker is able to capture local SMB traffic between a valid user within the BMS network and the vulnerable products. | 2025-08-20 | 2.3 | CVE-2025-8448 |
| SourceCodester--Advanced School Management System | A vulnerability was detected in SourceCodester Advanced School Management System 1.0. The impacted element is an unknown function of the file /index.php/notice/addNotice. The manipulation of the argument noticeSubject results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2025-08-21 | 3.5 | CVE-2025-9306 |
| Tenda--AC10 | A vulnerability was found in Tenda AC10 16.03.10.13. Affected is an unknown function of the file /etc_ro/shadow of the component MD5 Hash Handler. Performing manipulation results in hard-coded credentials. The attack needs to be approached locally. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The exploit has been made public and could be used. | 2025-08-21 | 2.5 | CVE-2025-9309 |
| TOTVS--Portal Meu RH | A flaw has been found in TOTVS Portal Meu RH up to 12.1.17. Impacted is an unknown function of the component Password Reset Handler. Executing manipulation of the argument redirectUrl can lead to open redirect. The attack may be performed from a remote location. The exploit has been published and may be used. Upgrading to version 12.1.2410.274, 12.1.2502.178 and 12.1.2506.121 is recommended to address this issue. It is recommended to upgrade the affected component. The vendor explains, that "[o]ur internal validation (...) confirms that the reported behavior does not exist in currently supported releases. In these tests, the redirectUrl parameter is ignored, and no malicious redirection occurs." This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-20 | 3.5 | CVE-2025-9193 |
| yarnpkg--Yarn | A vulnerability has been found in yarnpkg Yarn up to 1.22.22. This impacts the function setOptions of the file src/util/request-manager.js. Such manipulation leads to inefficient regular expression complexity. Local access is required to approach this attack. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-21 | 3.3 | CVE-2025-9308 |
| zhenfeng13--My-Blog | A weakness has been identified in zhenfeng13 My-Blog up to 1.0.0. This issue affects some unknown processing of the file /admin/tags/save of the component Tag Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-18 | 3.5 | CVE-2025-9101 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Adform--Adform Site Tracking | Adform Site Tracking 1.1 allows attackers to inject HTML or execute arbitrary code via cookie hijacking. | 2025-08-19 | not yet calculated | CVE-2025-50891 |
| AiKaan--AiKaan IoT Management Platform | Aikaan IoT management platform v3.25.0325-5-g2e9c59796 sends a newly generated password to users in plaintext via email and also includes the same password as a query parameter in the account activation URL (e.g., https://domain.com/activate=xyz). This practice can result in password exposure via browser history, proxy logs, referrer headers, and email caching. The vulnerability impacts user credential confidentiality during initial onboarding. | 2025-08-21 | not yet calculated | CVE-2025-52351 |
| AiKaan--AiKaan IoT Management Platform | Aikaan IoT management platform v3.25.0325-5-g2e9c59796 provides a configuration to disable user sign-up in distributed deployments by hiding the sign-up option on the login page UI. However, the sign-up API endpoint remains publicly accessible and functional, allowing unauthenticated users to register accounts via APIs even when the feature is disabled. This leads to authentication bypass and unauthorized access to admin portals, violating intended access controls. | 2025-08-21 | not yet calculated | CVE-2025-52352 |
| Alanaktion--phproject | Phproject is a high performance full-featured project management system. From 1.8.0 to before 1.8.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Planned Hours field when creating a new project. When sending a POST request to /issues/new/, the value provided in the Planned Hours field is included in the server response without any HTML encoding or sanitization. Because of this, an attacker can craft a malicious payload such as <script>alert(1)</script> and include it in the planned_hours parameter. The server reflects the input directly in the HTML of the project creation page, causing the browser to interpret and execute it. This vulnerability is fixed in 1.8.3. | 2025-08-21 | not yet calculated | CVE-2025-57768 |
| AllSky--AllSky | A Path Traversal vulnerability in AllSky v2023.05.01_04 allows an unauthenticated attacker to create a webshell and remote code execution via the path, content parameter to /includes/save_file.php. | 2025-08-19 | not yet calculated | CVE-2024-44373 |
| Alludo--MindManager | In MindManager Windows versions prior to 24.1.150, attackers could potentially write to unexpected directories in victims' machines via directory traversal if victims opened file attachments located in malicious mmap files. | 2025-08-22 | not yet calculated | CVE-2024-56179 |
| Amlib--Amlibweb Library Management System | Amlib's NetOpacs webquery.dll contains a stack-based buffer overflow vulnerability triggered by improper handling of HTTP GET parameters. Specifically, the application fails to enforce bounds on input supplied to the app parameter, allowing excessive data to overwrite memory structures including the Structured Exception Handler (SEH). Additionally, malformed parameter names followed by an equals sign may result in unintended control flow behavior. This vulnerability is exposed through IIS and affects legacy Windows deployments | 2025-08-21 | not yet calculated | CVE-2010-20112 |
| anji-plus--AJ-Report | An authentication bypass vulnerability in anji-plus AJ-Report up to v1.4.2 allows unauthenticated attackers to execute arbitrary code via a crafted URL. | 2025-08-22 | not yet calculated | CVE-2024-52786 |
| AOL Inc.--AOL Desktop | AOL Desktop 9.6 contains a buffer overflow vulnerability in its Tool\rich.rct component when parsing .rtx files. By embedding an overly long string in a hyperlink tag, an attacker can trigger a stack-based buffer overflow due to the use of unsafe strcpy operations. This allows remote attackers to execute arbitrary code when a victim opens a malicious .rtx file. AOL Desktop is end-of-life and no longer supported. Users are encouraged to migrate to AOL Desktop Gold or alternative platforms. | 2025-08-20 | not yet calculated | CVE-2011-10027 |
| AOL--AOL | AOL versions up to and including 9.5 includes an ActiveX control (Phobos.dll) that exposes a method called Import() via the Phobos.Playlist COM object. This method is vulnerable to a stack-based buffer overflow when provided with an excessively long string argument. Exploitation allows remote attackers to execute arbitrary code in the context of the user, but only when the malicious HTML file is opened locally, due to the control not being marked safe for scripting or initialization. AOL remains an active and supported brand offering services like AOL Mail and AOL Desktop Gold, but the legacy AOL 9.5 desktop software-specifically the version containing the vulnerable Phobos.dll ActiveX control-is long discontinued and no longer maintained. | 2025-08-21 | not yet calculated | CVE-2010-10015 |
| AOMEI--Backupper Workstation | AOMEI Backupper Workstation Link Following Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of AOMEI Backupper Workstation. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. User interaction on the part of an administrator is needed additionally. The specific flaw exists within the restore functionality. By creating a junction, an attacker can abuse the service to create arbitrary files. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-27059. | 2025-08-20 | not yet calculated | CVE-2025-8612 |
| AOMEI--Cyber Backup | AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of AOMEI Cyber Backup. Authentication is not required to exploit this vulnerability. The specific flaw exists within the StorageNode service, which listens on TCP port 9075 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-26156. | 2025-08-20 | not yet calculated | CVE-2025-8610 |
| AOMEI--Cyber Backup | AOMEI Cyber Backup Missing Authentication for Critical Function Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of AOMEI Cyber Backup. Authentication is not required to exploit this vulnerability. The specific flaw exists within the DaoService service, which listens on TCP port 9074 by default. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-26158. | 2025-08-20 | not yet calculated | CVE-2025-8611 |
| Apache Software Foundation--Apache EventMesh Runtime | CWE-918 Server-Side Request Forgery (SSRF) in eventmesh-runtime module in WebhookUtil.java on windows\linux\mac os e.g. allows the attacker can abuse functionality on the server to read or update internal resources. Users are recommended to upgrade to version 1.12.0 or use the master branch , which fixes this issue. | 2025-08-20 | not yet calculated | CVE-2024-39954 |
| Apache Software Foundation--Apache Log4cxx | Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order to hide information from logs or steal data from the user. In order to activate this, the following sequence must occur: * Log4cxx is configured to use HTMLLayout. * Logger name comes from an untrusted string * Logger with compromised name logs a message * User opens the generated HTML log file in their browser, leading to potential XSS Because logger names are generally constant strings, we assess the impact to users as LOW This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue. | 2025-08-22 | not yet calculated | CVE-2025-54812 |
| Apache Software Foundation--Apache Log4cxx | Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON message. This may prevent applications that consume these logs from correctly interpreting the information within them. This issue affects Apache Log4cxx: before 1.5.0. Users are recommended to upgrade to version 1.5.0, which fixes the issue. | 2025-08-22 | not yet calculated | CVE-2025-54813 |
| Apache Software Foundation--Apache StreamPark | SQL Injection vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue. This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts. It can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication). As a result, the associated risk is considered relatively low. | 2025-08-22 | not yet calculated | CVE-2024-48988 |
| Apache Software Foundation--Apache Tika PDF parser module | Critical XXE in Apache Tika (tika-parser-pdf-module) in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue. | 2025-08-20 | not yet calculated | CVE-2025-54988 |
| Appian Enterprise--Business Process Management | A security issue has been identified in Appian Enterprise Business Process Management version 25.3. The vulnerability is related to incorrect access control, which under certain conditions could allow unauthorized access to information. | 2025-08-19 | not yet calculated | CVE-2025-50434 |
| Apple--macOS | An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.7.8, macOS Ventura 13.7.8, iPadOS 17.7.10, macOS Sequoia 15.6.1, iOS 18.6.2 and iPadOS 18.6.2. Processing a malicious image file may result in memory corruption. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals. | 2025-08-21 | not yet calculated | CVE-2025-43300 |
| Arcane Software--Vermillion FTP Daemon | Arcane Software's Vermillion FTP Daemon (vftpd) versions up to and including 1.31 contains a memory corruption vulnerability triggered by a malformed FTP PORT command. The flaw arises from an out-of-bounds array access during input parsing, allowing an attacker to manipulate stack memory and potentially execute arbitrary code. Exploitation requires direct access to the FTP service and is constrained by a single execution attempt if the daemon is installed as a Windows service. | 2025-08-21 | not yet calculated | CVE-2010-20115 |
| Barracuda Networks--Spam & Virus Firewall | Barracuda products, confirmed in Spam & Virus Firewall, SSL VPN, and Web Application Firewall versions prior to October 2010, contain a path traversal vulnerability in the view_help.cgi endpoint. The locale parameter fails to properly sanitize user input, allowing attackers to inject traversal sequences and null-byte terminators to access arbitrary files on the underlying system. By exploiting this flaw, unauthenticated remote attackers can retrieve sensitive configuration files such as /mail/snapshot/config.snapshot, potentially exposing credentials, internal settings, and other critical data. | 2025-08-21 | not yet calculated | CVE-2010-20109 |
| Catalyst--Mahara | Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 allows unsafe font upload for skins. A particularly structured XML file could allow one to traverse the server to obtain access to secure files or cause code execution based on the payload. | 2025-08-22 | not yet calculated | CVE-2022-45133 |
| Catalyst--Mahara | Mahara 21.10 before 21.10.6, 22.04 before 22.04.4, and 22.10 before 22.10.1 deserializes user input unsafely during skin import. A particularly structured XML file could cause code execution when being processed. | 2025-08-22 | not yet calculated | CVE-2022-45134 |
| CommuniCrypt Software--CommuniCrypt Mail | CommuniCrypt Mail versions up to and including 1.16 contains a stack-based buffer overflow vulnerability in its ANSMTP.dll and AOSMTP.dll ActiveX controls, specifically within the AddAttachments() method. This method fails to properly validate the length of input strings, allowing data to exceed the bounds of a fixed-size stack buffer. When invoked with an overly long string, the control can corrupt adjacent memory structures, including exception handlers, leading to potential control flow disruption. | 2025-08-21 | not yet calculated | CVE-2010-20119 |
| Commvault--CommCell | An issue was discovered in Commvault before 11.36.60. A vulnerability in a known login mechanism allows unauthenticated attackers to execute API calls without requiring user credentials. RBAC helps limit the exposure but does not eliminate risk. | 2025-08-20 | not yet calculated | CVE-2025-57788 |
| Commvault--CommCell | An issue was discovered in Commvault before 11.36.60. During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured. | 2025-08-20 | not yet calculated | CVE-2025-57789 |
| Commvault--CommCell | An issue was discovered in Commvault before 11.36.60. A security vulnerability has been identified that allows remote attackers to perform unauthorized file system access through a path traversal issue. The vulnerability may lead to remote code execution. | 2025-08-20 | not yet calculated | CVE-2025-57790 |
| Commvault--CommCell | An issue was discovered in Commvault before 11.36.60. A security vulnerability has been identified that allows remote attackers to inject or manipulate command-line arguments passed to internal components due to insufficient input validation. Successful exploitation results in a valid user session for a low privilege role. | 2025-08-20 | not yet calculated | CVE-2025-57791 |
| Consensys--gnark | gnark is a zero-knowledge proof system framework. In versions prior to 0.14.0, the Verify function in eddsa.go and ecdsa.go used the S value from a signature without asserting that 0 ≤ S < order, leading to a signature malleability vulnerability. Because gnark's native EdDSA and ECDSA circuits lack essential constraints, multiple distinct witnesses can satisfy the same public inputs. In protocols where nullifiers or anti-replay checks are derived from R and S, this enables signature malleability and may allow double spending. This issue has been addressed in version 0.14.0. | 2025-08-22 | not yet calculated | CVE-2025-57801 |
| ContentKeeper Technologies--Web Appliance | ContentKeeper Web Appliance (now maintained by Impero Software) versions prior to 125.10 expose the mimencode binary via a CGI endpoint, allowing unauthenticated attackers to retrieve arbitrary files from the filesystem. By crafting a POST request to /cgi-bin/ck/mimencode with traversal and output parameters, attackers can read sensitive files such as /etc/passwd outside the webroot. | 2025-08-20 | not yet calculated | CVE-2009-10005 |
| copier-org--copier | Copier library and CLI app for rendering project templates. Prior to 9.9.1, a safe template can currently read and write arbitrary files because Copier exposes a few pathlib.Path objects in the Jinja context which have unconstrained I/O methods. This effectively renders the security model w.r.t. filesystem access useless. This vulnerability is fixed in 9.9.1. | 2025-08-18 | not yet calculated | CVE-2025-55201 |
| copier-org--copier | Copier library and CLI app for rendering project templates. From 7.1.0 to before 9.9.1, Copier suggests that it's safe to generate a project from a safe template, i.e. one that doesn't use unsafe features like custom Jinja extensions which would require passing the --UNSAFE,--trust flag. As it turns out, a safe template can currently write files outside the destination path where a project shall be generated or updated. This is possible when rendering a generated directory structure whose rendered path is either a relative parent path or an absolute path. Constructing such paths is possible using Copier's builtin pathjoin Jinja filter and its builtin _copier_conf.sep variable, which is the platform-native path separator. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user's write permissions), e.g., to cause havoc. This vulnerability is fixed in 9.9.1. | 2025-08-18 | not yet calculated | CVE-2025-55214 |
| CursorArts--FileWrangler | FileWrangler <= 5.30 suffers from a stack-based buffer overflow vulnerability when parsing directory listings from an FTP server. A malicious server can send an overlong folder name in response to a LIST command, triggering memory corruption during client-side rendering. Exploitation requires passive user interaction-simply connecting to the server-without further input. Successful exploitation may lead to arbitrary code execution. | 2025-08-20 | not yet calculated | CVE-2010-20045 |
| D-Link--DCS-825L | D-Link DCS-825L firmware version 1.08.01 and possibly prior versions contain an insecure implementation in the mydlink-watch-dog.sh script. The script monitors and respawns the `dcp` and `signalc` binaries without validating their integrity, origin, or permissions. An attacker with filesystem access (e.g., via UART or firmware modification) may replace these binaries to achieve persistent arbitrary code execution with root privileges. The issue stems from improper handling of executable trust and absence of integrity checks in the watchdog logic. | 2025-08-22 | not yet calculated | CVE-2025-55581 |
| D-Link--DI-7400G+ | The DI-7400G+ router has a command injection vulnerability, which allows attackers to execute arbitrary commands on the device. The sub_478D28 function in in mng_platform.asp, and sub_4A12DC function in wayos_ac_server.asp of the jhttpd program, with the parameter ac_mng_srv_host. | 2025-08-22 | not yet calculated | CVE-2025-57105 |
| D-Link--DIR-619L | D-Link DIR-619L 2.06B01 is vulnerable to Buffer Overflow in the formWlanSetup function via the parameter f_wds_wepKey. | 2025-08-22 | not yet calculated | CVE-2025-55599 |
| D-Link--DIR-619L | D-Link DIR-619L 2.06B01 is vulnerable to Buffer Overflow in the formSysCmd function via the submit-url parameter. | 2025-08-22 | not yet calculated | CVE-2025-55602 |
| D-Link--DIR-619L | D-Link DIR-619L 2.06B01 is vulnerable to Buffer Overflow in the formLanguageChange function via the nextPage parameter. | 2025-08-22 | not yet calculated | CVE-2025-55611 |
| Danfoss--AK-SM8xxA Series | Improper neutralization of alarm-to-mail configuration fields used in an OS shell Command ('Command Injection') in Danfoss AK-SM8xxA Series prior to version 4.3.1, leading to a potential post-authenticated remote code execution on an attacked system. | 2025-08-22 | not yet calculated | CVE-2025-41451 |
| Danfoss--AK-SM8xxA Series | Post-authenticated external control of system web interface configuration setting vulnerability in Danfoss AK-SM8xxA Series prior to 4.3.1, which could allow for a denial of service attack induced by improper handling of exceptional conditions | 2025-08-22 | not yet calculated | CVE-2025-41452 |
| Datavane--jobx | Authentication Bypass vulnerability in jobx up to v1.0.1-RELEASE allows an attacker can exploit this vulnerability to access sensitive API without any token via the preHandle function. | 2025-08-20 | not yet calculated | CVE-2024-57491 |
| Delta Electronics--DIAEnergie | DIAEnergie - Stored Cross-site Scripting | 2025-08-18 | not yet calculated | CVE-2025-57700 |
| Delta Electronics--DIAEnergie | DIAEnergie - Reflected Cross-site Scripting | 2025-08-18 | not yet calculated | CVE-2025-57701 |
| Delta Electronics--DIAEnergie | DIAEnergie - Reflected Cross-site Scripting | 2025-08-18 | not yet calculated | CVE-2025-57702 |
| Delta Electronics--DIAEnergie | DIAEnergie - Reflected Cross-site Scripting | 2025-08-18 | not yet calculated | CVE-2025-57703 |
| Digital Music Pad--Digital Music Pad | Digital Music Pad v8.2.3.3.4 contains a stack-based buffer overflow vulnerability in its playlist file parser. When opening a .pls file containing an excessively long string in the File1 field, the application fails to properly validate input length, resulting in corruption of the Structured Exception Handler (SEH) on the stack. This flaw may allow an attacker to control execution flow when the file is opened, potentially leading to arbitrary code execution. | 2025-08-21 | not yet calculated | CVE-2010-20111 |
| discourse--discourse | Discourse is an open-source discussion platform. Welcome banner user name string for logged in users can be vulnerable to XSS attacks, which affect the user themselves or an admin impersonating them. Admins can temporarily alter the welcome_banner.header.logged_in_members site text to remove the preferred_display_name placeholder, or not impersonate any users for the time being. This vulnerability is fixed in 3.5.0.beta8. | 2025-08-19 | not yet calculated | CVE-2025-54411 |
| Docker--Docker Desktop | A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. This vulnerability occurs with or without Enhanced Container Isolation (ECI) enabled, and with or without the "Expose daemon on tcp://localhost:2375 without TLS" option enabled. This can lead to execution of a wide range of privileged commands to the engine API, including controlling other containers, creating new ones, managing images etc. In some circumstances (e.g. Docker Desktop for Windows with WSL backend) it also allows mounting the host drive with the same privileges as the user running Docker Desktop. | 2025-08-20 | not yet calculated | CVE-2025-9074 |
| DogukanUrker--FlaskBlog | flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, the code checks if the userRole is "admin" only when visiting the /admin page, but not when visiting its subroutes. Specifically, only the file routes/adminPanel.py checks the user role when a user is trying to access the admin page, but that control is not done for the pages routes/adminPanelComments.py and routes/adminPanelPosts.py. Thus, an unauthorized user can bypass the intended restrictions, leaking sensitive data and accessing the following pages: /admin/posts, /adminpanel/posts, /admin/comments, and /adminpanel/comments. | 2025-08-19 | not yet calculated | CVE-2025-55734 |
| DogukanUrker--FlaskBlog | flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when creating a post, there's no validation of the content of the post stored in the variable "postContent". The vulnerability arises when displaying the content of the post using the | safe filter, that tells the engine to not escape the rendered content. This can lead to a stored XSS inside the content of the post. The code that causes the problem is in template/routes.html. | 2025-08-19 | not yet calculated | CVE-2025-55735 |
| DogukanUrker--FlaskBlog | flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, an arbitrary user can change his role to "admin", giving its relative privileges (e.g. delete users, posts, comments etc.). The problem is in the routes/adminPanelUsers file. | 2025-08-19 | not yet calculated | CVE-2025-55736 |
| DogukanUrker--FlaskBlog | flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code that causes the problem is in routes/post.py. | 2025-08-19 | not yet calculated | CVE-2025-55737 |
| donknap--dpanel | dpanel is an open source server management panel written in Go. In versions 1.2.0 through 1.7.2, dpanel allows authenticated users to read arbitrary files from the server via the /api/app/compose/get-from-uri API endpoint. The vulnerability exists in the GetFromUri function in app/application/http/controller/compose.go, where the uri parameter is passed directly to os.ReadFile without proper validation or access control. A logged-in attacker can exploit this flaw to read sensitive files from the host system, leading to information disclosure. No patched version is available as of this writing. | 2025-08-22 | not yet calculated | CVE-2025-53363 |
| Eclipse Jetty--Eclipse Jetty | In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a client can open a stream and then send WINDOW_UPDATE frames with window size increment of 0, which is illegal. Per specification https://www.rfc-editor.org/rfc/rfc9113.html#name-window_update , the server should send a RST_STREAM frame. The client can now open another stream and send another bad WINDOW_UPDATE, therefore causing the server to consume more resources than necessary, as this case does not exceed the max number of concurrent streams, yet the client is able to create an enormous amount of streams in a short period of time. The attack can be performed with other conditions (for example, a DATA frame for a closed stream) that cause the server to send a RST_STREAM frame. Links: * https://github.com/jetty/jetty.project/security/advisories/GHSA-mmxm-8w33-wc4h | 2025-08-20 | not yet calculated | CVE-2025-5115 |
| EHCP--Easy Hosting Control Panel (EHCP) | Reflected Cross-Site Scripting in the List MySQL Databases function in Easy Hosting Control Panel (EHCP) 20.04.1.b allows authenticated attackers to execute arbitrary JavaScript via the action parameter. | 2025-08-22 | not yet calculated | CVE-2025-50858 |
| EHCP--Easy Hosting Control Panel (EHCP) | Reflected Cross-Site Scripting in the Change Template function in Easy Hosting Control Panel (EHCP) 20.04.1.b allows authenticated attackers to execute arbitrary JavaScript via the template parameter. | 2025-08-22 | not yet calculated | CVE-2025-50859 |
| EHCP--Easy Hosting Control Panel (EHCP) | SQL Injection in the listdomains function in Easy Hosting Control Panel (EHCP) 20.04.1.b allows authenticated attackers to access or manipulate database contents via the arananalan POST parameter. | 2025-08-21 | not yet calculated | CVE-2025-50860 |
| EHCP--Easy Hosting Control Panel (EHCP) | Easy Hosting Control Panel EHCP v20.04.1.b was discovered to contain a SQL injection vulnerability via the id parameter in the List All Email Addresses function. | 2025-08-19 | not yet calculated | CVE-2025-50926 |
| espressif--esp-idf | ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. The BluFi example bundled in ESP-IDF was vulnerable to memory overflows in two areas: Wi-Fi credential handling and Diffie-Hellman key exchange. This vulnerability is fixed in 5.4.1, 5.3.3, 5.1.6, and 5.0.9. | 2025-08-21 | not yet calculated | CVE-2025-55297 |
| Evolution Consulting --HRmaster | HTML injection vulnerability in the registration interface in Evolution Consulting Kft. HRmaster module v235 allows an attacker to inject HTML tags into the "keresztnév" (firstname) field, which will be sent out in an email resulting in possible Phishing scenarios against any, previously not registered, email address. | 2025-08-21 | not yet calculated | CVE-2025-51989 |
| Exagrid--EX10 | An XML external entities (XXE) injection vulnerability in the /init API endpoint in Exagid EX10 before 6.4.0 P20, 7.0.1 P12, and 7.2.0 P08 allows an authenticated, unprivileged attacker to achieve information disclosure and privilege escalation via a crafted ISys XML message. | 2025-08-21 | not yet calculated | CVE-2025-47184 |
| Flexbyte Software--Solar FTP Server | Solar FTP Server fails to properly handle format strings passed to the USER command. When a specially crafted string containing format specifiers is sent, the server crashes due to a read access violation in the __output_1() function of sfsservice.exe. This results in a denial of service (DoS) condition. | 2025-08-20 | not yet calculated | CVE-2011-10029 |
| Foxit Software--Foxit PDF Reader | Foxit PDF Reader before 4.2.0.0928 does not properly bound-check the /Title entry in the PDF Info dictionary. A specially crafted PDF with an overlong Title string can overflow a fixed-size stack buffer, corrupt the Structured Exception Handler (SEH) chain, and lead to arbitrary code execution in the context of the user who opens the file. | 2025-08-20 | not yet calculated | CVE-2010-20010 |
| Foxit Software--Foxit PDF Reader | Foxit PDF Reader < 4.3.1.0218 exposes a JavaScript API function, createDataObject(), that allows untrusted PDF content to write arbitrary files anywhere on disk. By embedding a malicious PDF that calls this API, an attacker can drop executables or scripts into privileged folders, leading to code execution the next time the system boots or the user logs in. | 2025-08-20 | not yet calculated | CVE-2011-10030 |
| frappe--frappe | Frappe is a full-stack web application framework. A carefully crafted request could extract data that the user would normally not have access to, via SQL injection. This vulnerability is fixed in 15.74.2 and 14.96.15. | 2025-08-20 | not yet calculated | CVE-2025-55731 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to 15.74.2 and 14.96.15, an attacker could implement SQL injection through specially crafted requests, allowing malicious people to access sensitive information. This vulnerability is a bypass of the official patch released for CVE-2025-52895. This vulnerability is fixed in 15.74.2 and 14.96.15. | 2025-08-20 | not yet calculated | CVE-2025-55732 |
| FTPPad--FTPPad FTP Client | FTPPad <= 1.2.0 contains a stack-based buffer overflow vulnerability in its FTP directory listing parser. When the client connects to an FTP server and receives a crafted response to a LIST command containing an excessively long directory and filename, the application fails to properly validate input length. This results in a buffer overflow that overwrites the saved Extended Instruction Pointer (EIP), allowing remote attackers to execute arbitrary code. | 2025-08-21 | not yet calculated | CVE-2010-20108 |
| gAlan--gAlan | gAlan 0.2.1, a modular audio processing environment for Windows, is vulnerable to a stack-based buffer overflow when parsing .galan files. The application fails to properly validate the length of input data, allowing a specially crafted file to overwrite the stack and execute arbitrary code. Exploitation requires local interaction, typically by convincing a user to open the malicious file. | 2025-08-21 | not yet calculated | CVE-2009-20004 |
| Google--Chrome | Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 136.0.7103.113 allowed a remote attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High) | 2025-08-22 | not yet calculated | CVE-2025-4609 |
| Google--Chrome | Out of bounds write in V8 in Google Chrome prior to 139.0.7258.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-08-20 | not yet calculated | CVE-2025-9132 |
| HackUCF--OnboardLite | OnboardLite is the result of the Influx Initiative, our vision for an improved student organization lifecycle at the University of Central Florida. An attacker can craft a link to the trusted application that, when visited, redirects the user to a malicious external site. This enables phishing, credential theft, malware delivery, and trust abuse. Any version with commit hash 6cca19e or later implements jwt signing for the redirect url parameter. | 2025-08-20 | not yet calculated | CVE-2025-55751 |
| HRForecast--smartLibrary | In the smartLibrary component of the HRForecast Suite 0.4.3, a SQL injection vulnerability was discovered in the valueKey parameter. This flaw enables any authenticated user to execute arbitrary SQL queries, via crafted payloads to valueKey to the api/smartlibrary/v2/en/dictionaries/options/lookup endpoint. | 2025-08-19 | not yet calculated | CVE-2025-51506 |
| Intermesh BV--Group-Office | Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser. | 2025-08-21 | not yet calculated | CVE-2025-53504 |
| Intermesh BV--Group-Office | Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a path traversal vulnerability. If this vulnerability is exploited, information on the server hosting the product may be exposed. | 2025-08-21 | not yet calculated | CVE-2025-53505 |
| iXsystems--FreeNAS | FreeNAS 0.7.2 prior to revision 5543 includes an unauthenticated commandâ€execution backdoor in its web interface. The exec_raw.php script exposes a cmd parameter that is passed directly to the underlying shell without sanitation. | 2025-08-20 | not yet calculated | CVE-2010-20059 |
| jonkastonka--Cookies and Content Security Policy | Incorrect Access Control in the AJAX endpoint functionality in jonkastonka Cookies and Content Security Policy plugin through version 2.29 allows remote attackers to cause a denial of service (database server resource exhaustion) via unlimited database write operations to the wp_ajax_nopriv_cacsp_insert_consent_data endpoint. | 2025-08-19 | not yet calculated | CVE-2025-51529 |
| Kaillera Project--Server | Kaillera Server version 0.86 is vulnerable to a denial-of-service condition triggered by sending a malformed UDP packet after the initial handshake. Once a client sends a valid HELLO0.83 packet and receives a response, any subsequent malformed packet causes the server to crash and become unresponsive. This flaw stems from improper input validation in the server's UDP packet handler, allowing unauthenticated remote attackers to disrupt service availability. | 2025-08-20 | not yet calculated | CVE-2011-10020 |
| KMiNT21 Software--EasyFTP Server | EasyFTP Server 1.7.0.11 and earlier contains a stack-based buffer overflow vulnerability in its HTTP interface. When processing a GET request to list.html, the server fails to properly validate the length of the path parameter. Supplying an excessively long value causes a buffer overflow on the stack, potentially corrupting control flow structures. The vulnerability is exposed through the embedded web server and does not require authentication due to default anonymous access. The issue was resolved in version 1.7.0.12, after which the product was renamed to UplusFtp. | 2025-08-21 | not yet calculated | CVE-2010-20113 |
| KMiNT21 Software--EasyFTP Server | EasyFTP Server versions up to 1.7.0.11 contain a stack-based buffer overflow vulnerability in the FTP command parser. When processing the CWD (Change Working Directory) command, the server fails to properly validate the length of the input string, allowing attackers to overwrite memory on the stack. This flaw enables remote code execution without authentication, as EasyFTP allows anonymous access by default. The vulnerability was resolved in version 1.7.0.12, after which the product was renamed "UplusFtp." | 2025-08-21 | not yet calculated | CVE-2010-20121 |
| komari-monitor--komari | Komari is a lightweight, self-hosted server monitoring tool designed to provide a simple and efficient solution for monitoring server performance. Prior to 1.0.4-fix1, WebSocket upgrader has disabled origin checking, enabling Cross-Site WebSocket Hijacking (CSWSH) attacks against authenticated users. Any third party website can send requests to the terminal websocket endpoint with browser's cookies, resulting in remote code execution. This vulnerability is fixed in 1.0.4-fix1. | 2025-08-18 | not yet calculated | CVE-2025-55300 |
| LabRedesCefetRJ--WeGIA | WeGIA is a Web manager for charitable institutions. Prior to 3.4.10, there is a SQL Injection vulnerability in the /html/funcionario/dependente_remover.php endpoint, specifically in the id_funcionario parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This vulnerability is fixed in 3.4.10. | 2025-08-21 | not yet calculated | CVE-2025-57761 |
| LabRedesCefetRJ--WeGIA | WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, there is a Stored Cross-Site Scripting (XSS) vulnerability in the dependente_docdependente.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts into the nome parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. This vulnerability is fixed in 3.4.7. | 2025-08-21 | not yet calculated | CVE-2025-57762 |
| LabRedesCefetRJ--WeGIA | WeGIA is a Web manager for charitable institutions. Prior to 3.4.7, there is a Reflected Cross-Site Scripting (XSS) vulnerability in the insere_despacho.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the cpf sccs. This vulnerability is fixed in 3.4.7. | 2025-08-21 | not yet calculated | CVE-2025-57763 |
| LeapWare--LeapFTP | LeapFTP < 3.1.x contains a stack-based buffer overflow vulnerability in its FTP client parser. When the client receives a directory listing containing a filename longer than 528 bytes, the application fails to properly bound-check the input and overwrites the Structured Exception Handler (SEH) chain. This allows an attacker operating a malicious FTP server to execute arbitrary code on the victim's machine when the file is listed or downloaded. | 2025-08-20 | not yet calculated | CVE-2010-20049 |
| Legion of the Bouncy Castle Inc.--Bouncy Castle for Java | Out-of-bounds Write vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bc-fips on All (API modules). This vulnerability is associated with program files org/bouncycastle/jcajce/provider/BaseCipher. This issue affects Bouncy Castle for Java: from BC-FJA 2.1.0 through 2.1.0. | 2025-08-22 | not yet calculated | CVE-2025-9340 |
| Legion of the Bouncy Castle Inc.--Bouncy Castle for Java FIPS | Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java FIPS bc-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files org/bouncycastle/crypto/fips/AESNativeCBC.Java. This issue affects Bouncy Castle for Java FIPS: from BC-FJA 2.1.0 through 2.1.0. | 2025-08-22 | not yet calculated | CVE-2025-9341 |
| Liferay--DXP | A server-side request forgery (SSRF) vulnerability exists in the Liferay DXP 2025.Q2.0 through 2025.Q2.3 due to insecure domain validation on analytics.cloud.domain.allowed, allowing an attacker to perform requests by change the domain and bypassing the validation method, this insecure validation is not distinguishing between trusted subdomains and malicious domains. | 2025-08-21 | not yet calculated | CVE-2025-43747 |
| Liferay--Portal | Liferay Portal 7.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 and 7.3 GA through update 36 allows unauthenticated users with valid credentials to bypass the login process by changing the POST method to GET, once the site has MFA enabled. | 2025-08-18 | not yet calculated | CVE-2025-3639 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows an remote authenticated user to inject JavaScript in message board threads and categories. | 2025-08-18 | not yet calculated | CVE-2025-43731 |
| Liferay--Portal | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 is vulnerable to Insecure Direct Object Reference (IDOR) in the groupId parameter of the _com_liferay_roles_selector_web_portlet_RolesSelectorPortlet_groupId. When an organization administrator modifies this parameter id value, they can gain unauthorized access to user lists from other organizations. | 2025-08-18 | not yet calculated | CVE-2025-43732 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7 allows a remote authenticated attacker to inject JavaScript code via the content page's name field. This malicious payload is then reflected and executed within the user's browser when viewing the "document View Usages" page. | 2025-08-18 | not yet calculated | CVE-2025-43733 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8 and 2025.Q1.0 through 2025.Q1.15 allows a remote authenticated user to inject JavaScript code via _com_liferay_journal_web_portlet_JournalPortlet_backURL parameter. | 2025-08-19 | not yet calculated | CVE-2025-43737 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.1 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via _com_liferay_expando_web_portlet_ExpandoPortlet_displayType parameter. | 2025-08-19 | not yet calculated | CVE-2025-43738 |
| Liferay--Portal | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.6, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allow any authenticated user to modify the content of emails sent through the calendar portlet, allowing an attacker to send phishing emails to any other user in the same organization. | 2025-08-19 | not yet calculated | CVE-2025-43739 |
| Liferay--Portal | A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.3.120 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.8, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13 and 2024.Q1.9 through 2024.Q1.19 allows an remote authenticated attacker to inject JavaScript through the message boards feature available via the web interface. | 2025-08-19 | not yet calculated | CVE-2025-43740 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScrip in the _com_liferay_users_admin_web_portlet_UsersAdminPortlet_assetTagNames parameter | 2025-08-20 | not yet calculated | CVE-2025-43741 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.3, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript in web content for friendly urls. | 2025-08-20 | not yet calculated | CVE-2025-43742 |
| Liferay--Portal | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows any authenticated remote user to view other calendars by allowing them to enumerate the names of other users, given an attacker the possibility to send phishing to these users. | 2025-08-19 | not yet calculated | CVE-2025-43743 |
| Liferay--Portal | A stored DOM-based Cross-Site Scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.5, 2025.Q1.0 through 2025.Q1.15, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 exists in the Asset Publisher configuration UI within the Source.js module. This vulnerability allows attackers to inject arbitrary JavaScript via DDM structure field labels which are then inserted into the DOM using innerHTML without proper encoding. | 2025-08-19 | not yet calculated | CVE-2025-43744 |
| Liferay--Portal | A CSRF vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.7, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote attackers to performs cross-origin request on behalf of the authenticated user via the endpoint parameter. | 2025-08-19 | not yet calculated | CVE-2025-43745 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_portletNamespace and _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_namespace parameter. | 2025-08-20 | not yet calculated | CVE-2025-43746 |
| Liferay--Portal | Insufficient CSRF protection for omni-administrator users in Liferay Portal 7.0.0 through 7.4.3.119, and Liferay DXP 2024.Q1.1 through 2024.Q1.6, 2023.Q4.0 through 2023.Q4.9, 2023.Q3.1 through 2023.Q3.9, 7.4 GA through update 92, 7.3 GA through update 36, and older unsupported versions allows attackers to execute Cross-Site Request Forgery | 2025-08-20 | not yet calculated | CVE-2025-43748 |
| Liferay--Portal | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files uploaded in the form and stored in document_library | 2025-08-20 | not yet calculated | CVE-2025-43749 |
| Liferay--Portal | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.19 and 7.4 GA through update 92 allows remote unauthenticated users (guests) to upload files via the form attachment field without proper validation, enabling extension obfuscation and bypassing MIME type checks. | 2025-08-20 | not yet calculated | CVE-2025-43750 |
| Liferay--Portal | User enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14, 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10 and 7.4 GA through update 92 allows remote attackers to determine if an account exist in the application via the create account page. | 2025-08-22 | not yet calculated | CVE-2025-43751 |
| Liferay--Portal | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allow users to upload an unlimited amount of files through the object entries attachment fields, the files are stored in the document_library allowing an attacker to cause a potential DDoS. | 2025-08-22 | not yet calculated | CVE-2025-43752 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.32 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.7, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 update 32 through update 92 allows an remote authenticated user to inject JavaScript into the embedded message field from the form container. | 2025-08-21 | not yet calculated | CVE-2025-43753 |
| Liferay--Portal | Username enumeration vulnerability in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows attackers to determine if an account exist in the application by inspecting the server processing time of the login request. | 2025-08-21 | not yet calculated | CVE-2025-43754 |
| Liferay--Portal | A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 t through 7.4.3.132, and Liferay DXP 2025.Q2.0, 2025.Q1.0 through 2025.Q1.13, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.17 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript into the _com_liferay_layout_admin_web_portlet_GroupPagesPortlet_type parameter. | 2025-08-21 | not yet calculated | CVE-2025-43755 |
| Liferay--Portal | <!--td {border: 1px solid #cccccc;}br {mso-data-placement:same-cell;}-->A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.15, 2025.Q2.0 through 2025.Q2.2 and 2024.Q1.13 through 2024.Q1.19 allows a remote authenticated user to inject JavaScript code via snippet parameter. | 2025-08-21 | not yet calculated | CVE-2025-43756 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q2.0 through 2025.Q2.2, 2025.Q1.0 through 2025.Q1.14, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.18 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code via _com_liferay_dynamic_data_mapping_web_portlet_DDMPortlet_definition parameter. | 2025-08-20 | not yet calculated | CVE-2025-43757 |
| Liferay--Portal | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows unauthenticated users (guests) to access via URL files uploaded by object entry and stored in document_library | 2025-08-22 | not yet calculated | CVE-2025-43758 |
| Liferay--Portal | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allows admin users of a virtual instance to add pages that are not in the default/main virtual instance, then any tenant can create a list of all other tenants. | 2025-08-22 | not yet calculated | CVE-2025-43759 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4, 2024.Q4.0 through 2024.Q4.6, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92 allows an remote authenticated attacker to inject JavaScript into the PortalUtil.escapeRedirect | 2025-08-22 | not yet calculated | CVE-2025-43760 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.4, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the frontend-editor-ckeditor-web/ckeditor/samples/old/ajax.html path | 2025-08-22 | not yet calculated | CVE-2025-43761 |
| Liferay--Portal | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.1, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.14 and 7.4 GA through update 92 allow users to upload an unlimited amount of files through the forms, the files are stored in the document_library allowing an attacker to cause a potential DDoS. | 2025-08-22 | not yet calculated | CVE-2025-43762 |
| Liferay--Portal | Self-ReDoS (Regular expression Denial of Service) exists with Role Name search field of Kaleo Designer portlet JavaScript in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.1, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.20 and 7.4 GA through update 92, which allows authenticated users with permissions to update Kaleo Workflows to enter a malicious Regex pattern causing their browser to hang for a very long time. | 2025-08-23 | not yet calculated | CVE-2025-43764 |
| Liferay--Portal | A Stored cross-site scripting vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the text field from a web content. | 2025-08-23 | not yet calculated | CVE-2025-43765 |
| Liferay--Portal | The Liferay Portal 7.4.0 through 7.3.3.131, and Liferay DXP 2024.Q4.0, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows the upload of unrestricted files in the style books component that are processed within the environment enabling arbitrary code execution by attackers. | 2025-08-23 | not yet calculated | CVE-2025-43766 |
| Liferay--Portal | Open Redirect vulnerability in /c/portal/edit_info_item parameter redirect in Liferay Portal 7.4.3.86 through 7.4.3.131, and Liferay DXP 2024.Q3.1 through 2024.Q3.9, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 update 86 through update 92 allows an attacker to exploit this security vulnerability to redirect users to a malicious site. | 2025-08-23 | not yet calculated | CVE-2025-43767 |
| Liferay--Portal | Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15 and 7.4 GA through update 92 allows authenticated users without any permissions to access sensitive information of admin users using JSONWS APIs. | 2025-08-23 | not yet calculated | CVE-2025-43768 |
| Liferay--Portal | Stored cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q3.1 through 2024.Q3.8, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows remote attackers to execute arbitrary web script or HTML via components tab. | 2025-08-23 | not yet calculated | CVE-2025-43769 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the referer or FORWARD_URL using %00 in those parameters. | 2025-08-23 | not yet calculated | CVE-2025-43770 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tls: stop recv() if initial process_rx_list gave us non-DATA If we have a non-DATA record on the rx_list and another record of the same type still on the queue, we will end up merging them: - process_rx_list copies the non-DATA record - we start the loop and process the first available record since it's of the same type - we break out of the loop since the record was not DATA Just check the record type and jump to the end in case process_rx_list did some work. | 2025-08-22 | not yet calculated | CVE-2024-58239 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: Restrict conditions for adding duplicating netems to qdisc tree netem_enqueue's duplication prevention logic breaks when a netem resides in a qdisc tree with other netems - this can lead to a soft lockup and OOM loop in netem_dequeue, as seen in [1]. Ensure that a duplicating netem cannot exist in a tree with other netems. Previous approaches suggested in discussions in chronological order: 1) Track duplication status or ttl in the sk_buff struct. Considered too specific a use case to extend such a struct, though this would be a resilient fix and address other previous and potential future DOS bugs like the one described in loopy fun [2]. 2) Restrict netem_enqueue recursion depth like in act_mirred with a per cpu variable. However, netem_dequeue can call enqueue on its child, and the depth restriction could be bypassed if the child is a netem. 3) Use the same approach as in 2, but add metadata in netem_skb_cb to handle the netem_dequeue case and track a packet's involvement in duplication. This is an overly complex approach, and Jamal notes that the skb cb can be overwritten to circumvent this safeguard. 4) Prevent the addition of a netem to a qdisc tree if its ancestral path contains a netem. However, filters and actions can cause a packet to change paths when re-enqueued to the root from netem duplication, leading us to the current solution: prevent a duplicating netem from inhabiting the same tree as other netems. [1] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/ [2] https://lwn.net/Articles/719297/ | 2025-08-19 | not yet calculated | CVE-2025-38553 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped By inducing delays in the right places, Jann Horn created a reproducer for a hard to hit UAF issue that became possible after VMAs were allowed to be recycled by adding SLAB_TYPESAFE_BY_RCU to their cache. Race description is borrowed from Jann's discovery report: lock_vma_under_rcu() looks up a VMA locklessly with mas_walk() under rcu_read_lock(). At that point, the VMA may be concurrently freed, and it can be recycled by another process. vma_start_read() then increments the vma->vm_refcnt (if it is in an acceptable range), and if this succeeds, vma_start_read() can return a recycled VMA. In this scenario where the VMA has been recycled, lock_vma_under_rcu() will then detect the mismatching ->vm_mm pointer and drop the VMA through vma_end_read(), which calls vma_refcount_put(). vma_refcount_put() drops the refcount and then calls rcuwait_wake_up() using a copy of vma->vm_mm. This is wrong: It implicitly assumes that the caller is keeping the VMA's mm alive, but in this scenario the caller has no relation to the VMA's mm, so the rcuwait_wake_up() can cause UAF. The diagram depicting the race: T1 T2 T3 == == == lock_vma_under_rcu mas_walk <VMA gets removed from mm> mmap <the same VMA is reallocated> vma_start_read __refcount_inc_not_zero_limited_acquire munmap __vma_enter_locked refcount_add_not_zero vma_end_read vma_refcount_put __refcount_dec_and_test rcuwait_wait_event <finish operation> rcuwait_wake_up [UAF] Note that rcuwait_wait_event() in T3 does not block because refcount was already dropped by T1. At this point T3 can exit and free the mm causing UAF in T1. To avoid this we move vma->vm_mm verification into vma_start_read() and grab vma->vm_mm to stabilize it before vma_refcount_put() operation. [surenb@google.com: v3] | 2025-08-19 | not yet calculated | CVE-2025-38554 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget : fix use-after-free in composite_dev_cleanup() 1. In func configfs_composite_bind() -> composite_os_desc_req_prepare(): if kmalloc fails, the pointer cdev->os_desc_req will be freed but not set to NULL. Then it will return a failure to the upper-level function. 2. in func configfs_composite_bind() -> composite_dev_cleanup(): it will checks whether cdev->os_desc_req is NULL. If it is not NULL, it will attempt to use it.This will lead to a use-after-free issue. BUG: KASAN: use-after-free in composite_dev_cleanup+0xf4/0x2c0 Read of size 8 at addr 0000004827837a00 by task init/1 CPU: 10 PID: 1 Comm: init Tainted: G O 5.10.97-oh #1 kasan_report+0x188/0x1cc __asan_load8+0xb4/0xbc composite_dev_cleanup+0xf4/0x2c0 configfs_composite_bind+0x210/0x7ac udc_bind_to_driver+0xb4/0x1ec usb_gadget_probe_driver+0xec/0x21c gadget_dev_desc_UDC_store+0x264/0x27c | 2025-08-19 | not yet calculated | CVE-2025-38555 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: core: Harden s32ton() against conversion to 0 bits Testing by the syzbot fuzzer showed that the HID core gets a shift-out-of-bounds exception when it tries to convert a 32-bit quantity to a 0-bit quantity. Ideally this should never occur, but there are buggy devices and some might have a report field with size set to zero; we shouldn't reject the report or the device just because of that. Instead, harden the s32ton() routine so that it returns a reasonable result instead of crashing when it is called with the number of bits set to 0 -- the same as what snto32() does. | 2025-08-19 | not yet calculated | CVE-2025-38556 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: apple: validate feature-report field count to prevent NULL pointer dereference A malicious HID device with quirk APPLE_MAGIC_BACKLIGHT can trigger a NULL pointer dereference whilst the power feature-report is toggled and sent to the device in apple_magic_backlight_report_set(). The power feature-report is expected to have two data fields, but if the descriptor declares one field then accessing field[1] and dereferencing it in apple_magic_backlight_report_set() becomes invalid since field[1] will be NULL. An example of a minimal descriptor which can cause the crash is something like the following where the report with ID 3 (power report) only references a single 1-byte field. When hid core parses the descriptor it will encounter the final feature tag, allocate a hid_report (all members of field[] will be zeroed out), create field structure and populate it, increasing the maxfield to 1. The subsequent field[1] access and dereference causes the crash. Usage Page (Vendor Defined 0xFF00) Usage (0x0F) Collection (Application) Report ID (1) Usage (0x01) Logical Minimum (0) Logical Maximum (255) Report Size (8) Report Count (1) Feature (Data,Var,Abs) Usage (0x02) Logical Maximum (32767) Report Size (16) Report Count (1) Feature (Data,Var,Abs) Report ID (3) Usage (0x03) Logical Minimum (0) Logical Maximum (1) Report Size (8) Report Count (1) Feature (Data,Var,Abs) End Collection Here we see the KASAN splat when the kernel dereferences the NULL pointer and crashes: [ 15.164723] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] SMP KASAN NOPTI [ 15.165691] KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] [ 15.165691] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0 #31 PREEMPT(voluntary) [ 15.165691] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 15.165691] RIP: 0010:apple_magic_backlight_report_set+0xbf/0x210 [ 15.165691] Call Trace: [ 15.165691] <TASK> [ 15.165691] apple_probe+0x571/0xa20 [ 15.165691] hid_device_probe+0x2e2/0x6f0 [ 15.165691] really_probe+0x1ca/0x5c0 [ 15.165691] __driver_probe_device+0x24f/0x310 [ 15.165691] driver_probe_device+0x4a/0xd0 [ 15.165691] __device_attach_driver+0x169/0x220 [ 15.165691] bus_for_each_drv+0x118/0x1b0 [ 15.165691] __device_attach+0x1d5/0x380 [ 15.165691] device_initial_probe+0x12/0x20 [ 15.165691] bus_probe_device+0x13d/0x180 [ 15.165691] device_add+0xd87/0x1510 [...] To fix this issue we should validate the number of fields that the backlight and power reports have and if they do not have the required number of fields then bail. | 2025-08-19 | not yet calculated | CVE-2025-38557 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: uvc: Initialize frame-based format color matching descriptor Fix NULL pointer crash in uvcg_framebased_make due to uninitialized color matching descriptor for frame-based format which was added in commit f5e7bdd34aca ("usb: gadget: uvc: Allow creating new color matching descriptors") that added handling for uncompressed and mjpeg format. Crash is seen when userspace configuration (via configfs) does not explicitly define the color matching descriptor. If color_matching is not found, config_group_find_item() returns NULL. The code then jumps to out_put_cm, where it calls config_item_put(color_matching);. If color_matching is NULL, this will dereference a null pointer, leading to a crash. [ 2.746440] Unable to handle kernel NULL pointer dereference at virtual address 000000000000008c [ 2.756273] Mem abort info: [ 2.760080] ESR = 0x0000000096000005 [ 2.764872] EC = 0x25: DABT (current EL), IL = 32 bits [ 2.771068] SET = 0, FnV = 0 [ 2.771069] EA = 0, S1PTW = 0 [ 2.771070] FSC = 0x05: level 1 translation fault [ 2.771071] Data abort info: [ 2.771072] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 2.771073] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 2.771074] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 2.771075] user pgtable: 4k pages, 39-bit VAs, pgdp=00000000a3e59000 [ 2.771077] [000000000000008c] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 2.771081] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 2.771084] Dumping ftrace buffer: [ 2.771085] (ftrace buffer empty) [ 2.771138] CPU: 7 PID: 486 Comm: ln Tainted: G W E 6.6.58-android15 [ 2.771139] Hardware name: Qualcomm Technologies, Inc. SunP QRD HDK (DT) [ 2.771140] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 2.771141] pc : __uvcg_fill_strm+0x198/0x2cc [ 2.771145] lr : __uvcg_iter_strm_cls+0xc8/0x17c [ 2.771146] sp : ffffffc08140bbb0 [ 2.771146] x29: ffffffc08140bbb0 x28: ffffff803bc81380 x27: ffffff8023bbd250 [ 2.771147] x26: ffffff8023bbd250 x25: ffffff803c361348 x24: ffffff803d8e6768 [ 2.771148] x23: 0000000000000004 x22: 0000000000000003 x21: ffffffc08140bc48 [ 2.771149] x20: 0000000000000000 x19: ffffffc08140bc48 x18: ffffffe9f8cf4a00 [ 2.771150] x17: 000000001bf64ec3 x16: 000000001bf64ec3 x15: ffffff8023bbd250 [ 2.771151] x14: 000000000000000f x13: 004c4b40000f4240 x12: 000a2c2a00051615 [ 2.771152] x11: 000000000000004f x10: ffffffe9f76b40ec x9 : ffffffe9f7e389d0 [ 2.771153] x8 : ffffff803d0d31ce x7 : 000f4240000a2c2a x6 : 0005161500028b0a [ 2.771154] x5 : ffffff803d0d31ce x4 : 0000000000000003 x3 : 0000000000000000 [ 2.771155] x2 : ffffffc08140bc50 x1 : ffffffc08140bc48 x0 : 0000000000000000 [ 2.771156] Call trace: [ 2.771157] __uvcg_fill_strm+0x198/0x2cc [ 2.771157] __uvcg_iter_strm_cls+0xc8/0x17c [ 2.771158] uvcg_streaming_class_allow_link+0x240/0x290 [ 2.771159] configfs_symlink+0x1f8/0x630 [ 2.771161] vfs_symlink+0x114/0x1a0 [ 2.771163] do_symlinkat+0x94/0x28c [ 2.771164] __arm64_sys_symlinkat+0x54/0x70 [ 2.771164] invoke_syscall+0x58/0x114 [ 2.771166] el0_svc_common+0x80/0xe0 [ 2.771168] do_el0_svc+0x1c/0x28 [ 2.771169] el0_svc+0x3c/0x70 [ 2.771172] el0t_64_sync_handler+0x68/0xbc [ 2.771173] el0t_64_sync+0x1a8/0x1ac Initialize color matching descriptor for frame-based format to prevent NULL pointer crash by mirroring the handling done for uncompressed and mjpeg formats. | 2025-08-19 | not yet calculated | CVE-2025-38558 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86/intel/pmt: fix a crashlog NULL pointer access Usage of the intel_pmt_read() for binary sysfs, requires a pcidev. The current use of the endpoint value is only valid for telemetry endpoint usage. Without the ep, the crashlog usage causes the following NULL pointer exception: BUG: kernel NULL pointer dereference, address: 0000000000000000 Oops: Oops: 0000 [#1] SMP NOPTI RIP: 0010:intel_pmt_read+0x3b/0x70 [pmt_class] Code: Call Trace: <TASK> ? sysfs_kf_bin_read+0xc0/0xe0 kernfs_fop_read_iter+0xac/0x1a0 vfs_read+0x26d/0x350 ksys_read+0x6b/0xe0 __x64_sys_read+0x1d/0x30 x64_sys_call+0x1bc8/0x1d70 do_syscall_64+0x6d/0x110 Augment struct intel_pmt_entry with a pointer to the pcidev to avoid the NULL pointer exception. | 2025-08-19 | not yet calculated | CVE-2025-38559 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/sev: Evict cache lines during SNP memory validation An SNP cache coherency vulnerability requires a cache line eviction mitigation when validating memory after a page state change to private. The specific mitigation is to touch the first and last byte of each 4K page that is being validated. There is no need to perform the mitigation when performing a page state change to shared and rescinding validation. CPUID bit Fn8000001F_EBX[31] defines the COHERENCY_SFW_NO CPUID bit that, when set, indicates that the software mitigation for this vulnerability is not needed. Implement the mitigation and invoke it when validating memory (making it private) and the COHERENCY_SFW_NO bit is not set, indicating the SNP guest is vulnerable. | 2025-08-19 | not yet calculated | CVE-2025-38560 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix Preauh_HashValue race condition If client send multiple session setup requests to ksmbd, Preauh_HashValue race condition could happen. There is no need to free sess->Preauh_HashValue at session setup phase. It can be freed together with session at connection termination phase. | 2025-08-19 | not yet calculated | CVE-2025-38561 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference error in generate_encryptionkey If client send two session setups with krb5 authenticate to ksmbd, null pointer dereference error in generate_encryptionkey could happen. sess->Preauth_HashValue is set to NULL if session is valid. So this patch skip generate encryption key if session is valid. | 2025-08-19 | not yet calculated | CVE-2025-38562 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/core: Prevent VMA split of buffer mappings The perf mmap code is careful about mmap()'ing the user page with the ringbuffer and additionally the auxiliary buffer, when the event supports it. Once the first mapping is established, subsequent mapping have to use the same offset and the same size in both cases. The reference counting for the ringbuffer and the auxiliary buffer depends on this being correct. Though perf does not prevent that a related mapping is split via mmap(2), munmap(2) or mremap(2). A split of a VMA results in perf_mmap_open() calls, which take reference counts, but then the subsequent perf_mmap_close() calls are not longer fulfilling the offset and size checks. This leads to reference count leaks. As perf already has the requirement for subsequent mappings to match the initial mapping, the obvious consequence is that VMA splits, caused by resizing of a mapping or partial unmapping, have to be prevented. Implement the vm_operations_struct::may_split() callback and return unconditionally -EINVAL. That ensures that the mapping offsets and sizes cannot be changed after the fact. Remapping to a different fixed address with the same size is still possible as it takes the references for the new mapping and drops those of the old mapping. | 2025-08-19 | not yet calculated | CVE-2025-38563 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/core: Handle buffer mapping fail correctly in perf_mmap() After successful allocation of a buffer or a successful attachment to an existing buffer perf_mmap() tries to map the buffer read only into the page table. If that fails, the already set up page table entries are zapped, but the other perf specific side effects of that failure are not handled. The calling code just cleans up the VMA and does not invoke perf_mmap_close(). This leaks reference counts, corrupts user->vm accounting and also results in an unbalanced invocation of event::event_mapped(). Cure this by moving the event::event_mapped() invocation before the map_range() call so that on map_range() failure perf_mmap_close() can be invoked without causing an unbalanced event::event_unmapped() call. perf_mmap_close() undoes the reference counts and eventually frees buffers. | 2025-08-19 | not yet calculated | CVE-2025-38564 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/core: Exit early on perf_mmap() fail When perf_mmap() fails to allocate a buffer, it still invokes the event_mapped() callback of the related event. On X86 this might increase the perf_rdpmc_allowed reference counter. But nothing undoes this as perf_mmap_close() is never called in this case, which causes another reference count leak. Return early on failure to prevent that. | 2025-08-19 | not yet calculated | CVE-2025-38565 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix handling of server side tls alerts Scott Mayhew discovered a security exploit in NFS over TLS in tls_alert_recv() due to its assumption it can read data from the msg iterator's kvec.. kTLS implementation splits TLS non-data record payload between the control message buffer (which includes the type such as TLS aler or TLS cipher change) and the rest of the payload (say TLS alert's level/description) which goes into the msg payload buffer. This patch proposes to rework how control messages are setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed msg buffer and read in the control message such as a TLS alert. Msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tls_alert_recv. | 2025-08-19 | not yet calculated | CVE-2025-38566 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: avoid ref leak in nfsd_open_local_fh() If two calls to nfsd_open_local_fh() race and both successfully call nfsd_file_acquire_local(), they will both get an extra reference to the net to accompany the file reference stored in *pnf. One of them will fail to store (using xchg()) the file reference in *pnf and will drop that reference but WON'T drop the accompanying reference to the net. This leak means that when the nfs server is shut down it will hang in nfsd_shutdown_net() waiting for &nn->nfsd_net_free_done. This patch adds the missing nfsd_net_put(). | 2025-08-19 | not yet calculated | CVE-2025-38567 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing TCA_MQPRIO_TC_ENTRY_INDEX is validated using NLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value TC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack write in the fp[] array, which only has room for 16 elements (0-15). Fix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1. | 2025-08-19 | not yet calculated | CVE-2025-38568 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: benet: fix BUG when creating VFs benet crashes as soon as SRIOV VFs are created: kernel BUG at mm/vmalloc.c:3457! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 4 UID: 0 PID: 7408 Comm: test.sh Kdump: loaded Not tainted 6.16.0+ #1 PREEMPT(voluntary) [...] RIP: 0010:vunmap+0x5f/0x70 [...] Call Trace: <TASK> __iommu_dma_free+0xe8/0x1c0 be_cmd_set_mac_list+0x3fe/0x640 [be2net] be_cmd_set_mac+0xaf/0x110 [be2net] be_vf_eth_addr_config+0x19f/0x330 [be2net] be_vf_setup+0x4f7/0x990 [be2net] be_pci_sriov_configure+0x3a1/0x470 [be2net] sriov_numvfs_store+0x20b/0x380 kernfs_fop_write_iter+0x354/0x530 vfs_write+0x9b9/0xf60 ksys_write+0xf3/0x1d0 do_syscall_64+0x8c/0x3d0 be_cmd_set_mac_list() calls dma_free_coherent() under a spin_lock_bh. Fix it by freeing only after the lock has been released. | 2025-08-19 | not yet calculated | CVE-2025-38569 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: eth: fbnic: unlink NAPIs from queues on error to open CI hit a UaF in fbnic in the AF_XDP portion of the queues.py test. The UaF is in the __sk_mark_napi_id_once() call in xsk_bind(), NAPI has been freed. Looks like the device failed to open earlier, and we lack clearing the NAPI pointer from the queue. | 2025-08-19 | not yet calculated | CVE-2025-38570 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix client side handling of tls alerts A security exploit was discovered in NFS over TLS in tls_alert_recv due to its assumption that there is valid data in the msghdr's iterator's kvec. Instead, this patch proposes the rework how control messages are setup and used by sock_recvmsg(). If no control message structure is setup, kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it would return an error. At that point, NFS can setup a kvec backed control buffer and read in the control message such as a TLS alert. Scott found that a msg iterator can advance the kvec pointer as a part of the copy process thus we need to revert the iterator before calling into the tls_alert_recv. | 2025-08-19 | not yet calculated | CVE-2025-38571 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Modules linked in: CPU: 0 UID: 0 PID: 5871 Comm: syz-executor211 Not tainted 6.16.0-rc6-syzkaller-g7abc678e3084 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:skb_reset_transport_header include/linux/skbuff.h:3032 [inline] RIP: 0010:ipv6_gso_segment+0x15e2/0x21e0 net/ipv6/ip6_offload.c:151 Call Trace: <TASK> skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 nsh_gso_segment+0x54a/0xe10 net/nsh/nsh.c:110 skb_mac_gso_segment+0x31c/0x640 net/core/gso.c:53 __skb_gso_segment+0x342/0x510 net/core/gso.c:124 skb_gso_segment include/net/gso.h:83 [inline] validate_xmit_skb+0x857/0x11b0 net/core/dev.c:3950 validate_xmit_skb_list+0x84/0x120 net/core/dev.c:4000 sch_direct_xmit+0xd3/0x4b0 net/sched/sch_generic.c:329 __dev_xmit_skb net/core/dev.c:4102 [inline] __dev_queue_xmit+0x17b6/0x3a70 net/core/dev.c:4679 | 2025-08-19 | not yet calculated | CVE-2025-38572 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: cs42l43: Property entry should be a null-terminated array The software node does not specify a count of property entries, so the array must be null-terminated. When unterminated, this can lead to a fault in the downstream cs35l56 amplifier driver, because the node parse walks off the end of the array into unknown memory. | 2025-08-19 | not yet calculated | CVE-2025-38573 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pptp: ensure minimal skb length in pptp_xmit() Commit aabc6596ffb3 ("net: ppp: Add bound checking for skb data on ppp_sync_txmung") fixed ppp_sync_txmunge() We need a similar fix in pptp_xmit(), otherwise we might read uninit data as reported by syzbot. BUG: KMSAN: uninit-value in pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 pptp_xmit+0xc34/0x2720 drivers/net/ppp/pptp.c:193 ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2290 [inline] ppp_input+0x1d6/0xe60 drivers/net/ppp/ppp_generic.c:2314 pppoe_rcv_core+0x1e8/0x760 drivers/net/ppp/pppoe.c:379 sk_backlog_rcv+0x142/0x420 include/net/sock.h:1148 __release_sock+0x1d3/0x330 net/core/sock.c:3213 release_sock+0x6b/0x270 net/core/sock.c:3767 pppoe_sendmsg+0x15d/0xcb0 drivers/net/ppp/pppoe.c:904 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:727 ____sys_sendmsg+0x893/0xd80 net/socket.c:2566 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620 __sys_sendmmsg+0x2d9/0x7c0 net/socket.c:2709 | 2025-08-19 | not yet calculated | CVE-2025-38574 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/eeh: Make EEH driver device hotplug safe Multiple race conditions existed between the PCIe hotplug driver and the EEH driver, leading to a variety of kernel oopses of the same general nature: <pcie device unplug> <eeh driver trigger> <hotplug removal trigger> <pcie tree reconfiguration> <eeh recovery next step> <oops in EEH driver bus iteration loop> A second class of oops is also seen when the underlying bus disappears during device recovery. Refactor the EEH module to be PCI rescan and remove safe. Also clean up a few minor formatting / readability issues. | 2025-08-19 | not yet calculated | CVE-2025-38576 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid panic in f2fs_evict_inode As syzbot [1] reported as below: R10: 0000000000000100 R11: 0000000000000206 R12: 00007ffe17473450 R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520 </TASK> ---[ end trace 0000000000000000 ]--- ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 Read of size 8 at addr ffff88812d962278 by task syz-executor/564 CPU: 1 PID: 564 Comm: syz-executor Tainted: G W 6.1.129-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack+0x21/0x24 lib/dump_stack.c:88 dump_stack_lvl+0xee/0x158 lib/dump_stack.c:106 print_address_description+0x71/0x210 mm/kasan/report.c:316 print_report+0x4a/0x60 mm/kasan/report.c:427 kasan_report+0x122/0x150 mm/kasan/report.c:531 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351 __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 __list_del_entry include/linux/list.h:134 [inline] list_del_init include/linux/list.h:206 [inline] f2fs_inode_synced+0xf7/0x2e0 fs/f2fs/super.c:1531 f2fs_update_inode+0x74/0x1c40 fs/f2fs/inode.c:585 f2fs_update_inode_page+0x137/0x170 fs/f2fs/inode.c:703 f2fs_write_inode+0x4ec/0x770 fs/f2fs/inode.c:731 write_inode fs/fs-writeback.c:1460 [inline] __writeback_single_inode+0x4a0/0xab0 fs/fs-writeback.c:1677 writeback_single_inode+0x221/0x8b0 fs/fs-writeback.c:1733 sync_inode_metadata+0xb6/0x110 fs/fs-writeback.c:2789 f2fs_sync_inode_meta+0x16d/0x2a0 fs/f2fs/checkpoint.c:1159 block_operations fs/f2fs/checkpoint.c:1269 [inline] f2fs_write_checkpoint+0xca3/0x2100 fs/f2fs/checkpoint.c:1658 kill_f2fs_super+0x231/0x390 fs/f2fs/super.c:4668 deactivate_locked_super+0x98/0x100 fs/super.c:332 deactivate_super+0xaf/0xe0 fs/super.c:363 cleanup_mnt+0x45f/0x4e0 fs/namespace.c:1186 __cleanup_mnt+0x19/0x20 fs/namespace.c:1193 task_work_run+0x1c6/0x230 kernel/task_work.c:203 exit_task_work include/linux/task_work.h:39 [inline] do_exit+0x9fb/0x2410 kernel/exit.c:871 do_group_exit+0x210/0x2d0 kernel/exit.c:1021 __do_sys_exit_group kernel/exit.c:1032 [inline] __se_sys_exit_group kernel/exit.c:1030 [inline] __x64_sys_exit_group+0x3f/0x40 kernel/exit.c:1030 x64_sys_call+0x7b4/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x4c/0xa0 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 RIP: 0033:0x7f28b1b8e169 Code: Unable to access opcode bytes at 0x7f28b1b8e13f. RSP: 002b:00007ffe174710a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 00007f28b1c10879 RCX: 00007f28b1b8e169 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000001 RBP: 0000000000000002 R08: 00007ffe1746ee47 R09: 00007ffe17472360 R10: 0000000000000009 R11: 0000000000000246 R12: 00007ffe17472360 R13: 00007f28b1c10854 R14: 000000000000dae5 R15: 00007ffe17474520 </TASK> Allocated by task 569: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_alloc_info+0x25/0x30 mm/kasan/generic.c:505 __kasan_slab_alloc+0x72/0x80 mm/kasan/common.c:328 kasan_slab_alloc include/linux/kasan.h:201 [inline] slab_post_alloc_hook+0x4f/0x2c0 mm/slab.h:737 slab_alloc_node mm/slub.c:3398 [inline] slab_alloc mm/slub.c:3406 [inline] __kmem_cache_alloc_lru mm/slub.c:3413 [inline] kmem_cache_alloc_lru+0x104/0x220 mm/slub.c:3429 alloc_inode_sb include/linux/fs.h:3245 [inline] f2fs_alloc_inode+0x2d/0x340 fs/f2fs/super.c:1419 alloc_inode fs/inode.c:261 [inline] iget_locked+0x186/0x880 fs/inode.c:1373 f2fs_iget+0x55/0x4c60 fs/f2fs/inode.c:483 f2fs_lookup+0x366/0xab0 fs/f2fs/namei.c:487 __lookup_slow+0x2a3/0x3d0 fs/namei.c:1690 lookup_slow+0x57/0x70 fs/namei.c:1707 walk_component+0x2e6/0x410 fs/namei ---truncated--- | 2025-08-19 | not yet calculated | CVE-2025-38577 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid UAF in f2fs_sync_inode_meta() syzbot reported an UAF issue as below: [1] [2] [1] https://syzkaller.appspot.com/text?tag=CrashReport&x=16594c60580000 ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 Read of size 8 at addr ffff888100567dc8 by task kworker/u4:0/8 CPU: 1 PID: 8 Comm: kworker/u4:0 Tainted: G W 6.1.129-syzkaller-00017-g642656a36791 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Workqueue: writeback wb_workfn (flush-7:0) Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x151/0x1b7 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:316 [inline] print_report+0x158/0x4e0 mm/kasan/report.c:427 kasan_report+0x13c/0x170 mm/kasan/report.c:531 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report_generic.c:351 __list_del_entry_valid+0xa6/0x130 lib/list_debug.c:62 __list_del_entry include/linux/list.h:134 [inline] list_del_init include/linux/list.h:206 [inline] f2fs_inode_synced+0x100/0x2e0 fs/f2fs/super.c:1553 f2fs_update_inode+0x72/0x1c40 fs/f2fs/inode.c:588 f2fs_update_inode_page+0x135/0x170 fs/f2fs/inode.c:706 f2fs_write_inode+0x416/0x790 fs/f2fs/inode.c:734 write_inode fs/fs-writeback.c:1460 [inline] __writeback_single_inode+0x4cf/0xb80 fs/fs-writeback.c:1677 writeback_sb_inodes+0xb32/0x1910 fs/fs-writeback.c:1903 __writeback_inodes_wb+0x118/0x3f0 fs/fs-writeback.c:1974 wb_writeback+0x3da/0xa00 fs/fs-writeback.c:2081 wb_check_background_flush fs/fs-writeback.c:2151 [inline] wb_do_writeback fs/fs-writeback.c:2239 [inline] wb_workfn+0xbba/0x1030 fs/fs-writeback.c:2266 process_one_work+0x73d/0xcb0 kernel/workqueue.c:2299 worker_thread+0xa60/0x1260 kernel/workqueue.c:2446 kthread+0x26d/0x300 kernel/kthread.c:386 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 </TASK> Allocated by task 298: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_alloc_info+0x1f/0x30 mm/kasan/generic.c:505 __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:333 kasan_slab_alloc include/linux/kasan.h:202 [inline] slab_post_alloc_hook+0x53/0x2c0 mm/slab.h:768 slab_alloc_node mm/slub.c:3421 [inline] slab_alloc mm/slub.c:3431 [inline] __kmem_cache_alloc_lru mm/slub.c:3438 [inline] kmem_cache_alloc_lru+0x102/0x270 mm/slub.c:3454 alloc_inode_sb include/linux/fs.h:3255 [inline] f2fs_alloc_inode+0x2d/0x350 fs/f2fs/super.c:1437 alloc_inode fs/inode.c:261 [inline] iget_locked+0x18c/0x7e0 fs/inode.c:1373 f2fs_iget+0x55/0x4ca0 fs/f2fs/inode.c:486 f2fs_lookup+0x3c1/0xb50 fs/f2fs/namei.c:484 __lookup_slow+0x2b9/0x3e0 fs/namei.c:1689 lookup_slow+0x5a/0x80 fs/namei.c:1706 walk_component+0x2e7/0x410 fs/namei.c:1997 lookup_last fs/namei.c:2454 [inline] path_lookupat+0x16d/0x450 fs/namei.c:2478 filename_lookup+0x251/0x600 fs/namei.c:2507 vfs_statx+0x107/0x4b0 fs/stat.c:229 vfs_fstatat fs/stat.c:267 [inline] vfs_lstat include/linux/fs.h:3434 [inline] __do_sys_newlstat fs/stat.c:423 [inline] __se_sys_newlstat+0xda/0x7c0 fs/stat.c:417 __x64_sys_newlstat+0x5b/0x70 fs/stat.c:417 x64_sys_call+0x52/0x9a0 arch/x86/include/generated/asm/syscalls_64.h:7 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x3b/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x68/0xd2 Freed by task 0: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4b/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:516 ____kasan_slab_free+0x131/0x180 mm/kasan/common.c:241 __kasan_slab_free+0x11/0x20 mm/kasan/common.c:249 kasan_slab_free include/linux/kasan.h:178 [inline] slab_free_hook mm/slub.c:1745 [inline] slab_free_freelist_hook mm/slub.c:1771 [inline] slab_free mm/slub.c:3686 [inline] kmem_cache_free+0x ---truncated--- | 2025-08-19 | not yet calculated | CVE-2025-38578 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix KMSAN uninit-value in extent_info usage KMSAN reported a use of uninitialized value in `__is_extent_mergeable()` and `__is_back_mergeable()` via the read extent tree path. The root cause is that `get_read_extent_info()` only initializes three fields (`fofs`, `blk`, `len`) of `struct extent_info`, leaving the remaining fields uninitialized. This leads to undefined behavior when those fields are accessed later, especially during extent merging. Fix it by zero-initializing the `extent_info` struct before population. | 2025-08-19 | not yet calculated | CVE-2025-38579 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix inode use after free in ext4_end_io_rsv_work() In ext4_io_end_defer_completion(), check if io_end->list_vec is empty to avoid adding an io_end that requires no conversion to the i_rsv_conversion_list, which in turn prevents starting an unnecessary worker. An ext4_emergency_state() check is also added to avoid attempting to abort the journal in an emergency state. Additionally, ext4_put_io_end_defer() is refactored to call ext4_io_end_defer_completion() directly instead of being open-coded. This also prevents starting an unnecessary worker when EXT4_IO_END_FAILED is set but data_err=abort is not enabled. This ensures that the check in ext4_put_io_end_defer() is consistent with the check in ext4_end_bio(). Otherwise, we might add an io_end to the i_rsv_conversion_list and then call ext4_finish_bio(), after which the inode could be freed before ext4_end_io_rsv_work() is called, triggering a use-after-free issue. | 2025-08-19 | not yet calculated | CVE-2025-38580 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix crash when rebind ccp device for ccp.ko When CONFIG_CRYPTO_DEV_CCP_DEBUGFS is enabled, rebinding the ccp device causes the following crash: $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/unbind $ echo '0000:0a:00.2' > /sys/bus/pci/drivers/ccp/bind [ 204.976930] BUG: kernel NULL pointer dereference, address: 0000000000000098 [ 204.978026] #PF: supervisor write access in kernel mode [ 204.979126] #PF: error_code(0x0002) - not-present page [ 204.980226] PGD 0 P4D 0 [ 204.981317] Oops: Oops: 0002 [#1] SMP NOPTI ... [ 204.997852] Call Trace: [ 204.999074] <TASK> [ 205.000297] start_creating+0x9f/0x1c0 [ 205.001533] debugfs_create_dir+0x1f/0x170 [ 205.002769] ? srso_return_thunk+0x5/0x5f [ 205.004000] ccp5_debugfs_setup+0x87/0x170 [ccp] [ 205.005241] ccp5_init+0x8b2/0x960 [ccp] [ 205.006469] ccp_dev_init+0xd4/0x150 [ccp] [ 205.007709] sp_init+0x5f/0x80 [ccp] [ 205.008942] sp_pci_probe+0x283/0x2e0 [ccp] [ 205.010165] ? srso_return_thunk+0x5/0x5f [ 205.011376] local_pci_probe+0x4f/0xb0 [ 205.012584] pci_device_probe+0xdb/0x230 [ 205.013810] really_probe+0xed/0x380 [ 205.015024] __driver_probe_device+0x7e/0x160 [ 205.016240] device_driver_attach+0x2f/0x60 [ 205.017457] bind_store+0x7c/0xb0 [ 205.018663] drv_attr_store+0x28/0x40 [ 205.019868] sysfs_kf_write+0x5f/0x70 [ 205.021065] kernfs_fop_write_iter+0x145/0x1d0 [ 205.022267] vfs_write+0x308/0x440 [ 205.023453] ksys_write+0x6d/0xe0 [ 205.024616] __x64_sys_write+0x1e/0x30 [ 205.025778] x64_sys_call+0x16ba/0x2150 [ 205.026942] do_syscall_64+0x56/0x1e0 [ 205.028108] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 205.029276] RIP: 0033:0x7fbc36f10104 [ 205.030420] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 8d 05 e1 08 2e 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 f3 c3 66 90 41 54 55 49 89 d4 53 48 89 f5 This patch sets ccp_debugfs_dir to NULL after destroying it in ccp5_debugfs_destroy, allowing the directory dentry to be recreated when rebinding the ccp device. Tested on AMD Ryzen 7 1700X. | 2025-08-19 | not yet calculated | CVE-2025-38581 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix double destruction of rsv_qp rsv_qp may be double destroyed in error flow, first in free_mr_init(), and then in hns_roce_exit(). Fix it by moving the free_mr_init() call into hns_roce_v2_init(). list_del corruption, ffff589732eb9b50->next is LIST_POISON1 (dead000000000100) WARNING: CPU: 8 PID: 1047115 at lib/list_debug.c:53 __list_del_entry_valid+0x148/0x240 ... Call trace: __list_del_entry_valid+0x148/0x240 hns_roce_qp_remove+0x4c/0x3f0 [hns_roce_hw_v2] hns_roce_v2_destroy_qp_common+0x1dc/0x5f4 [hns_roce_hw_v2] hns_roce_v2_destroy_qp+0x22c/0x46c [hns_roce_hw_v2] free_mr_exit+0x6c/0x120 [hns_roce_hw_v2] hns_roce_v2_exit+0x170/0x200 [hns_roce_hw_v2] hns_roce_exit+0x118/0x350 [hns_roce_hw_v2] __hns_roce_hw_v2_init_instance+0x1c8/0x304 [hns_roce_hw_v2] hns_roce_hw_v2_reset_notify_init+0x170/0x21c [hns_roce_hw_v2] hns_roce_hw_v2_reset_notify+0x6c/0x190 [hns_roce_hw_v2] hclge_notify_roce_client+0x6c/0x160 [hclge] hclge_reset_rebuild+0x150/0x5c0 [hclge] hclge_reset+0x10c/0x140 [hclge] hclge_reset_subtask+0x80/0x104 [hclge] hclge_reset_service_task+0x168/0x3ac [hclge] hclge_service_task+0x50/0x100 [hclge] process_one_work+0x250/0x9a0 worker_thread+0x324/0x990 kthread+0x190/0x210 ret_from_fork+0x10/0x18 | 2025-08-19 | not yet calculated | CVE-2025-38582 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: xilinx: vcu: unregister pll_post only if registered correctly If registration of pll_post is failed, it will be set to NULL or ERR, unregistering same will fail with following call trace: Unable to handle kernel NULL pointer dereference at virtual address 008 pc : clk_hw_unregister+0xc/0x20 lr : clk_hw_unregister_fixed_factor+0x18/0x30 sp : ffff800011923850 ... Call trace: clk_hw_unregister+0xc/0x20 clk_hw_unregister_fixed_factor+0x18/0x30 xvcu_unregister_clock_provider+0xcc/0xf4 [xlnx_vcu] xvcu_probe+0x2bc/0x53c [xlnx_vcu] | 2025-08-19 | not yet calculated | CVE-2025-38583 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: padata: Fix pd UAF once and for all There is a race condition/UAF in padata_reorder that goes back to the initial commit. A reference count is taken at the start of the process in padata_do_parallel, and released at the end in padata_serial_worker. This reference count is (and only is) required for padata_replace to function correctly. If padata_replace is never called then there is no issue. In the function padata_reorder which serves as the core of padata, as soon as padata is added to queue->serial.list, and the associated spin lock released, that padata may be processed and the reference count on pd would go away. Fix this by getting the next padata before the squeue->serial lock is released. In order to make this possible, simplify padata_reorder by only calling it once the next padata arrives. | 2025-08-19 | not yet calculated | CVE-2025-38584 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() When gmin_get_config_var() calls efi.get_variable() and the EFI variable is larger than the expected buffer size, two behaviors combine to create a stack buffer overflow: 1. gmin_get_config_var() does not return the proper error code when efi.get_variable() fails. It returns the stale 'ret' value from earlier operations instead of indicating the EFI failure. 2. When efi.get_variable() returns EFI_BUFFER_TOO_SMALL, it updates *out_len to the required buffer size but writes no data to the output buffer. However, due to bug #1, gmin_get_var_int() believes the call succeeded. The caller gmin_get_var_int() then performs: - Allocates val[CFG_VAR_NAME_MAX + 1] (65 bytes) on stack - Calls gmin_get_config_var(dev, is_gmin, var, val, &len) with len=64 - If EFI variable is >64 bytes, efi.get_variable() sets len=required_size - Due to bug #1, thinks call succeeded with len=required_size - Executes val[len] = 0, writing past end of 65-byte stack buffer This creates a stack buffer overflow when EFI variables are larger than 64 bytes. Since EFI variables can be controlled by firmware or system configuration, this could potentially be exploited for code execution. Fix the bug by returning proper error codes from gmin_get_config_var() based on EFI status instead of stale 'ret' value. The gmin_get_var_int() function is called during device initialization for camera sensor configuration on Intel Bay Trail and Cherry Trail platforms using the atomisp camera stack. | 2025-08-19 | not yet calculated | CVE-2025-38585 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fix fp initialization for exception boundary In the ARM64 BPF JIT when prog->aux->exception_boundary is set for a BPF program, find_used_callee_regs() is not called because for a program acting as exception boundary, all callee saved registers are saved. find_used_callee_regs() sets `ctx->fp_used = true;` when it sees FP being used in any of the instructions. For programs acting as exception boundary, ctx->fp_used remains false even if frame pointer is used by the program and therefore, FP is not set-up for such programs in the prologue. This can cause the kernel to crash due to a pagefault. Fix it by setting ctx->fp_used = true for exception boundary programs as fp is always saved in such programs. | 2025-08-19 | not yet calculated | CVE-2025-38586 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible infinite loop in fib6_info_uses_dev() fib6_info_uses_dev() seems to rely on RCU without an explicit protection. Like the prior fix in rt6_nlmsg_size(), we need to make sure fib6_del_route() or fib6_add_rt2node() have not removed the anchor from the list, or we risk an infinite loop. | 2025-08-19 | not yet calculated | CVE-2025-38587 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent infinite loop in rt6_nlmsg_size() While testing prior patch, I was able to trigger an infinite loop in rt6_nlmsg_size() in the following place: list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, fib6_siblings) { rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); } This is because fib6_del_route() and fib6_add_rt2node() uses list_del_rcu(), which can confuse rcu readers, because they might no longer see the head of the list. Restart the loop if f6i->fib6_nsiblings is zero. | 2025-08-19 | not yet calculated | CVE-2025-38588 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: neighbour: Fix null-ptr-deref in neigh_flush_dev(). kernel test robot reported null-ptr-deref in neigh_flush_dev(). [0] The cited commit introduced per-netdev neighbour list and converted neigh_flush_dev() to use it instead of the global hash table. One thing we missed is that neigh_table_clear() calls neigh_ifdown() with NULL dev. Let's restore the hash table iteration. Note that IPv6 module is no longer unloadable, so neigh_table_clear() is called only when IPv6 fails to initialise, which is unlikely to happen. [0]: IPv6: Attempt to unregister permanent protocol 136 IPv6: Attempt to unregister permanent protocol 17 Oops: general protection fault, probably for non-canonical address 0xdffffc00000001a0: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000d00-0x0000000000000d07] CPU: 1 UID: 0 PID: 1 Comm: systemd Tainted: G T 6.12.0-rc6-01246-gf7f52738637f #1 Tainted: [T]=RANDSTRUCT Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:neigh_flush_dev.llvm.6395807810224103582+0x52/0x570 Code: c1 e8 03 42 8a 04 38 84 c0 0f 85 15 05 00 00 31 c0 41 83 3e 0a 0f 94 c0 48 8d 1c c3 48 81 c3 f8 0c 00 00 48 89 d8 48 c1 e8 03 <42> 80 3c 38 00 74 08 48 89 df e8 f7 49 93 fe 4c 8b 3b 4d 85 ff 0f RSP: 0000:ffff88810026f408 EFLAGS: 00010206 RAX: 00000000000001a0 RBX: 0000000000000d00 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffc0631640 RBP: ffff88810026f470 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffffffffc0625250 R14: ffffffffc0631640 R15: dffffc0000000000 FS: 00007f575cb83940(0000) GS:ffff8883aee00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f575db40008 CR3: 00000002bf936000 CR4: 00000000000406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __neigh_ifdown.llvm.6395807810224103582+0x44/0x390 neigh_table_clear+0xb1/0x268 ndisc_cleanup+0x21/0x38 [ipv6] init_module+0x2f5/0x468 [ipv6] do_one_initcall+0x1ba/0x628 do_init_module+0x21a/0x530 load_module+0x2550/0x2ea0 __se_sys_finit_module+0x3d2/0x620 __x64_sys_finit_module+0x76/0x88 x64_sys_call+0x7ff/0xde8 do_syscall_64+0xfb/0x1e8 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f575d6f2719 Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b7 06 0d 00 f7 d8 64 89 01 48 RSP: 002b:00007fff82a2a268 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 0000557827b45310 RCX: 00007f575d6f2719 RDX: 0000000000000000 RSI: 00007f575d584efd RDI: 0000000000000004 RBP: 00007f575d584efd R08: 0000000000000000 R09: 0000557827b47b00 R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000020000 R13: 0000000000000000 R14: 0000557827b470e0 R15: 00007f575dbb4270 </TASK> Modules linked in: ipv6(+) | 2025-08-19 | not yet calculated | CVE-2025-38589 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Remove skb secpath if xfrm state is not found Hardware returns a unique identifier for a decrypted packet's xfrm state, this state is looked up in an xarray. However, the state might have been freed by the time of this lookup. Currently, if the state is not found, only a counter is incremented. The secpath (sp) extension on the skb is not removed, resulting in sp->len becoming 0. Subsequently, functions like __xfrm_policy_check() attempt to access fields such as xfrm_input_state(skb)->xso.type (which dereferences sp->xvec[sp->len - 1]) without first validating sp->len. This leads to a crash when dereferencing an invalid state pointer. This patch prevents the crash by explicitly removing the secpath extension from the skb if the xfrm state is not found after hardware decryption. This ensures downstream functions do not operate on a zero-length secpath. BUG: unable to handle page fault for address: ffffffff000002c8 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 282e067 P4D 282e067 PUD 0 Oops: Oops: 0000 [#1] SMP CPU: 12 UID: 0 PID: 0 Comm: swapper/12 Not tainted 6.15.0-rc7_for_upstream_min_debug_2025_05_27_22_44 #1 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:__xfrm_policy_check+0x61a/0xa30 Code: b6 77 7f 83 e6 02 74 14 4d 8b af d8 00 00 00 41 0f b6 45 05 c1 e0 03 48 98 49 01 c5 41 8b 45 00 83 e8 01 48 98 49 8b 44 c5 10 <0f> b6 80 c8 02 00 00 83 e0 0c 3c 04 0f 84 0c 02 00 00 31 ff 80 fa RSP: 0018:ffff88885fb04918 EFLAGS: 00010297 RAX: ffffffff00000000 RBX: 0000000000000002 RCX: 0000000000000000 RDX: 0000000000000002 RSI: 0000000000000002 RDI: 0000000000000000 RBP: ffffffff8311af80 R08: 0000000000000020 R09: 00000000c2eda353 R10: ffff88812be2bbc8 R11: 000000001faab533 R12: ffff88885fb049c8 R13: ffff88812be2bbc8 R14: 0000000000000000 R15: ffff88811896ae00 FS: 0000000000000000(0000) GS:ffff8888dca82000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffff000002c8 CR3: 0000000243050002 CR4: 0000000000372eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> ? try_to_wake_up+0x108/0x4c0 ? udp4_lib_lookup2+0xbe/0x150 ? udp_lib_lport_inuse+0x100/0x100 ? __udp4_lib_lookup+0x2b0/0x410 __xfrm_policy_check2.constprop.0+0x11e/0x130 udp_queue_rcv_one_skb+0x1d/0x530 udp_unicast_rcv_skb+0x76/0x90 __udp4_lib_rcv+0xa64/0xe90 ip_protocol_deliver_rcu+0x20/0x130 ip_local_deliver_finish+0x75/0xa0 ip_local_deliver+0xc1/0xd0 ? ip_protocol_deliver_rcu+0x130/0x130 ip_sublist_rcv+0x1f9/0x240 ? ip_rcv_finish_core+0x430/0x430 ip_list_rcv+0xfc/0x130 __netif_receive_skb_list_core+0x181/0x1e0 netif_receive_skb_list_internal+0x200/0x360 ? mlx5e_build_rx_skb+0x1bc/0xda0 [mlx5_core] gro_receive_skb+0xfd/0x210 mlx5e_handle_rx_cqe_mpwrq+0x141/0x280 [mlx5_core] mlx5e_poll_rx_cq+0xcc/0x8e0 [mlx5_core] ? mlx5e_handle_rx_dim+0x91/0xd0 [mlx5_core] mlx5e_napi_poll+0x114/0xab0 [mlx5_core] __napi_poll+0x25/0x170 net_rx_action+0x32d/0x3a0 ? mlx5_eq_comp_int+0x8d/0x280 [mlx5_core] ? notifier_call_chain+0x33/0xa0 handle_softirqs+0xda/0x250 irq_exit_rcu+0x6d/0xc0 common_interrupt+0x81/0xa0 </IRQ> | 2025-08-19 | not yet calculated | CVE-2025-38590 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buff. This access is detected as a narrower read in bpf_skb_is_valid_access because it doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed and later proceeds to bpf_convert_ctx_access. Note that for the "is_narrower_load" case in the convert_ctx_accesses(), the insn->off is aligned, so the cnt may not be 0 because it matches the offsetof(struct __sk_buff, sk) in the bpf_convert_ctx_access. However, the target_size stays 0 and the verifier errors with a kernel warning: verifier bug: error during ctx access conversion(1) This patch fixes that to return a proper "invalid bpf_context access off=X size=Y" error on the load instruction. The same issue affects multiple other fields in context structures that allow narrow access. Some other non-affected fields (for sk_msg, sk_lookup, and sockopt) were also changed to use bpf_ctx_range_ptr for consistency. Note this syzkaller crash was reported in the "Closes" link below, which used to be about a different bug, fixed in commit fce7bd8e385a ("bpf/verifier: Handle BPF_LOAD_ACQ instructions in insn_def_regno()"). Because syzbot somehow confused the two bugs, the new crash and repro didn't get reported to the mailing list. | 2025-08-19 | not yet calculated | CVE-2025-38591 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv Currently both dev_coredumpv and skb_put_data in hci_devcd_dump use hdev->dump.head. However, dev_coredumpv can free the buffer. From dev_coredumpm_timeout documentation, which is used by dev_coredumpv: > Creates a new device coredump for the given device. If a previous one hasn't > been read yet, the new coredump is discarded. The data lifetime is determined > by the device coredump framework and when it is no longer needed the @free > function will be called to free the data. If the data has not been read by the userspace yet, dev_coredumpv will discard new buffer, freeing hdev->dump.head. This leads to vmalloc-out-of-bounds error when skb_put_data tries to access hdev->dump.head. A crash report from syzbot illustrates this: ================================================================== BUG: KASAN: vmalloc-out-of-bounds in skb_put_data include/linux/skbuff.h:2752 [inline] BUG: KASAN: vmalloc-out-of-bounds in hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258 Read of size 140 at addr ffffc90004ed5000 by task kworker/u9:2/5844 CPU: 1 UID: 0 PID: 5844 Comm: kworker/u9:2 Not tainted 6.14.0-syzkaller-10892-g4e82c87058f4 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Workqueue: hci0 hci_devcd_timeout Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 __asan_memcpy+0x23/0x60 mm/kasan/shadow.c:105 skb_put_data include/linux/skbuff.h:2752 [inline] hci_devcd_dump+0x142/0x240 net/bluetooth/coredump.c:258 hci_devcd_timeout+0xb5/0x2e0 net/bluetooth/coredump.c:413 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> The buggy address ffffc90004ed5000 belongs to a vmalloc virtual mapping Memory state around the buggy address: ffffc90004ed4f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc90004ed4f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 >ffffc90004ed5000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ ffffc90004ed5080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ffffc90004ed5100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ================================================================== To avoid this issue, reorder dev_coredumpv to be called after skb_put_data that does not free the data. | 2025-08-19 | not yet calculated | CVE-2025-38592 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()' Function 'hci_discovery_filter_clear()' frees 'uuids' array and then sets it to NULL. There is a tiny chance of the following race: 'hci_cmd_sync_work()' 'update_passive_scan_sync()' 'hci_update_passive_scan_sync()' 'hci_discovery_filter_clear()' kfree(uuids); <-------------------------preempted--------------------------------> 'start_service_discovery()' 'hci_discovery_filter_clear()' kfree(uuids); // DOUBLE FREE <-------------------------preempted--------------------------------> uuids = NULL; To fix it let's add locking around 'kfree()' call and NULL pointer assignment. Otherwise the following backtrace fires: [ ] ------------[ cut here ]------------ [ ] kernel BUG at mm/slub.c:547! [ ] Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [ ] CPU: 3 UID: 0 PID: 246 Comm: bluetoothd Tainted: G O 6.12.19-kernel #1 [ ] Tainted: [O]=OOT_MODULE [ ] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ ] pc : __slab_free+0xf8/0x348 [ ] lr : __slab_free+0x48/0x348 ... [ ] Call trace: [ ] __slab_free+0xf8/0x348 [ ] kfree+0x164/0x27c [ ] start_service_discovery+0x1d0/0x2c0 [ ] hci_sock_sendmsg+0x518/0x924 [ ] __sock_sendmsg+0x54/0x60 [ ] sock_write_iter+0x98/0xf8 [ ] do_iter_readv_writev+0xe4/0x1c8 [ ] vfs_writev+0x128/0x2b0 [ ] do_writev+0xfc/0x118 [ ] __arm64_sys_writev+0x20/0x2c [ ] invoke_syscall+0x68/0xf0 [ ] el0_svc_common.constprop.0+0x40/0xe0 [ ] do_el0_svc+0x1c/0x28 [ ] el0_svc+0x30/0xd0 [ ] el0t_64_sync_handler+0x100/0x12c [ ] el0t_64_sync+0x194/0x198 [ ] Code: 8b0002e6 eb17031f 54fffbe1 d503201f (d4210000) [ ] ---[ end trace 0000000000000000 ]--- | 2025-08-19 | not yet calculated | CVE-2025-38593 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix UAF on sva unbind with pending IOPFs Commit 17fce9d2336d ("iommu/vt-d: Put iopf enablement in domain attach path") disables IOPF on device by removing the device from its IOMMU's IOPF queue when the last IOPF-capable domain is detached from the device. Unfortunately, it did this in a wrong place where there are still pending IOPFs. As a result, a use-after-free error is potentially triggered and eventually a kernel panic with a kernel trace similar to the following: refcount_t: underflow; use-after-free. WARNING: CPU: 3 PID: 313 at lib/refcount.c:28 refcount_warn_saturate+0xd8/0xe0 Workqueue: iopf_queue/dmar0-iopfq iommu_sva_handle_iopf Call Trace: <TASK> iopf_free_group+0xe/0x20 process_one_work+0x197/0x3d0 worker_thread+0x23a/0x350 ? rescuer_thread+0x4a0/0x4a0 kthread+0xf8/0x230 ? finish_task_switch.isra.0+0x81/0x260 ? kthreads_online_cpu+0x110/0x110 ? kthreads_online_cpu+0x110/0x110 ret_from_fork+0x13b/0x170 ? kthreads_online_cpu+0x110/0x110 ret_from_fork_asm+0x11/0x20 </TASK> ---[ end trace 0000000000000000 ]--- The intel_pasid_tear_down_entry() function is responsible for blocking hardware from generating new page faults and flushing all in-flight ones. Therefore, moving iopf_for_domain_remove() after this function should resolve this. | 2025-08-19 | not yet calculated | CVE-2025-38594 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xen: fix UAF in dmabuf_exp_from_pages() [dma_buf_fd() fixes; no preferences regarding the tree it goes through - up to xen folks] As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's fine for the case when all we are doing is returning that descriptor to userland (it's a race, but it's a userland race and there's nothing the kernel can do about it). However, if we follow fd_install() with any kind of access to objects that would be destroyed on close (be it the struct file itself or anything destroyed by its ->release()), we have a UAF. dma_buf_fd() is a combination of reserving a descriptor and fd_install(). gntdev dmabuf_exp_from_pages() calls it and then proceeds to access the objects destroyed on close - starting with gntdev_dmabuf itself. Fix that by doing reserving descriptor before anything else and do fd_install() only when everything had been set up. | 2025-08-19 | not yet calculated | CVE-2025-38595 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code The object is potentially already gone after the drm_gem_object_put(). In general the object should be fully constructed before calling drm_gem_handle_create(), except the debugfs tracking uses a separate lock and list and separate flag to denotate whether the object is actually initialized. Since I'm touching this all anyway simplify this by only adding the object to the debugfs when it's ready for that, which allows us to delete that separate flag. panthor_gem_debugfs_bo_rm() already checks whether we've actually been added to the list or this is some error path cleanup. v2: Fix build issues for !CONFIG_DEBUGFS (Adrián) v3: Add linebreak and remove outdated comment (Liviu) | 2025-08-19 | not yet calculated | CVE-2025-38596 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port Each window of a vop2 is usable by a specific set of video ports, so while binding the vop2, we look through the list of available windows trying to find one designated as primary-plane and usable by that specific port. The code later wants to use drm_crtc_init_with_planes with that found primary plane, but nothing has checked so far if a primary plane was actually found. For whatever reason, the rk3576 vp2 does not have a usable primary window (if vp0 is also in use) which brought the issue to light and ended in a null-pointer dereference further down. As we expect a primary-plane to exist for a video-port, add a check at the end of the window-iteration and fail probing if none was found. | 2025-08-19 | not yet calculated | CVE-2025-38597 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix use-after-free in amdgpu_userq_suspend+0x51a/0x5a0 [ +0.000020] BUG: KASAN: slab-use-after-free in amdgpu_userq_suspend+0x51a/0x5a0 [amdgpu] [ +0.000817] Read of size 8 at addr ffff88812eec8c58 by task amd_pci_unplug/1733 [ +0.000027] CPU: 10 UID: 0 PID: 1733 Comm: amd_pci_unplug Tainted: G W 6.14.0+ #2 [ +0.000009] Tainted: [W]=WARN [ +0.000003] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [ +0.000004] Call Trace: [ +0.000004] <TASK> [ +0.000003] dump_stack_lvl+0x76/0xa0 [ +0.000011] print_report+0xce/0x600 [ +0.000009] ? srso_return_thunk+0x5/0x5f [ +0.000006] ? kasan_complete_mode_report_info+0x76/0x200 [ +0.000007] ? kasan_addr_to_slab+0xd/0xb0 [ +0.000006] ? amdgpu_userq_suspend+0x51a/0x5a0 [amdgpu] [ +0.000707] kasan_report+0xbe/0x110 [ +0.000006] ? amdgpu_userq_suspend+0x51a/0x5a0 [amdgpu] [ +0.000541] __asan_report_load8_noabort+0x14/0x30 [ +0.000005] amdgpu_userq_suspend+0x51a/0x5a0 [amdgpu] [ +0.000535] ? stop_cpsch+0x396/0x600 [amdgpu] [ +0.000556] ? stop_cpsch+0x429/0x600 [amdgpu] [ +0.000536] ? __pfx_amdgpu_userq_suspend+0x10/0x10 [amdgpu] [ +0.000536] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? kgd2kfd_suspend+0x132/0x1d0 [amdgpu] [ +0.000542] amdgpu_device_fini_hw+0x581/0xe90 [amdgpu] [ +0.000485] ? down_write+0xbb/0x140 [ +0.000007] ? __mutex_unlock_slowpath.constprop.0+0x317/0x360 [ +0.000005] ? __pfx_amdgpu_device_fini_hw+0x10/0x10 [amdgpu] [ +0.000482] ? __kasan_check_write+0x14/0x30 [ +0.000004] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? up_write+0x55/0xb0 [ +0.000007] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? blocking_notifier_chain_unregister+0x6c/0xc0 [ +0.000008] amdgpu_driver_unload_kms+0x69/0x90 [amdgpu] [ +0.000484] amdgpu_pci_remove+0x93/0x130 [amdgpu] [ +0.000482] pci_device_remove+0xae/0x1e0 [ +0.000008] device_remove+0xc7/0x180 [ +0.000008] device_release_driver_internal+0x3d4/0x5a0 [ +0.000007] device_release_driver+0x12/0x20 [ +0.000004] pci_stop_bus_device+0x104/0x150 [ +0.000006] pci_stop_and_remove_bus_device_locked+0x1b/0x40 [ +0.000005] remove_store+0xd7/0xf0 [ +0.000005] ? __pfx_remove_store+0x10/0x10 [ +0.000006] ? __pfx__copy_from_iter+0x10/0x10 [ +0.000006] ? __pfx_dev_attr_store+0x10/0x10 [ +0.000006] dev_attr_store+0x3f/0x80 [ +0.000006] sysfs_kf_write+0x125/0x1d0 [ +0.000004] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? __kasan_check_write+0x14/0x30 [ +0.000005] kernfs_fop_write_iter+0x2ea/0x490 [ +0.000005] ? rw_verify_area+0x70/0x420 [ +0.000005] ? __pfx_kernfs_fop_write_iter+0x10/0x10 [ +0.000006] vfs_write+0x90d/0xe70 [ +0.000005] ? srso_return_thunk+0x5/0x5f [ +0.000005] ? __pfx_vfs_write+0x10/0x10 [ +0.000004] ? local_clock+0x15/0x30 [ +0.000008] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? __kasan_slab_free+0x5f/0x80 [ +0.000005] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? __kasan_check_read+0x11/0x20 [ +0.000004] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? fdget_pos+0x1d3/0x500 [ +0.000007] ksys_write+0x119/0x220 [ +0.000005] ? putname+0x1c/0x30 [ +0.000006] ? __pfx_ksys_write+0x10/0x10 [ +0.000007] __x64_sys_write+0x72/0xc0 [ +0.000006] x64_sys_call+0x18ab/0x26f0 [ +0.000006] do_syscall_64+0x7c/0x170 [ +0.000004] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? __pfx___x64_sys_openat+0x10/0x10 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? __kasan_check_read+0x11/0x20 [ +0.000003] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? fpregs_assert_state_consistent+0x21/0xb0 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? syscall_exit_to_user_mode+0x4e/0x240 [ +0.000005] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? do_syscall_64+0x88/0x170 [ +0.000003] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? irqentry_exit+0x43/0x50 [ +0.000004] ? srso_return_thunk+0x5 ---truncated--- | 2025-08-19 | not yet calculated | CVE-2025-38598 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: Fix possible OOB access in mt7996_tx() Fis possible Out-Of-Boundary access in mt7996_tx routine if link_id is set to IEEE80211_LINK_UNSPECIFIED | 2025-08-19 | not yet calculated | CVE-2025-38599 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: fix off by one in mt7925_mcu_hw_scan() The ssid->ssids[] and sreq->ssids[] arrays have MT7925_RNR_SCAN_MAX_BSSIDS elements so this >= needs to be > to prevent an out of bounds access. | 2025-08-19 | not yet calculated | CVE-2025-38600 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: clear initialized flag for deinit-ed srng lists In a number of cases we see kernel panics on resume due to ath11k kernel page fault, which happens under the following circumstances: 1) First ath11k_hal_dump_srng_stats() call Last interrupt received for each group: ath11k_pci 0000:01:00.0: group_id 0 22511ms before ath11k_pci 0000:01:00.0: group_id 1 14440788ms before [..] ath11k_pci 0000:01:00.0: failed to receive control response completion, polling.. ath11k_pci 0000:01:00.0: Service connect timeout ath11k_pci 0000:01:00.0: failed to connect to HTT: -110 ath11k_pci 0000:01:00.0: failed to start core: -110 ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM ath11k_pci 0000:01:00.0: already resetting count 2 ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110 ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110 ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery [..] 2) At this point reconfiguration fails (we have 2 resets) and ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit() which destroys srng lists. However, it does not reset per-list ->initialized flag. 3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized flag and attempts to dump srng stats: Last interrupt received for each group: ath11k_pci 0000:01:00.0: group_id 0 66785ms before ath11k_pci 0000:01:00.0: group_id 1 14485062ms before ath11k_pci 0000:01:00.0: group_id 2 14485062ms before ath11k_pci 0000:01:00.0: group_id 3 14485062ms before ath11k_pci 0000:01:00.0: group_id 4 14780845ms before ath11k_pci 0000:01:00.0: group_id 5 14780845ms before ath11k_pci 0000:01:00.0: group_id 6 14485062ms before ath11k_pci 0000:01:00.0: group_id 7 66814ms before ath11k_pci 0000:01:00.0: group_id 8 68997ms before ath11k_pci 0000:01:00.0: group_id 9 67588ms before ath11k_pci 0000:01:00.0: group_id 10 69511ms before BUG: unable to handle page fault for address: ffffa007404eb010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k] Call Trace: <TASK> ? __die_body+0xae/0xb0 ? page_fault_oops+0x381/0x3e0 ? exc_page_fault+0x69/0xa0 ? asm_exc_page_fault+0x22/0x30 ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)] ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)] worker_thread+0x389/0x930 kthread+0x149/0x170 Clear per-list ->initialized flag in ath11k_hal_srng_deinit(). | 2025-08-19 | not yet calculated | CVE-2025-38601 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iwlwifi: Add missing check for alloc_ordered_workqueue Add check for the return value of alloc_ordered_workqueue since it may return NULL pointer. | 2025-08-19 | not yet calculated | CVE-2025-38602 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini+0x70c The issue was reproduced on NV10 using IGT pci_unplug test. It is expected that `amdgpu_driver_postclose_kms()` is called prior to `amdgpu_drm_release()`. However, the bug is that `amdgpu_fpriv` was freed in `amdgpu_driver_postclose_kms()`, and then later accessed in `amdgpu_drm_release()` via a call to `amdgpu_userq_mgr_fini()`. As a result, KASAN detected a use-after-free condition, as shown in the log below. The proposed fix is to move the calls to `amdgpu_eviction_fence_destroy()` and `amdgpu_userq_mgr_fini()` into `amdgpu_driver_postclose_kms()`, so they are invoked before `amdgpu_fpriv` is freed. This also ensures symmetry with the initialization path in `amdgpu_driver_open_kms()`, where the following components are initialized: - `amdgpu_userq_mgr_init()` - `amdgpu_eviction_fence_init()` - `amdgpu_ctx_mgr_init()` Correspondingly, in `amdgpu_driver_postclose_kms()` we should clean up using: - `amdgpu_userq_mgr_fini()` - `amdgpu_eviction_fence_destroy()` - `amdgpu_ctx_mgr_fini()` This change eliminates the use-after-free and improves consistency in resource management between open and close paths. [ +0.094367] ================================================================== [ +0.000026] BUG: KASAN: slab-use-after-free in amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu] [ +0.000866] Write of size 8 at addr ffff88811c068c60 by task amd_pci_unplug/1737 [ +0.000026] CPU: 3 UID: 0 PID: 1737 Comm: amd_pci_unplug Not tainted 6.14.0+ #2 [ +0.000008] Hardware name: ASUS System Product Name/ROG STRIX B550-F GAMING (WI-FI), BIOS 1401 12/03/2020 [ +0.000004] Call Trace: [ +0.000004] <TASK> [ +0.000003] dump_stack_lvl+0x76/0xa0 [ +0.000010] print_report+0xce/0x600 [ +0.000009] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu] [ +0.000790] ? srso_return_thunk+0x5/0x5f [ +0.000007] ? kasan_complete_mode_report_info+0x76/0x200 [ +0.000008] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu] [ +0.000684] kasan_report+0xbe/0x110 [ +0.000007] ? amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu] [ +0.000601] __asan_report_store8_noabort+0x17/0x30 [ +0.000007] amdgpu_userq_mgr_fini+0x70c/0x730 [amdgpu] [ +0.000801] ? __pfx_amdgpu_userq_mgr_fini+0x10/0x10 [amdgpu] [ +0.000819] ? srso_return_thunk+0x5/0x5f [ +0.000008] amdgpu_drm_release+0xa3/0xe0 [amdgpu] [ +0.000604] __fput+0x354/0xa90 [ +0.000010] __fput_sync+0x59/0x80 [ +0.000005] __x64_sys_close+0x7d/0xe0 [ +0.000006] x64_sys_call+0x2505/0x26f0 [ +0.000006] do_syscall_64+0x7c/0x170 [ +0.000004] ? kasan_record_aux_stack+0xae/0xd0 [ +0.000005] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? kmem_cache_free+0x398/0x580 [ +0.000006] ? __fput+0x543/0xa90 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? __fput+0x543/0xa90 [ +0.000004] ? __kasan_check_read+0x11/0x20 [ +0.000007] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? __kasan_check_read+0x11/0x20 [ +0.000003] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? fpregs_assert_state_consistent+0x21/0xb0 [ +0.000006] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? syscall_exit_to_user_mode+0x4e/0x240 [ +0.000005] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? do_syscall_64+0x88/0x170 [ +0.000003] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? do_syscall_64+0x88/0x170 [ +0.000004] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? irqentry_exit+0x43/0x50 [ +0.000004] ? srso_return_thunk+0x5/0x5f [ +0.000004] ? exc_page_fault+0x7c/0x110 [ +0.000006] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ +0.000005] RIP: 0033:0x7ffff7b14f67 [ +0.000005] Code: ff e8 0d 16 02 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 73 ba f7 ff [ +0.000004] RSP: 002b:00007fffffffe358 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 [ +0.000006] RAX: ffffffffff ---truncated--- | 2025-08-19 | not yet calculated | CVE-2025-38603 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Kill URBs before clearing tx status queue In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing b_tx_status.queue. This change prevents callbacks from using already freed skb due to anchor was not killed before freeing such skb. BUG: kernel NULL pointer dereference, address: 0000000000000080 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 7 UID: 0 PID: 0 Comm: swapper/7 Not tainted 6.15.0 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ieee80211_tx_status_irqsafe+0x21/0xc0 [mac80211] Call Trace: <IRQ> rtl8187_tx_cb+0x116/0x150 [rtl8187] __usb_hcd_giveback_urb+0x9d/0x120 usb_giveback_urb_bh+0xbb/0x140 process_one_work+0x19b/0x3c0 bh_worker+0x1a7/0x210 tasklet_action+0x10/0x30 handle_softirqs+0xf0/0x340 __irq_exit_rcu+0xcd/0xf0 common_interrupt+0x85/0xa0 </IRQ> Tested on RTL8187BvE device. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2025-08-19 | not yet calculated | CVE-2025-38604 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Pass ab pointer directly to ath12k_dp_tx_get_encap_type() In ath12k_dp_tx_get_encap_type(), the arvif parameter is only used to retrieve the ab pointer. In vdev delete sequence the arvif->ar could become NULL and that would trigger kernel panic. Since the caller ath12k_dp_tx() already has a valid ab pointer, pass it directly to avoid panic and unnecessary dereferencing. PC points to "ath12k_dp_tx+0x228/0x988 [ath12k]" LR points to "ath12k_dp_tx+0xc8/0x988 [ath12k]". The Backtrace obtained is as follows: ath12k_dp_tx+0x228/0x988 [ath12k] ath12k_mac_tx_check_max_limit+0x608/0x920 [ath12k] ieee80211_process_measurement_req+0x320/0x348 [mac80211] ieee80211_tx_dequeue+0x9ac/0x1518 [mac80211] ieee80211_tx_dequeue+0xb14/0x1518 [mac80211] ieee80211_tx_prepare_skb+0x224/0x254 [mac80211] ieee80211_xmit+0xec/0x100 [mac80211] __ieee80211_subif_start_xmit+0xc50/0xf40 [mac80211] ieee80211_subif_start_xmit+0x2e8/0x308 [mac80211] netdev_start_xmit+0x150/0x18c dev_hard_start_xmit+0x74/0xc0 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 | 2025-08-19 | not yet calculated | CVE-2025-38605 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Avoid accessing uninitialized arvif->ar during beacon miss During beacon miss handling, ath12k driver iterates over active virtual interfaces (vifs) and attempts to access the radio object (ar) via arvif->deflink->ar. However, after commit aa80f12f3bed ("wifi: ath12k: defer vdev creation for MLO"), arvif is linked to a radio only after vdev creation, typically when a channel is assigned or a scan is requested. For P2P capable devices, a default P2P interface is created by wpa_supplicant along with regular station interfaces, these serve as dummy interfaces for P2P-capable stations, lack an associated netdev and initiate frequent scans to discover neighbor p2p devices. When a scan is initiated on such P2P vifs, driver selects destination radio (ar) based on scan frequency, creates a scan vdev, and attaches arvif to the radio. Once the scan completes or is aborted, the scan vdev is deleted, detaching arvif from the radio and leaving arvif->ar uninitialized. While handling beacon miss for station interfaces, P2P interface is also encountered in the vif iteration and ath12k_mac_handle_beacon_miss_iter() tries to dereference the uninitialized arvif->deflink->ar. Fix this by verifying that vdev is created for the arvif before accessing its ar during beacon miss handling and similar vif iterator callbacks. ========================================================================== wlp6s0: detected beacon loss from AP (missed 7 beacons) - probing KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] CPU: 5 UID: 0 PID: 0 Comm: swapper/5 Not tainted 6.16.0-rc1-wt-ath+ #2 PREEMPT(full) RIP: 0010:ath12k_mac_handle_beacon_miss_iter+0xb5/0x1a0 [ath12k] Call Trace: __iterate_interfaces+0x11a/0x410 [mac80211] ieee80211_iterate_active_interfaces_atomic+0x61/0x140 [mac80211] ath12k_mac_handle_beacon_miss+0xa1/0xf0 [ath12k] ath12k_roam_event+0x393/0x560 [ath12k] ath12k_wmi_op_rx+0x1486/0x28c0 [ath12k] ath12k_htc_process_trailer.isra.0+0x2fb/0x620 [ath12k] ath12k_htc_rx_completion_handler+0x448/0x830 [ath12k] ath12k_ce_recv_process_cb+0x549/0x9e0 [ath12k] ath12k_ce_per_engine_service+0xbe/0xf0 [ath12k] ath12k_pci_ce_workqueue+0x69/0x120 [ath12k] process_one_work+0xe3a/0x1430 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00284.1-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 | 2025-08-19 | not yet calculated | CVE-2025-38606 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: handle jset (if a & b ...) as a jump in CFG computation BPF_JSET is a conditional jump and currently verifier.c:can_jump() does not know about that. This can lead to incorrect live registers and SCC computation. E.g. in the following example: 1: r0 = 1; 2: r2 = 2; 3: if r1 & 0x7 goto +1; 4: exit; 5: r0 = r2; 6: exit; W/o this fix insn_successors(3) will return only (4), a jump to (5) would be missed and r2 won't be marked as alive at (3). | 2025-08-19 | not yet calculated | CVE-2025-38607 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls When sending plaintext data, we initially calculated the corresponding ciphertext length. However, if we later reduced the plaintext data length via socket policy, we failed to recalculate the ciphertext length. This results in transmitting buffers containing uninitialized data during ciphertext transmission. This causes uninitialized bytes to be appended after a complete "Application Data" packet, leading to errors on the receiving end when parsing TLS record. | 2025-08-19 | not yet calculated | CVE-2025-38608 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PM / devfreq: Check governor before using governor->name Commit 96ffcdf239de ("PM / devfreq: Remove redundant governor_name from struct devfreq") removes governor_name and uses governor->name to replace it. But devfreq->governor may be NULL and directly using devfreq->governor->name may cause null pointer exception. Move the check of governor to before using governor->name. | 2025-08-19 | not yet calculated | CVE-2025-38609 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() The get_pd_power_uw() function can crash with a NULL pointer dereference when em_cpu_get() returns NULL. This occurs when a CPU becomes impossible during runtime, causing get_cpu_device() to return NULL, which propagates through em_cpu_get() and leads to a crash when em_span_cpus() dereferences the NULL pointer. Add a NULL check after em_cpu_get() and return 0 if unavailable, matching the existing fallback behavior in __dtpm_cpu_setup(). [ rjw: Drop an excess empty code line ] | 2025-08-19 | not yet calculated | CVE-2025-38610 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vmci: Prevent the dispatching of uninitialized payloads The reproducer executes the host's unlocked_ioctl call in two different tasks. When init_context fails, the struct vmci_event_ctx is not fully initialized when executing vmci_datagram_dispatch() to send events to all vm contexts. This affects the datagram taken from the datagram queue of its context by another task, because the datagram payload is not initialized according to the size payload_size, which causes the kernel data to leak to the user space. Before dispatching the datagram, and before setting the payload content, explicitly set the payload content to 0 to avoid data leakage caused by incomplete payload initialization. | 2025-08-19 | not yet calculated | CVE-2025-38611 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() In the error paths after fb_info structure is successfully allocated, the memory allocated in fb_deferred_io_init() for info->pagerefs is not freed. Fix that by adding the cleanup function on the error path. | 2025-08-19 | not yet calculated | CVE-2025-38612 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: staging: gpib: fix unset padding field copy back to userspace The introduction of a padding field in the gpib_board_info_ioctl is showing up as initialized data on the stack frame being copyied back to userspace in function board_info_ioctl. The simplest fix is to initialize the entire struct to zero to ensure all unassigned padding fields are zero'd before being copied back to userspace. | 2025-08-19 | not yet calculated | CVE-2025-38613 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: eventpoll: Fix semi-unbounded recursion Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links. Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the depth of the resulting tree for two reasons: - They don't look upwards in the tree. - If there are multiple downwards paths of different lengths, only one of the paths is actually considered for the depth check since commit 28d82dc1c4ed ("epoll: limit paths"). Essentially, the current recursion depth check in ep_loop_check_proc() just serves to prevent it from recursing too deeply while checking for loops. A more thorough check is done in reverse_path_check() after the new graph edge has already been created; this checks, among other things, that no paths going upwards from any non-epoll file with a length of more than 5 edges exist. However, this check does not apply to non-epoll files. As a result, it is possible to recurse to a depth of at least roughly 500, tested on v6.15. (I am unsure if deeper recursion is possible; and this may have changed with commit 8c44dac8add7 ("eventpoll: Fix priority inversion problem").) To fix it: 1. In ep_loop_check_proc(), note the subtree depth of each visited node, and use subtree depths for the total depth calculation even when a subtree has already been visited. 2. Add ep_get_upwards_depth_proc() for similarly determining the maximum depth of an upwards walk. 3. In ep_loop_check(), use these values to limit the total path length between epoll nodes to EP_MAX_NESTS edges. | 2025-08-19 | not yet calculated | CVE-2025-38614 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: cancle set bad inode after removing name fails The reproducer uses a file0 on a ntfs3 file system with a corrupted i_link. When renaming, the file0's inode is marked as a bad inode because the file name cannot be deleted. The underlying bug is that make_bad_inode() is called on a live inode. In some cases it's "icache lookup finds a normal inode, d_splice_alias() is called to attach it to dentry, while another thread decides to call make_bad_inode() on it - that would evict it from icache, but we'd already found it there earlier". In some it's outright "we have an inode attached to dentry - that's how we got it in the first place; let's call make_bad_inode() on it just for shits and giggles". | 2025-08-19 | not yet calculated | CVE-2025-38615 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tls: handle data disappearing from under the TLS ULP TLS expects that it owns the receive queue of the TCP socket. This cannot be guaranteed in case the reader of the TCP socket entered before the TLS ULP was installed, or uses some non-standard read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy early exit (which leaves anchor pointing to a freed skb) with real error handling. Wipe the parsing state and tell the reader to retry. We already reload the anchor every time we (re)acquire the socket lock, so the only condition we need to avoid is an out of bounds read (not having enough bytes in the socket for previously parsed record len). If some data was read from under TLS but there's enough in the queue we'll reload and decrypt what is most likely not a valid TLS record. Leading to some undefined behavior from TLS perspective (corrupting a stream? missing an alert? missing an attack?) but no kernel crash should take place. | 2025-08-22 | not yet calculated | CVE-2025-38616 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/packet: fix a race in packet_set_ring() and packet_notifier() When packet_set_ring() releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This race and the fix are both similar to that of commit 15fe076edea7 ("net/packet: fix a race in packet_bind() and packet_notifier()"). There too the packet_notifier NETDEV_UP event managed to run while a po->bind_lock critical section had to be temporarily released. And the fix was similarly to temporarily set po->num to zero to keep the socket unhooked until the lock is retaken. The po->bind_lock in packet_set_ring and packet_notifier precede the introduction of git history. | 2025-08-22 | not yet calculated | CVE-2025-38617 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock: Do not allow binding to VMADDR_PORT_ANY It is possible for a vsock to autobind to VMADDR_PORT_ANY. This can cause a use-after-free when a connection is made to the bound socket. The socket returned by accept() also has port VMADDR_PORT_ANY but is not on the list of unbound sockets. Binding it will result in an extra refcount decrement similar to the one fixed in fcdd2242c023 (vsock: Keep the binding until socket destruction). Modify the check in __vsock_bind_connectible() to also prevent binding to VMADDR_PORT_ANY. | 2025-08-22 | not yet calculated | CVE-2025-38618 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: ti: j721e-csi2rx: fix list_del corruption If ti_csi2rx_start_dma() fails in ti_csi2rx_dma_callback(), the buffer is marked done with VB2_BUF_STATE_ERROR but is not removed from the DMA queue. This causes the same buffer to be retried in the next iteration, resulting in a double list_del() and eventual list corruption. Fix this by removing the buffer from the queue before calling vb2_buffer_done() on error. This resolves a crash due to list_del corruption: [ 37.811243] j721e-csi2rx 30102000.ticsi2rx: Failed to queue the next buffer for DMA [ 37.832187] slab kmalloc-2k start ffff00000255b000 pointer offset 1064 size 2048 [ 37.839761] list_del corruption. next->prev should be ffff00000255bc28, but was ffff00000255d428. (next=ffff00000255b428) [ 37.850799] ------------[ cut here ]------------ [ 37.855424] kernel BUG at lib/list_debug.c:65! [ 37.859876] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 37.866061] Modules linked in: i2c_dev usb_f_rndis u_ether libcomposite dwc3 udc_core usb_common aes_ce_blk aes_ce_cipher ghash_ce gf128mul sha1_ce cpufreq_dt dwc3_am62 phy_gmii_sel sa2ul [ 37.882830] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.16.0-rc3+ #28 VOLUNTARY [ 37.890851] Hardware name: Bosch STLA-GSRV2-B0 (DT) [ 37.895737] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 37.902703] pc : __list_del_entry_valid_or_report+0xdc/0x114 [ 37.908390] lr : __list_del_entry_valid_or_report+0xdc/0x114 [ 37.914059] sp : ffff800080003db0 [ 37.917375] x29: ffff800080003db0 x28: 0000000000000007 x27: ffff800080e50000 [ 37.924521] x26: 0000000000000000 x25: ffff0000016abb50 x24: dead000000000122 [ 37.931666] x23: ffff0000016abb78 x22: ffff0000016ab080 x21: ffff800080003de0 [ 37.938810] x20: ffff00000255bc00 x19: ffff00000255b800 x18: 000000000000000a [ 37.945956] x17: 20747562202c3832 x16: 6362353532303030 x15: 0720072007200720 [ 37.953101] x14: 0720072007200720 x13: 0720072007200720 x12: 00000000ffffffea [ 37.960248] x11: ffff800080003b18 x10: 00000000ffffefff x9 : ffff800080f5b568 [ 37.967396] x8 : ffff800080f5b5c0 x7 : 0000000000017fe8 x6 : c0000000ffffefff [ 37.974542] x5 : ffff00000fea6688 x4 : 0000000000000000 x3 : 0000000000000000 [ 37.981686] x2 : 0000000000000000 x1 : ffff800080ef2b40 x0 : 000000000000006d [ 37.988832] Call trace: [ 37.991281] __list_del_entry_valid_or_report+0xdc/0x114 (P) [ 37.996959] ti_csi2rx_dma_callback+0x84/0x1c4 [ 38.001419] udma_vchan_complete+0x1e0/0x344 [ 38.005705] tasklet_action_common+0x118/0x310 [ 38.010163] tasklet_action+0x30/0x3c [ 38.013832] handle_softirqs+0x10c/0x2e0 [ 38.017761] __do_softirq+0x14/0x20 [ 38.021256] ____do_softirq+0x10/0x20 [ 38.024931] call_on_irq_stack+0x24/0x60 [ 38.028873] do_softirq_own_stack+0x1c/0x40 [ 38.033064] __irq_exit_rcu+0x130/0x15c [ 38.036909] irq_exit_rcu+0x10/0x20 [ 38.040403] el1_interrupt+0x38/0x60 [ 38.043987] el1h_64_irq_handler+0x18/0x24 [ 38.048091] el1h_64_irq+0x6c/0x70 [ 38.051501] default_idle_call+0x34/0xe0 (P) [ 38.055783] do_idle+0x1f8/0x250 [ 38.059021] cpu_startup_entry+0x34/0x3c [ 38.062951] rest_init+0xb4/0xc0 [ 38.066186] console_on_rootfs+0x0/0x6c [ 38.070031] __primary_switched+0x88/0x90 [ 38.074059] Code: b00037e0 91378000 f9400462 97e9bf49 (d4210000) [ 38.080168] ---[ end trace 0000000000000000 ]--- [ 38.084795] Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt [ 38.092197] SMP: stopping secondary CPUs [ 38.096139] Kernel Offset: disabled [ 38.099631] CPU features: 0x0000,00002000,02000801,0400420b [ 38.105202] Memory Limit: none [ 38.108260] ---[ end Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt ]--- | 2025-08-22 | not yet calculated | CVE-2025-38619 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: zloop: fix KASAN use-after-free of tag set When a zoned loop device, or zloop device, is removed, KASAN enabled kernel reports "BUG KASAN use-after-free" in blk_mq_free_tag_set(). The BUG happens because zloop_ctl_remove() calls put_disk(), which invokes zloop_free_disk(). The zloop_free_disk() frees the memory allocated for the zlo pointer. However, after the memory is freed, zloop_ctl_remove() calls blk_mq_free_tag_set(&zlo->tag_set), which accesses the freed zlo. Hence the KASAN use-after-free. zloop_ctl_remove() put_disk(zlo->disk) put_device() kobject_put() ... zloop_free_disk() kvfree(zlo) blk_mq_free_tag_set(&zlo->tag_set) To avoid the BUG, move the call to blk_mq_free_tag_set(&zlo->tag_set) from zloop_ctl_remove() into zloop_free_disk(). This ensures that the tag_set is freed before the call to kvfree(zlo). | 2025-08-22 | not yet calculated | CVE-2025-38620 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md: make rdev_addable usable for rcu mode Our testcase trigger panic: BUG: kernel NULL pointer dereference, address: 00000000000000e0 ... Oops: Oops: 0000 [#1] SMP NOPTI CPU: 2 UID: 0 PID: 85 Comm: kworker/2:1 Not tainted 6.16.0+ #94 PREEMPT(none) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Workqueue: md_misc md_start_sync RIP: 0010:rdev_addable+0x4d/0xf0 ... Call Trace: <TASK> md_start_sync+0x329/0x480 process_one_work+0x226/0x6d0 worker_thread+0x19e/0x340 kthread+0x10f/0x250 ret_from_fork+0x14d/0x180 ret_from_fork_asm+0x1a/0x30 </TASK> Modules linked in: raid10 CR2: 00000000000000e0 ---[ end trace 0000000000000000 ]--- RIP: 0010:rdev_addable+0x4d/0xf0 md_spares_need_change in md_start_sync will call rdev_addable which protected by rcu_read_lock/rcu_read_unlock. This rcu context will help protect rdev won't be released, but rdev->mddev will be set to NULL before we call synchronize_rcu in md_kick_rdev_from_array. Fix this by using READ_ONCE and check does rdev->mddev still alive. | 2025-08-22 | not yet calculated | CVE-2025-38621 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: drop UFO packets in udp_rcv_segment() When sending a packet with virtio_net_hdr to tun device, if the gso_type in virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr size, below crash may happen. ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:4572! Oops: invalid opcode: 0000 [#1] SMP NOPTI CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:skb_pull_rcsum+0x8e/0xa0 Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc <0f> 0b 0f 0b 66 66 2e 0f 1f 84 00 000 RSP: 0018:ffffc900001fba38 EFLAGS: 00000297 RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948 RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062 RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001 R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000 R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900 FS: 000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0 Call Trace: <TASK> udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445 udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475 udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626 __udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690 ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233 ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579 ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636 ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670 __netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067 netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210 napi_complete_done+0x78/0x180 net/core/dev.c:6580 tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909 tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984 vfs_write+0x300/0x420 fs/read_write.c:593 ksys_write+0x60/0xd0 fs/read_write.c:686 do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63 </TASK> To trigger gso segment in udp_queue_rcv_skb(), we should also set option UDP_ENCAP_ESPINUDP to enable udp_sk(sk)->encap_rcv. When the encap_rcv hook return 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try to pull udphdr, but the skb size has been segmented to gso size, which leads to this crash. Previous commit cf329aa42b66 ("udp: cope with UDP GRO packet misdirection") introduces segmentation in UDP receive path only for GRO, which was never intended to be used for UFO, so drop UFO packets in udp_rcv_segment(). | 2025-08-22 | not yet calculated | CVE-2025-38622 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: pnv_php: Fix surprise plug detection and recovery The existing PowerNV hotplug code did not handle surprise plug events correctly, leading to a complete failure of the hotplug system after device removal and a required reboot to detect new devices. This comes down to two issues: 1) When a device is surprise removed, often the bridge upstream port will cause a PE freeze on the PHB. If this freeze is not cleared, the MSI interrupts from the bridge hotplug notification logic will not be received by the kernel, stalling all plug events on all slots associated with the PE. 2) When a device is removed from a slot, regardless of surprise or programmatic removal, the associated PHB/PE ls left frozen. If this freeze is not cleared via a fundamental reset, skiboot is unable to clear the freeze and cannot retrain / rescan the slot. This also requires a reboot to clear the freeze and redetect the device in the slot. Issue the appropriate unfreeze and rescan commands on hotplug events, and don't oops on hotplug if pci_bus_to_OF_node() returns NULL. [bhelgaas: tidy comments] | 2025-08-22 | not yet calculated | CVE-2025-38623 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI: pnv_php: Clean up allocated IRQs on unplug When the root of a nested PCIe bridge configuration is unplugged, the pnv_php driver leaked the allocated IRQ resources for the child bridges' hotplug event notifications, resulting in a panic. Fix this by walking all child buses and deallocating all its IRQ resources before calling pci_hp_remove_devices(). Also modify the lifetime of the workqueue at struct pnv_php_slot::wq so that it is only destroyed in pnv_php_free_slot(), instead of pnv_php_disable_irq(). This is required since pnv_php_disable_irq() will now be called by workers triggered by hot unplug interrupts, so the workqueue needs to stay allocated. The abridged kernel panic that occurs without this patch is as follows: WARNING: CPU: 0 PID: 687 at kernel/irq/msi.c:292 msi_device_data_release+0x6c/0x9c CPU: 0 UID: 0 PID: 687 Comm: bash Not tainted 6.14.0-rc5+ #2 Call Trace: msi_device_data_release+0x34/0x9c (unreliable) release_nodes+0x64/0x13c devres_release_all+0xc0/0x140 device_del+0x2d4/0x46c pci_destroy_dev+0x5c/0x194 pci_hp_remove_devices+0x90/0x128 pci_hp_remove_devices+0x44/0x128 pnv_php_disable_slot+0x54/0xd4 power_write_file+0xf8/0x18c pci_slot_attr_store+0x40/0x5c sysfs_kf_write+0x64/0x78 kernfs_fop_write_iter+0x1b0/0x290 vfs_write+0x3bc/0x50c ksys_write+0x84/0x140 system_call_exception+0x124/0x230 system_call_vectored_common+0x15c/0x2ec [bhelgaas: tidy comments] | 2025-08-22 | not yet calculated | CVE-2025-38624 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vfio/pds: Fix missing detach_ioas op When CONFIG_IOMMUFD is enabled and a device is bound to the pds_vfio_pci driver, the following WARN_ON() trace is seen and probe fails: WARNING: CPU: 0 PID: 5040 at drivers/vfio/vfio_main.c:317 __vfio_register_dev+0x130/0x140 [vfio] <...> pds_vfio_pci 0000:08:00.1: probe with driver pds_vfio_pci failed with error -22 This is because the driver's vfio_device_ops.detach_ioas isn't set. Fix this by using the generic vfio_iommufd_physical_detach_ioas function. | 2025-08-22 | not yet calculated | CVE-2025-38625 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode w/ "mode=lfs" mount option, generic/299 will cause system panic as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/segment.c:2835! Call Trace: <TASK> f2fs_allocate_data_block+0x6f4/0xc50 f2fs_map_blocks+0x970/0x1550 f2fs_iomap_begin+0xb2/0x1e0 iomap_iter+0x1d6/0x430 __iomap_dio_rw+0x208/0x9a0 f2fs_file_write_iter+0x6b3/0xfa0 aio_write+0x15d/0x2e0 io_submit_one+0x55e/0xab0 __x64_sys_io_submit+0xa5/0x230 do_syscall_64+0x84/0x2f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0010:new_curseg+0x70f/0x720 The root cause of we run out-of-space is: in f2fs_map_blocks(), f2fs may trigger foreground gc only if it allocates any physical block, it will be a little bit later when there is multiple threads writing data w/ aio/dio/bufio method in parallel, since we always use OPU in lfs mode, so f2fs_map_blocks() does block allocations aggressively. In order to fix this issue, let's give a chance to trigger foreground gc in prior to block allocation in f2fs_map_blocks(). | 2025-08-22 | not yet calculated | CVE-2025-38626 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic The decompress_io_ctx may be released asynchronously after I/O completion. If this file is deleted immediately after read, and the kworker of processing post_read_wq has not been executed yet due to high workloads, It is possible that the inode(f2fs_inode_info) is evicted and freed before it is used f2fs_free_dic. The UAF case as below: Thread A Thread B - f2fs_decompress_end_io - f2fs_put_dic - queue_work add free_dic work to post_read_wq - do_unlink - iput - evict - call_rcu This file is deleted after read. Thread C kworker to process post_read_wq - rcu_do_batch - f2fs_free_inode - kmem_cache_free inode is freed by rcu - process_scheduled_works - f2fs_late_free_dic - f2fs_free_dic - f2fs_release_decomp_mem read (dic->inode)->i_compress_algorithm This patch store compress_algorithm and sbi in dic to avoid inode UAF. In addition, the previous solution is deprecated in [1] may cause system hang. [1] https://lore.kernel.org/all/c36ab955-c8db-4a8b-a9d0-f07b5f426c3f@kernel.org | 2025-08-22 | not yet calculated | CVE-2025-38627 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vdpa/mlx5: Fix release of uninitialized resources on error path The commit in the fixes tag made sure that mlx5_vdpa_free() is the single entrypoint for removing the vdpa device resources added in mlx5_vdpa_dev_add(), even in the cleanup path of mlx5_vdpa_dev_add(). This means that all functions from mlx5_vdpa_free() should be able to handle uninitialized resources. This was not the case though: mlx5_vdpa_destroy_mr_resources() and mlx5_cmd_cleanup_async_ctx() were not able to do so. This caused the splat below when adding a vdpa device without a MAC address. This patch fixes these remaining issues: - Makes mlx5_vdpa_destroy_mr_resources() return early if called on uninitialized resources. - Moves mlx5_cmd_init_async_ctx() early on during device addition because it can't fail. This means that mlx5_cmd_cleanup_async_ctx() also can't fail. To mirror this, move the call site of mlx5_cmd_cleanup_async_ctx() in mlx5_vdpa_free(). An additional comment was added in mlx5_vdpa_free() to document the expectations of functions called from this context. Splat: mlx5_core 0000:b5:03.2: mlx5_vdpa_dev_add:3950:(pid 2306) warning: No mac address provisioned? ------------[ cut here ]------------ WARNING: CPU: 13 PID: 2306 at kernel/workqueue.c:4207 __flush_work+0x9a/0xb0 [...] Call Trace: <TASK> ? __try_to_del_timer_sync+0x61/0x90 ? __timer_delete_sync+0x2b/0x40 mlx5_vdpa_destroy_mr_resources+0x1c/0x40 [mlx5_vdpa] mlx5_vdpa_free+0x45/0x160 [mlx5_vdpa] vdpa_release_dev+0x1e/0x50 [vdpa] device_release+0x31/0x90 kobject_cleanup+0x37/0x130 mlx5_vdpa_dev_add+0x327/0x890 [mlx5_vdpa] vdpa_nl_cmd_dev_add_set_doit+0x2c1/0x4d0 [vdpa] genl_family_rcv_msg_doit+0xd8/0x130 genl_family_rcv_msg+0x14b/0x220 ? __pfx_vdpa_nl_cmd_dev_add_set_doit+0x10/0x10 [vdpa] genl_rcv_msg+0x47/0xa0 ? __pfx_genl_rcv_msg+0x10/0x10 netlink_rcv_skb+0x53/0x100 genl_rcv+0x24/0x40 netlink_unicast+0x27b/0x3b0 netlink_sendmsg+0x1f7/0x430 __sys_sendto+0x1fa/0x210 ? ___pte_offset_map+0x17/0x160 ? next_uptodate_folio+0x85/0x2b0 ? percpu_counter_add_batch+0x51/0x90 ? filemap_map_pages+0x515/0x660 __x64_sys_sendto+0x20/0x30 do_syscall_64+0x7b/0x2c0 ? do_read_fault+0x108/0x220 ? do_pte_missing+0x14a/0x3e0 ? __handle_mm_fault+0x321/0x730 ? count_memcg_events+0x13f/0x180 ? handle_mm_fault+0x1fb/0x2d0 ? do_user_addr_fault+0x20c/0x700 ? syscall_exit_work+0x104/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f0c25b0feca [...] ---[ end trace 0000000000000000 ]--- | 2025-08-22 | not yet calculated | CVE-2025-38628 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb: scarlett2: Fix missing NULL check scarlett2_input_select_ctl_info() sets up the string arrays allocated via kasprintf(), but it misses NULL checks, which may lead to NULL dereference Oops. Let's add the proper NULL check. | 2025-08-22 | not yet calculated | CVE-2025-38629 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref fb_add_videomode() can fail with -ENOMEM when its internal kmalloc() cannot allocate a struct fb_modelist. If that happens, the modelist stays empty but the driver continues to register. Add a check for its return value to prevent poteintial null-ptr-deref, which is similar to the commit 17186f1f90d3 ("fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var"). | 2025-08-22 | not yet calculated | CVE-2025-38630 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: imx95-blk-ctl: Fix synchronous abort When enabling runtime PM for clock suppliers that also belong to a power domain, the following crash is thrown: error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP Workqueue: events_unbound deferred_probe_work_func pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : clk_mux_get_parent+0x60/0x90 lr : clk_core_reparent_orphans_nolock+0x58/0xd8 Call trace: clk_mux_get_parent+0x60/0x90 clk_core_reparent_orphans_nolock+0x58/0xd8 of_clk_add_hw_provider.part.0+0x90/0x100 of_clk_add_hw_provider+0x1c/0x38 imx95_bc_probe+0x2e0/0x3f0 platform_probe+0x70/0xd8 Enabling runtime PM without explicitly resuming the device caused the power domain cut off after clk_register() is called. As a result, a crash happens when the clock hardware provider is added and attempts to access the BLK_CTL register. Fix this by using devm_pm_runtime_enable() instead of pm_runtime_enable() and getting rid of the pm_runtime_disable() in the cleanup path. | 2025-08-22 | not yet calculated | CVE-2025-38631 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinmux: fix race causing mux_owner NULL with active mux_usecount commit 5a3e85c3c397 ("pinmux: Use sequential access to access desc->pinmux data") tried to address the issue when two client of the same gpio calls pinctrl_select_state() for the same functionality, was resulting in NULL pointer issue while accessing desc->mux_owner. However, issue was not completely fixed due to the way it was handled and it can still result in the same NULL pointer. The issue occurs due to the following interleaving: cpu0 (process A) cpu1 (process B) pin_request() { pin_free() { mutex_lock() desc->mux_usecount--; //becomes 0 .. mutex_unlock() mutex_lock(desc->mux) desc->mux_usecount++; // becomes 1 desc->mux_owner = owner; mutex_unlock(desc->mux) mutex_lock(desc->mux) desc->mux_owner = NULL; mutex_unlock(desc->mux) This sequence leads to a state where the pin appears to be in use (`mux_usecount == 1`) but has no owner (`mux_owner == NULL`), which can cause NULL pointer on next pin_request on the same pin. Ensure that updates to mux_usecount and mux_owner are performed atomically under the same lock. Only clear mux_owner when mux_usecount reaches zero and no new owner has been assigned. | 2025-08-22 | not yet calculated | CVE-2025-38632 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: spacemit: mark K1 pll1_d8 as critical The pll1_d8 clock is enabled by the boot loader, and is ultimately a parent for numerous clocks, including those used by APB and AXI buses. Guodong Xu discovered that this clock got disabled while responding to getting -EPROBE_DEFER when requesting a reset controller. The needed clock (CLK_DMA, along with its parents) had already been enabled. To respond to the probe deferral return, the CLK_DMA clock was disabled, and this led to parent clocks also reducing their enable count. When the enable count for pll1_d8 was decremented it became 0, which caused it to be disabled. This led to a system hang. Marking that clock critical resolves this by preventing it from being disabled. Define a new macro CCU_FACTOR_GATE_DEFINE() to allow clock flags to be supplied for a CCU_FACTOR_GATE clock. | 2025-08-22 | not yet calculated | CVE-2025-38633 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: cpcap-charger: Fix null check for power_supply_get_by_name In the cpcap_usb_detect() function, the power_supply_get_by_name() function may return `NULL` instead of an error pointer. To prevent potential null pointer dereferences, Added a null check. | 2025-08-22 | not yet calculated | CVE-2025-38634 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: davinci: Add NULL check in davinci_lpsc_clk_register() devm_kasprintf() returns NULL when memory allocation fails. Currently, davinci_lpsc_clk_register() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue and ensuring no resources are left allocated. | 2025-08-22 | not yet calculated | CVE-2025-38635 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rv: Use strings in da monitors tracepoints Using DA monitors tracepoints with KASAN enabled triggers the following warning: BUG: KASAN: global-out-of-bounds in do_trace_event_raw_event_event_da_monitor+0xd6/0x1a0 Read of size 32 at addr ffffffffaada8980 by task ... Call Trace: <TASK> [...] do_trace_event_raw_event_event_da_monitor+0xd6/0x1a0 ? __pfx_do_trace_event_raw_event_event_da_monitor+0x10/0x10 ? trace_event_sncid+0x83/0x200 trace_event_sncid+0x163/0x200 [...] The buggy address belongs to the variable: automaton_snep+0x4e0/0x5e0 This is caused by the tracepoints reading 32 bytes __array instead of __string from the automata definition. Such strings are literals and reading 32 bytes ends up in out of bound memory accesses (e.g. the next automaton's data in this case). The error is harmless as, while printing the string, we stop at the null terminator, but it should still be fixed. Use the __string facilities while defining the tracepoints to avoid reading out of bound memory. | 2025-08-22 | not yet calculated | CVE-2025-38636 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: add a retry logic in net6_rt_notify() inet6_rt_notify() can be called under RCU protection only. This means the route could be changed concurrently and rt6_fill_node() could return -EMSGSIZE. Re-size the skb when this happens and retry, removing one WARN_ON() that syzbot was able to trigger: WARNING: CPU: 3 PID: 6291 at net/ipv6/route.c:6342 inet6_rt_notify+0x475/0x4b0 net/ipv6/route.c:6342 Modules linked in: CPU: 3 UID: 0 PID: 6291 Comm: syz.0.77 Not tainted 6.16.0-rc7-syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:inet6_rt_notify+0x475/0x4b0 net/ipv6/route.c:6342 Code: fc ff ff e8 6d 52 ea f7 e9 47 fc ff ff 48 8b 7c 24 08 4c 89 04 24 e8 5a 52 ea f7 4c 8b 04 24 e9 94 fd ff ff e8 9c fe 84 f7 90 <0f> 0b 90 e9 bd fd ff ff e8 6e 52 ea f7 e9 bb fb ff ff 48 89 df e8 RSP: 0018:ffffc900035cf1d8 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffffc900035cf540 RCX: ffffffff8a36e790 RDX: ffff88802f7e8000 RSI: ffffffff8a36e9d4 RDI: 0000000000000005 RBP: ffff88803c230f00 R08: 0000000000000005 R09: 00000000ffffffa6 R10: 00000000ffffffa6 R11: 0000000000000001 R12: 00000000ffffffa6 R13: 0000000000000900 R14: ffff888032ea4100 R15: 0000000000000000 FS: 00007fac7b89a6c0(0000) GS:ffff8880d6a20000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fac7b899f98 CR3: 0000000034b3f000 CR4: 0000000000352ef0 Call Trace: <TASK> ip6_route_mpath_notify+0xde/0x280 net/ipv6/route.c:5356 ip6_route_multipath_add+0x1181/0x1bd0 net/ipv6/route.c:5536 inet6_rtm_newroute+0xe4/0x1a0 net/ipv6/route.c:5647 rtnetlink_rcv_msg+0x95e/0xe90 net/core/rtnetlink.c:6944 netlink_rcv_skb+0x155/0x420 net/netlink/af_netlink.c:2552 netlink_unicast_kernel net/netlink/af_netlink.c:1320 [inline] netlink_unicast+0x58d/0x850 net/netlink/af_netlink.c:1346 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1896 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg net/socket.c:727 [inline] ____sys_sendmsg+0xa95/0xc70 net/socket.c:2566 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620 | 2025-08-22 | not yet calculated | CVE-2025-38638 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_nfacct: don't assume acct name is null-terminated BUG: KASAN: slab-out-of-bounds in .. lib/vsprintf.c:721 Read of size 1 at addr ffff88801eac95c8 by task syz-executor183/5851 [..] string+0x231/0x2b0 lib/vsprintf.c:721 vsnprintf+0x739/0xf00 lib/vsprintf.c:2874 [..] nfacct_mt_checkentry+0xd2/0xe0 net/netfilter/xt_nfacct.c:41 xt_check_match+0x3d1/0xab0 net/netfilter/x_tables.c:523 nfnl_acct_find_get() handles non-null input, but the error printk relied on its presence. | 2025-08-22 | not yet calculated | CVE-2025-38639 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Disable migration in nf_hook_run_bpf(). syzbot reported that the netfilter bpf prog can be called without migration disabled in xmit path. Then the assertion in __bpf_prog_run() fails, triggering the splat below. [0] Let's use bpf_prog_run_pin_on_cpu() in nf_hook_run_bpf(). [0]: BUG: assuming non migratable context at ./include/linux/filter.h:703 in_atomic(): 0, irqs_disabled(): 0, migration_disabled() 0 pid: 5829, name: sshd-session 3 locks held by sshd-session/5829: #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1667 [inline] #0: ffff88807b4e4218 (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendmsg+0x20/0x50 net/ipv4/tcp.c:1395 #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline] #1: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: __ip_queue_xmit+0x69/0x26c0 net/ipv4/ip_output.c:470 #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_lock_acquire include/linux/rcupdate.h:331 [inline] #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: rcu_read_lock include/linux/rcupdate.h:841 [inline] #2: ffffffff8e5c4e00 (rcu_read_lock){....}-{1:3}, at: nf_hook+0xb2/0x680 include/linux/netfilter.h:241 CPU: 0 UID: 0 PID: 5829 Comm: sshd-session Not tainted 6.16.0-rc6-syzkaller-00002-g155a3c003e55 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 __cant_migrate kernel/sched/core.c:8860 [inline] __cant_migrate+0x1c7/0x250 kernel/sched/core.c:8834 __bpf_prog_run include/linux/filter.h:703 [inline] bpf_prog_run include/linux/filter.h:725 [inline] nf_hook_run_bpf+0x83/0x1e0 net/netfilter/nf_bpf_link.c:20 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] nf_hook_slow+0xbb/0x200 net/netfilter/core.c:623 nf_hook+0x370/0x680 include/linux/netfilter.h:272 NF_HOOK_COND include/linux/netfilter.h:305 [inline] ip_output+0x1bc/0x2a0 net/ipv4/ip_output.c:433 dst_output include/net/dst.h:459 [inline] ip_local_out net/ipv4/ip_output.c:129 [inline] __ip_queue_xmit+0x1d7d/0x26c0 net/ipv4/ip_output.c:527 __tcp_transmit_skb+0x2686/0x3e90 net/ipv4/tcp_output.c:1479 tcp_transmit_skb net/ipv4/tcp_output.c:1497 [inline] tcp_write_xmit+0x1274/0x84e0 net/ipv4/tcp_output.c:2838 __tcp_push_pending_frames+0xaf/0x390 net/ipv4/tcp_output.c:3021 tcp_push+0x225/0x700 net/ipv4/tcp.c:759 tcp_sendmsg_locked+0x1870/0x42b0 net/ipv4/tcp.c:1359 tcp_sendmsg+0x2e/0x50 net/ipv4/tcp.c:1396 inet_sendmsg+0xb9/0x140 net/ipv4/af_inet.c:851 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg net/socket.c:727 [inline] sock_write_iter+0x4aa/0x5b0 net/socket.c:1131 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x6c7/0x1150 fs/read_write.c:686 ksys_write+0x1f8/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe7d365d407 Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff RSP: | 2025-08-22 | not yet calculated | CVE-2025-38640 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: Fix potential NULL dereference on kmalloc failure Avoid potential NULL pointer dereference by checking the return value of kmalloc and handling allocation failure properly. | 2025-08-22 | not yet calculated | CVE-2025-38641 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix WARN_ON for monitor mode on some devices On devices without WANT_MONITOR_VIF (and probably without channel context support) we get a WARN_ON for changing the per-link setting of a monitor interface. Since we already skip AP_VLAN interfaces and MONITOR with WANT_MONITOR_VIF and/or NO_VIRTUAL_MONITOR should update the settings, catch this in the link change code instead of the warning. | 2025-08-22 | not yet calculated | CVE-2025-38642 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() Callers of wdev_chandef() must hold the wiphy mutex. But the worker cfg80211_propagate_cac_done_wk() never takes the lock. Which triggers the warning below with the mesh_peer_connected_dfs test from hostapd and not (yet) released mac80211 code changes: WARNING: CPU: 0 PID: 495 at net/wireless/chan.c:1552 wdev_chandef+0x60/0x165 Modules linked in: CPU: 0 UID: 0 PID: 495 Comm: kworker/u4:2 Not tainted 6.14.0-rc5-wt-g03960e6f9d47 #33 13c287eeabfe1efea01c0bcc863723ab082e17cf Workqueue: cfg80211 cfg80211_propagate_cac_done_wk Stack: 00000000 00000001 ffffff00 6093267c 00000000 6002ec30 6d577c50 60037608 00000000 67e8d108 6063717b 00000000 Call Trace: [<6002ec30>] ? _printk+0x0/0x98 [<6003c2b3>] show_stack+0x10e/0x11a [<6002ec30>] ? _printk+0x0/0x98 [<60037608>] dump_stack_lvl+0x71/0xb8 [<6063717b>] ? wdev_chandef+0x60/0x165 [<6003766d>] dump_stack+0x1e/0x20 [<6005d1b7>] __warn+0x101/0x20f [<6005d3a8>] warn_slowpath_fmt+0xe3/0x15d [<600b0c5c>] ? mark_lock.part.0+0x0/0x4ec [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<600b11a2>] ? mark_held_locks+0x5a/0x6e [<6005d2c5>] ? warn_slowpath_fmt+0x0/0x15d [<60052e53>] ? unblock_signals+0x3a/0xe7 [<60052f2d>] ? um_set_signals+0x2d/0x43 [<60751191>] ? __this_cpu_preempt_check+0x0/0x16 [<607508b2>] ? lock_is_held_type+0x207/0x21f [<6063717b>] wdev_chandef+0x60/0x165 [<605f89b4>] regulatory_propagate_dfs_state+0x247/0x43f [<60052f00>] ? um_set_signals+0x0/0x43 [<605e6bfd>] cfg80211_propagate_cac_done_wk+0x3a/0x4a [<6007e460>] process_scheduled_works+0x3bc/0x60e [<6007d0ec>] ? move_linked_works+0x4d/0x81 [<6007d120>] ? assign_work+0x0/0xaa [<6007f81f>] worker_thread+0x220/0x2dc [<600786ef>] ? set_pf_worker+0x0/0x57 [<60087c96>] ? to_kthread+0x0/0x43 [<6008ab3c>] kthread+0x2d3/0x2e2 [<6007f5ff>] ? worker_thread+0x0/0x2dc [<6006c05b>] ? calculate_sigpending+0x0/0x56 [<6003b37d>] new_thread_handler+0x4a/0x64 irq event stamp: 614611 hardirqs last enabled at (614621): [<00000000600bc96b>] __up_console_sem+0x82/0xaf hardirqs last disabled at (614630): [<00000000600bc92c>] __up_console_sem+0x43/0xaf softirqs last enabled at (614268): [<00000000606c55c6>] __ieee80211_wake_queue+0x933/0x985 softirqs last disabled at (614266): [<00000000606c52d6>] __ieee80211_wake_queue+0x643/0x985 | 2025-08-22 | not yet calculated | CVE-2025-38643 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: reject TDLS operations when station is not associated syzbot triggered a WARN in ieee80211_tdls_oper() by sending NL80211_TDLS_ENABLE_LINK immediately after NL80211_CMD_CONNECT, before association completed and without prior TDLS setup. This left internal state like sdata->u.mgd.tdls_peer uninitialized, leading to a WARN_ON() in code paths that assumed it was valid. Reject the operation early if not in station mode or not associated. | 2025-08-22 | not yet calculated | CVE-2025-38644 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Check device memory pointer before usage Add a NULL check before accessing device memory to prevent a crash if dev->dm allocation in mlx5_init_once() fails. | 2025-08-22 | not yet calculated | CVE-2025-38645 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band With a quite rare chance, RX report might be problematic to make SW think a packet is received on 6 GHz band even if the chip does not support 6 GHz band actually. Since SW won't initialize stuffs for unsupported bands, NULL dereference will happen then in the sequence, rtw89_vif_rx_stats_iter() -> rtw89_core_cancel_6ghz_probe_tx(). So, add a check to avoid it. The following is a crash log for this case. BUG: kernel NULL pointer dereference, address: 0000000000000032 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 1907 Comm: irq/131-rtw89_p Tainted: G U 6.6.56-05896-g89f5fb0eb30b #1 (HASH:1400 4) Hardware name: Google Telith/Telith, BIOS Google_Telith.15217.747.0 11/12/2024 RIP: 0010:rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core] Code: 4c 89 7d c8 48 89 55 c0 49 8d 44 24 02 48 89 45 b8 45 31 ff eb 11 41 c6 45 3a 01 41 b7 01 4d 8b 6d 00 4d 39 f5 74 42 8b 43 10 <41> 33 45 32 0f b7 4b 14 66 41 33 4d 36 0f b7 c9 09 c1 74 d8 4d 85 RSP: 0018:ffff9f3080138ca0 EFLAGS: 00010246 RAX: 00000000b8bf5770 RBX: ffff91b5e8c639c0 RCX: 0000000000000011 RDX: ffff91b582de1be8 RSI: 0000000000000000 RDI: ffff91b5e8c639e6 RBP: ffff9f3080138d00 R08: 0000000000000000 R09: 0000000000000000 R10: ffff91b59de70000 R11: ffffffffc069be50 R12: ffff91b5e8c639e4 R13: 0000000000000000 R14: ffff91b5828020b8 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff91b8efa40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000032 CR3: 00000002bf838000 CR4: 0000000000750ee0 PKRU: 55555554 Call Trace: <IRQ> ? __die_body+0x68/0xb0 ? page_fault_oops+0x379/0x3e0 ? exc_page_fault+0x4f/0xa0 ? asm_exc_page_fault+0x22/0x30 ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)] ? rtw89_vif_rx_stats_iter+0xd2/0x310 [rtw89_core (HASH:1400 5)] __iterate_interfaces+0x59/0x110 [mac80211 (HASH:1400 6)] ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)] ? __pfx_rtw89_vif_rx_stats_iter+0x10/0x10 [rtw89_core (HASH:1400 5)] ieee80211_iterate_active_interfaces_atomic+0x36/0x50 [mac80211 (HASH:1400 6)] rtw89_core_rx_to_mac80211+0xfd/0x1b0 [rtw89_core (HASH:1400 5)] rtw89_core_rx+0x43a/0x980 [rtw89_core (HASH:1400 5)] | 2025-08-22 | not yet calculated | CVE-2025-38646 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: sar: drop lockdep assertion in rtw89_set_sar_from_acpi The following assertion is triggered on the rtw89 driver startup. It looks meaningless to hold wiphy lock on the early init stage so drop the assertion. WARNING: CPU: 7 PID: 629 at drivers/net/wireless/realtek/rtw89/sar.c:502 rtw89_set_sar_from_acpi+0x365/0x4d0 [rtw89_core] CPU: 7 UID: 0 PID: 629 Comm: (udev-worker) Not tainted 6.15.0+ #29 PREEMPT(lazy) Hardware name: LENOVO 21D0/LNVNB161216, BIOS J6CN50WW 09/27/2024 RIP: 0010:rtw89_set_sar_from_acpi+0x365/0x4d0 [rtw89_core] Call Trace: <TASK> rtw89_sar_init+0x68/0x2c0 [rtw89_core] rtw89_core_init+0x188e/0x1e50 [rtw89_core] rtw89_pci_probe+0x530/0xb50 [rtw89_pci] local_pci_probe+0xd9/0x190 pci_call_probe+0x183/0x540 pci_device_probe+0x171/0x2c0 really_probe+0x1e1/0x890 __driver_probe_device+0x18c/0x390 driver_probe_device+0x4a/0x120 __driver_attach+0x1a0/0x530 bus_for_each_dev+0x10b/0x190 bus_add_driver+0x2eb/0x540 driver_register+0x1a3/0x3a0 do_one_initcall+0xd5/0x450 do_init_module+0x2cc/0x8f0 init_module_from_file+0xe1/0x150 idempotent_init_module+0x226/0x760 __x64_sys_finit_module+0xcd/0x150 do_syscall_64+0x94/0x380 entry_SYSCALL_64_after_hwframe+0x76/0x7e Found by Linux Verification Center (linuxtesting.org). | 2025-08-22 | not yet calculated | CVE-2025-38647 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: stm32: Check for cfg availability in stm32_spi_probe The stm32_spi_probe function now includes a check to ensure that the pointer returned by of_device_get_match_data is not NULL before accessing its members. This resolves a warning where a potential NULL pointer dereference could occur when accessing cfg->has_device_mode. Before accessing the 'has_device_mode' member, we verify that 'cfg' is not NULL. If 'cfg' is NULL, an error message is logged. This change ensures that the driver does not attempt to access configuration data if it is not available, thus preventing a potential system crash due to a NULL pointer dereference. | 2025-08-22 | not yet calculated | CVE-2025-38648 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64: dts: qcom: qcs615: fix a crash issue caused by infinite loop for Coresight An infinite loop has been created by the Coresight devices. When only a source device is enabled, the coresight_find_activated_sysfs_sink function is recursively invoked in an attempt to locate an active sink device, ultimately leading to a stack overflow and system crash. Therefore, disable the replicator1 to break the infinite loop and prevent a potential stack overflow. replicator1_out -> funnel_swao_in6 -> tmc_etf_swao_in -> tmc_etf_swao_out | | replicator1_in replicator_swao_in | | replicator0_out1 replicator_swao_out0 | | replicator0_in funnel_in1_in3 | | tmc_etf_out <- tmc_etf_in <- funnel_merg_out <- funnel_merg_in1 <- funnel_in1_out [call trace] dump_backtrace+0x9c/0x128 show_stack+0x20/0x38 dump_stack_lvl+0x48/0x60 dump_stack+0x18/0x28 panic+0x340/0x3b0 nmi_panic+0x94/0xa0 panic_bad_stack+0x114/0x138 handle_bad_stack+0x34/0xb8 __bad_stack+0x78/0x80 coresight_find_activated_sysfs_sink+0x28/0xa0 [coresight] coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight] coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight] coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight] coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight] ... coresight_find_activated_sysfs_sink+0x5c/0xa0 [coresight] coresight_enable_sysfs+0x80/0x2a0 [coresight] side effect after the change: Only trace data originating from AOSS can reach the ETF_SWAO and EUD sinks. | 2025-08-22 | not yet calculated | CVE-2025-38649 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hfsplus: remove mutex_lock check in hfsplus_free_extents Syzbot reported an issue in hfsplus filesystem: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 4400 at fs/hfsplus/extents.c:346 hfsplus_free_extents+0x700/0xad0 Call Trace: <TASK> hfsplus_file_truncate+0x768/0xbb0 fs/hfsplus/extents.c:606 hfsplus_write_begin+0xc2/0xd0 fs/hfsplus/inode.c:56 cont_expand_zero fs/buffer.c:2383 [inline] cont_write_begin+0x2cf/0x860 fs/buffer.c:2446 hfsplus_write_begin+0x86/0xd0 fs/hfsplus/inode.c:52 generic_cont_expand_simple+0x151/0x250 fs/buffer.c:2347 hfsplus_setattr+0x168/0x280 fs/hfsplus/inode.c:263 notify_change+0xe38/0x10f0 fs/attr.c:420 do_truncate+0x1fb/0x2e0 fs/open.c:65 do_sys_ftruncate+0x2eb/0x380 fs/open.c:193 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd To avoid deadlock, Commit 31651c607151 ("hfsplus: avoid deadlock on file truncation") unlock extree before hfsplus_free_extents(), and add check wheather extree is locked in hfsplus_free_extents(). However, when operations such as hfsplus_file_release, hfsplus_setattr, hfsplus_unlink, and hfsplus_get_block are executed concurrently in different files, it is very likely to trigger the WARN_ON, which will lead syzbot and xfstest to consider it as an abnormality. The comment above this warning also describes one of the easy triggering situations, which can easily trigger and cause xfstest&syzbot to report errors. [task A] [task B] ->hfsplus_file_release ->hfsplus_file_truncate ->hfs_find_init ->mutex_lock ->mutex_unlock ->hfsplus_write_begin ->hfsplus_get_block ->hfsplus_file_extend ->hfsplus_ext_read_extent ->hfs_find_init ->mutex_lock ->hfsplus_free_extents WARN_ON(mutex_is_locked) !!! Several threads could try to lock the shared extents tree. And warning can be triggered in one thread when another thread has locked the tree. This is the wrong behavior of the code and we need to remove the warning. | 2025-08-22 | not yet calculated | CVE-2025-38650 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: landlock: Fix warning from KUnit tests get_id_range() expects a positive value as first argument but get_random_u8() can return 0. Fix this by clamping it. Validated by running the test in a for loop for 1000 times. Note that MAX() is wrong as it is only supposed to be used for constants, but max() is good here. [..] ok 9 test_range2_rand1 [..] ok 10 test_range2_rand2 [..] ok 11 test_range2_rand15 [..] ------------[ cut here ]------------ [..] WARNING: CPU: 6 PID: 104 at security/landlock/id.c:99 test_range2_rand16 (security/landlock/id.c:99 (discriminator 1) security/landlock/id.c:234 (discriminator 1)) [..] Modules linked in: [..] CPU: 6 UID: 0 PID: 104 Comm: kunit_try_catch Tainted: G N 6.16.0-rc1-dev-00001-g314a2f98b65f #1 PREEMPT(undef) [..] Tainted: [N]=TEST [..] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [..] RIP: 0010:test_range2_rand16 (security/landlock/id.c:99 (discriminator 1) security/landlock/id.c:234 (discriminator 1)) [..] Code: 49 c7 c0 10 70 30 82 4c 89 ff 48 c7 c6 a0 63 1e 83 49 c7 45 a0 e0 63 1e 83 e8 3f 95 17 00 e9 1f ff ff ff 0f 0b e9 df fd ff ff <0f> 0b ba 01 00 00 00 e9 68 fe ff ff 49 89 45 a8 49 8d 4d a0 45 31 [..] RSP: 0000:ffff888104eb7c78 EFLAGS: 00010246 [..] RAX: 0000000000000000 RBX: 000000000870822c RCX: 0000000000000000 ^^^^^^^^^^^^^^^^ [..] [..] Call Trace: [..] [..] ---[ end trace 0000000000000000 ]--- [..] ok 12 test_range2_rand16 [..] # landlock_id: pass:12 fail:0 skip:0 total:12 [..] # Totals: pass:12 fail:0 skip:0 total:12 [..] ok 1 landlock_id [mic: Minor cosmetic improvements] | 2025-08-22 | not yet calculated | CVE-2025-38651 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid out-of-boundary access in devs.path - touch /mnt/f2fs/012345678901234567890123456789012345678901234567890123 - truncate -s $((1024*1024*1024)) \ /mnt/f2fs/012345678901234567890123456789012345678901234567890123 - touch /mnt/f2fs/file - truncate -s $((1024*1024*1024)) /mnt/f2fs/file - mkfs.f2fs /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \ -c /mnt/f2fs/file - mount /mnt/f2fs/012345678901234567890123456789012345678901234567890123 \ /mnt/f2fs/loop [16937.192225] F2FS-fs (loop0): Mount Device [ 0]: /mnt/f2fs/012345678901234567890123456789012345678901234567890123\xff\x01, 511, 0 - 3ffff [16937.192268] F2FS-fs (loop0): Failed to find devices If device path length equals to MAX_PATH_LEN, sbi->devs.path[] may not end up w/ null character due to path array is fully filled, So accidently, fields locate after path[] may be treated as part of device path, result in parsing wrong device path. struct f2fs_dev_info { ... char path[MAX_PATH_LEN]; ... }; Let's add one byte space for sbi->devs.path[] to store null character of device path string. | 2025-08-22 | not yet calculated | CVE-2025-38652 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al Check pde->proc_ops->proc_lseek directly may cause UAF in rmmod scenario. It's a gap in proc_reg_open() after commit 654b33ada4ab("proc: fix UAF in proc_get_inode()"). Followed by AI Viro's suggestion, fix it in same manner. | 2025-08-22 | not yet calculated | CVE-2025-38653 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: canaan: k230: Fix order of DT parse and pinctrl register Move DT parse before pinctrl register. This ensures that device tree parsing is done before calling devm_pinctrl_register() to prevent using uninitialized pin resources. | 2025-08-22 | not yet calculated | CVE-2025-38654 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: canaan: k230: add NULL check in DT parse Add a NULL check for the return value of of_get_property() when retrieving the "pinmux" property in the group parser. This avoids a potential NULL pointer dereference if the property is missing from the device tree node. Also fix a typo ("sintenel") in the device ID match table comment, correcting it to "sentinel". | 2025-08-22 | not yet calculated | CVE-2025-38655 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start() Preserve the error code if iwl_setup_deferred_work() fails. The current code returns ERR_PTR(0) (which is NULL) on this path. I believe the missing error code potentially leads to a use after free involving debugfs. | 2025-08-22 | not yet calculated | CVE-2025-38656 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: mcc: prevent shift wrapping in rtw89_core_mlsr_switch() The "link_id" value comes from the user via debugfs. If it's larger than BITS_PER_LONG then that would result in shift wrapping and potentially an out of bounds access later. In fact, we can limit it to IEEE80211_MLD_MAX_NUM_LINKS (15). Fortunately, only root can write to debugfs files so the security impact is minimal. | 2025-08-22 | not yet calculated | CVE-2025-38657 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails Have nvmet_req_init() and req->execute() complete failed commands. Description of the problem: nvmet_req_init() calls __nvmet_req_complete() internally upon failure, e.g., unsupported opcode, which calls the "queue_response" callback, this results in nvmet_pci_epf_queue_response() being called, which will call nvmet_pci_epf_complete_iod() if data_len is 0 or if dma_dir is different from DMA_TO_DEVICE. This results in a double completion as nvmet_pci_epf_exec_iod_work() also calls nvmet_pci_epf_complete_iod() when nvmet_req_init() fails. Steps to reproduce: On the host send a command with an unsupported opcode with nvme-cli, For example the admin command "security receive" $ sudo nvme security-recv /dev/nvme0n1 -n1 -x4096 This triggers a double completion as nvmet_req_init() fails and nvmet_pci_epf_queue_response() is called, here iod->dma_dir is still in the default state of "DMA_NONE" as set by default in nvmet_pci_epf_alloc_iod(), so nvmet_pci_epf_complete_iod() is called. Because nvmet_req_init() failed nvmet_pci_epf_complete_iod() is also called in nvmet_pci_epf_exec_iod_work() leading to a double completion. This not only sends two completions to the host but also corrupts the state of the PCI NVMe target leading to kernel oops. This patch lets nvmet_req_init() and req->execute() complete all failed commands, and removes the double completion case in nvmet_pci_epf_exec_iod_work() therefore fixing the edge cases where double completions occurred. | 2025-08-22 | not yet calculated | CVE-2025-38658 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gfs2: No more self recovery When a node withdraws and it turns out that it is the only node that has the filesystem mounted, gfs2 currently tries to replay the local journal to bring the filesystem back into a consistent state. Not only is that a very bad idea, it has also never worked because gfs2_recover_func() will refuse to do anything during a withdraw. However, before even getting to this point, gfs2_recover_func() dereferences sdp->sd_jdesc->jd_inode. This was a use-after-free before commit 04133b607a78 ("gfs2: Prevent double iput for journal on error") and is a NULL pointer dereference since then. Simply get rid of self recovery to fix that. | 2025-08-22 | not yet calculated | CVE-2025-38659 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: [ceph] parse_longname(): strrchr() expects NUL-terminated string ... and parse_longname() is not guaranteed that. That's the reason why it uses kmemdup_nul() to build the argument for kstrtou64(); the problem is, kstrtou64() is not the only thing that need it. Just get a NUL-terminated copy of the entire thing and be done with that... | 2025-08-22 | not yet calculated | CVE-2025-38660 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: alienware-wmi-wmax: Fix `dmi_system_id` array Add missing empty member to `awcc_dmi_table`. | 2025-08-22 | not yet calculated | CVE-2025-38661 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv Given mt8365_dai_set_priv allocate priv_size space to copy priv_data which means we should pass mt8365_i2s_priv[i] or "struct mtk_afe_i2s_priv" instead of afe_priv which has the size of "struct mt8365_afe_private". Otherwise the KASAN complains about. [ 59.389765] BUG: KASAN: global-out-of-bounds in mt8365_dai_set_priv+0xc8/0x168 [snd_soc_mt8365_pcm] ... [ 59.394789] Call trace: [ 59.395167] dump_backtrace+0xa0/0x128 [ 59.395733] show_stack+0x20/0x38 [ 59.396238] dump_stack_lvl+0xe8/0x148 [ 59.396806] print_report+0x37c/0x5e0 [ 59.397358] kasan_report+0xac/0xf8 [ 59.397885] kasan_check_range+0xe8/0x190 [ 59.398485] asan_memcpy+0x3c/0x98 [ 59.399022] mt8365_dai_set_priv+0xc8/0x168 [snd_soc_mt8365_pcm] [ 59.399928] mt8365_dai_i2s_register+0x1e8/0x2b0 [snd_soc_mt8365_pcm] [ 59.400893] mt8365_afe_pcm_dev_probe+0x4d0/0xdf0 [snd_soc_mt8365_pcm] [ 59.401873] platform_probe+0xcc/0x228 [ 59.402442] really_probe+0x340/0x9e8 [ 59.402992] driver_probe_device+0x16c/0x3f8 [ 59.403638] driver_probe_device+0x64/0x1d8 [ 59.404256] driver_attach+0x1dc/0x4c8 [ 59.404840] bus_for_each_dev+0x100/0x190 [ 59.405442] driver_attach+0x44/0x68 [ 59.405980] bus_add_driver+0x23c/0x500 [ 59.406550] driver_register+0xf8/0x3d0 [ 59.407122] platform_driver_register+0x68/0x98 [ 59.407810] mt8365_afe_pcm_driver_init+0x2c/0xff8 [snd_soc_mt8365_pcm] | 2025-08-22 | not yet calculated | CVE-2025-38662 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nilfs2: reject invalid file types when reading inodes To prevent inodes with invalid file types from tripping through the vfs and causing malfunctions or assertion failures, add a missing sanity check when reading an inode from a block device. If the file type is not valid, treat it as a filesystem error. | 2025-08-22 | not yet calculated | CVE-2025-38663 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Add check for the return value of devm_kmemdup() to prevent potential null pointer dereference. | 2025-08-22 | not yet calculated | CVE-2025-38664 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Andrei Lalaev reported a NULL pointer deref when a CAN device is restarted from Bus Off and the driver does not implement the struct can_priv::do_set_mode callback. There are 2 code path that call struct can_priv::do_set_mode: - directly by a manual restart from the user space, via can_changelink() - delayed automatic restart after bus off (deactivated by default) To prevent the NULL pointer deference, refuse a manual restart or configure the automatic restart delay in can_changelink() and report the error via extack to user space. As an additional safety measure let can_restart() return an error if can_priv::do_set_mode is not set instead of dereferencing it unchecked. | 2025-08-22 | not yet calculated | CVE-2025-38665 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxyâ€probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_timer() | lock(aarp_lock) // LOCK!! timeout around 200ms | alloc(aarp_entry) and then call | proxies[hash] = aarp_entry aarp_expire_timeout() | aarp_send_probe() | unlock(aarp_lock) // UNLOCK!! lock(aarp_lock) // LOCK!! | msleep(100); __aarp_expire_timer(&proxies[ct]) | free(aarp_entry) | unlock(aarp_lock) // UNLOCK!! | | lock(aarp_lock) // LOCK!! | UAF aarp_entry !! ================================================================== BUG: KASAN: slab-use-after-free in aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 Read of size 4 at addr ffff8880123aa360 by task repro/13278 CPU: 3 UID: 0 PID: 13278 Comm: repro Not tainted 6.15.2 #3 PREEMPT(full) Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1b0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc1/0x630 mm/kasan/report.c:521 kasan_report+0xca/0x100 mm/kasan/report.c:634 aarp_proxy_probe_network+0x560/0x630 net/appletalk/aarp.c:493 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 sock_do_ioctl+0xdc/0x260 net/socket.c:1190 sock_ioctl+0x239/0x6a0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x194/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcb/0x250 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Allocated: aarp_alloc net/appletalk/aarp.c:382 [inline] aarp_proxy_probe_network+0xd8/0x630 net/appletalk/aarp.c:468 atif_proxy_probe_device net/appletalk/ddp.c:332 [inline] atif_ioctl+0xb58/0x16c0 net/appletalk/ddp.c:857 atalk_ioctl+0x198/0x2f0 net/appletalk/ddp.c:1818 Freed: kfree+0x148/0x4d0 mm/slub.c:4841 __aarp_expire net/appletalk/aarp.c:90 [inline] __aarp_expire_timer net/appletalk/aarp.c:261 [inline] aarp_expire_timeout+0x480/0x6e0 net/appletalk/aarp.c:317 The buggy address belongs to the object at ffff8880123aa300 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 96 bytes inside of freed 192-byte region [ffff8880123aa300, ffff8880123aa3c0) Memory state around the buggy address: ffff8880123aa200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880123aa280: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880123aa300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880123aa380: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880123aa400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== | 2025-08-22 | not yet calculated | CVE-2025-38666 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: fix potential out-of-bound write The buffer is set to 20 characters. If a caller write more characters, count is truncated to the max available space in "simple_write_to_buffer". To protect from OoB access, check that the input size fit into buffer and add a zero terminator after copy to the end of the copied data. | 2025-08-22 | not yet calculated | CVE-2025-38667 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix NULL dereference on unbind due to stale coupling data Failing to reset coupling_desc.n_coupled after freeing coupled_rdevs can lead to NULL pointer dereference when regulators are accessed post-unbind. This can happen during runtime PM or other regulator operations that rely on coupling metadata. For example, on ridesx4, unbinding the 'reg-dummy' platform device triggers a panic in regulator_lock_recursive() due to stale coupling state. Ensure n_coupled is set to 0 to prevent access to invalid pointers. | 2025-08-22 | not yet calculated | CVE-2025-38668 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "drm/gem-shmem: Use dma_buf from GEM object instance" This reverts commit 1a148af06000e545e714fe3210af3d77ff903c11. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable | 2025-08-22 | not yet calculated | CVE-2025-38669 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change to different stacks along with the Shadow Call Stack if it is enabled. Those two stack changes cannot be done atomically and both functions can be interrupted by SErrors or Debug Exceptions which, though unlikely, is very much broken : if interrupted, we can end up with mismatched stacks and Shadow Call Stack leading to clobbered stacks. In `cpu_switch_to()`, it can happen when SP_EL0 points to the new task, but x18 stills points to the old task's SCS. When the interrupt handler tries to save the task's SCS pointer, it will save the old task SCS pointer (x18) into the new task struct (pointed to by SP_EL0), clobbering it. In `call_on_irq_stack()`, it can happen when switching from the task stack to the IRQ stack and when switching back. In both cases, we can be interrupted when the SCS pointer points to the IRQ SCS, but SP points to the task stack. The nested interrupt handler pushes its return addresses on the IRQ SCS. It then detects that SP points to the task stack, calls `call_on_irq_stack()` and clobbers the task SCS pointer with the IRQ SCS pointer, which it will also use ! This leads to tasks returning to addresses on the wrong SCS, or even on the IRQ SCS, triggering kernel panics via CONFIG_VMAP_STACK or FPAC if enabled. This is possible on a default config, but unlikely. However, when enabling CONFIG_ARM64_PSEUDO_NMI, DAIF is unmasked and instead the GIC is responsible for filtering what interrupts the CPU should receive based on priority. Given the goal of emulating NMIs, pseudo-NMIs can be received by the CPU even in `cpu_switch_to()` and `call_on_irq_stack()`, possibly *very* frequently depending on the system configuration and workload, leading to unpredictable kernel panics. Completely mask DAIF in `cpu_switch_to()` and restore it when returning. Do the same in `call_on_irq_stack()`, but restore and mask around the branch. Mask DAIF even if CONFIG_SHADOW_CALL_STACK is not enabled for consistency of behaviour between all configurations. Introduce and use an assembly macro for saving and masking DAIF, as the existing one saves but only masks IF. | 2025-08-22 | not yet calculated | CVE-2025-38670 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i2c: qup: jump out of the loop in case of timeout Original logic only sets the return value but doesn't jump out of the loop if the bus is kept active by a client. This is not expected. A malicious or buggy i2c client can hang the kernel in this case and should be avoided. This is observed during a long time test with a PCA953x GPIO extender. Fix it by changing the logic to not only sets the return value, but also jumps out of the loop and return to the caller with -ETIMEDOUT. | 2025-08-22 | not yet calculated | CVE-2025-38671 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "drm/gem-dma: Use dma_buf from GEM object instance" This reverts commit e8afa1557f4f963c9a511bd2c6074a941c308685. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable | 2025-08-22 | not yet calculated | CVE-2025-38672 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "drm/gem-framebuffer: Use dma_buf from GEM object instance" This reverts commit cce16fcd7446dcff7480cd9d2b6417075ed81065. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable | 2025-08-22 | not yet calculated | CVE-2025-38673 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "drm/prime: Use dma_buf from GEM object instance" This reverts commit f83a9b8c7fd0557b0c50784bfdc1bbe9140c9bf8. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") and commit f6bfc9afc751 ("drm/framebuffer: Acquire internal references on GEM handles") only solved the problem partially. They especially don't work for buffer objects without a DRM framebuffer associated. Hence, this revert to going back to using .import_attach->dmabuf. v3: - cc stable | 2025-08-22 | not yet calculated | CVE-2025-38674 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: state: initialize state_ptrs earlier in xfrm_state_find In case of preemption, xfrm_state_look_at will find a different pcpu_id and look up states for that other CPU. If we matched a state for CPU2 in the state_cache while the lookup started on CPU1, we will jump to "found", but the "best" state that we got will be ignored and we will enter the "acquire" block. This block uses state_ptrs, which isn't initialized at this point. Let's initialize state_ptrs just after taking rcu_read_lock. This will also prevent a possible misuse in the future, if someone adjusts this function. | 2025-08-22 | not yet calculated | CVE-2025-38675 |
| Liuxz Software--FTP Synchronizer Professional | A stack-based buffer overflow exists in FTP Synchronizer Professional <= v4.0.73.274. When the client connects to an FTP server and issues a LIST command-typically during sync preview or profile creation-the server's response containing an overly long filename triggers a buffer overflow. This results in the corruption of the Structured Exception Handler (SEH), potentially allowing remote code execution. | 2025-08-21 | not yet calculated | CVE-2010-20107 |
| LogicData--eCommerce Framework | An authenticated arbitrary file upload vulnerability in the Content Explorer feature of LogicData eCommerce Framework v5.0.9.7000 allows attackers to execute arbitrary code via uploading a crafted file. | 2025-08-19 | not yet calculated | CVE-2025-52337 |
| LogicData--eCommerce Framework | An issue in the default configuration of the password reset function in LogicData eCommerce Framework v5.0.9.7000 allows attackers to bypass authentication and compromise user accounts via a bruteforce attack. | 2025-08-19 | not yet calculated | CVE-2025-52338 |
| lunary-ai--lunary-ai/lunary | An Insecure Direct Object Reference (IDOR) vulnerability was identified in the `POST /v1/templates` endpoint of the Lunary API, affecting versions up to 0.8.8. This vulnerability allows authenticated users to create templates in another user's project by altering the `projectId` query parameter. The root cause of this issue is the absence of server-side validation to ensure that the authenticated user owns the specified `projectId`. The vulnerability has been addressed in version 1.9.23. | 2025-08-18 | not yet calculated | CVE-2025-4962 |
| lunary-ai--lunary-ai/lunary | A critical stored Cross-Site Scripting (XSS) vulnerability exists in the Analytics component of lunary-ai/lunary versions up to 1.9.23, where the NEXT_PUBLIC_CUSTOM_SCRIPT environment variable is directly injected into the DOM using dangerouslySetInnerHTML without any sanitization or validation. This allows arbitrary JavaScript execution in all users' browsers if an attacker can control the environment variable during deployment or through server compromise. The vulnerability can lead to complete account takeover, data exfiltration, malware distribution, and persistent attacks affecting all users until the environment variable is cleaned. The issue is fixed in version 1.9.25. | 2025-08-23 | not yet calculated | CVE-2025-5352 |
| MAGIX Software GmbH--Magix Musik Maker | Magix Musik Maker 16 is vulnerable to a stack-based buffer overflow due to improper handling of .mmm arrangement files. The vulnerability arises from an unsafe strcpy() operation that fails to validate input length, allowing attackers to overwrite the Structured Exception Handler (SEH). By crafting a malicious .mmm file, an attacker can trigger the overflow when the file is opened, potentially leading to arbitrary code execution. This vulnerability was remediated in version 17. | 2025-08-20 | not yet calculated | CVE-2011-10021 |
| Maplesoft--Maple | Maple versions up to and including 13's Maplet framework allows embedded commands to be executed automatically when a .maplet file is opened. This behavior bypasses standard security restrictions that normally prevent code execution in regular Maple worksheets. The vulnerability enables attackers to craft malicious .maplet files that execute arbitrary code without user interaction. | 2025-08-21 | not yet calculated | CVE-2010-20120 |
| markdown-it--markdown-it | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in markdown-it allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/renderer.mjs. This issue affects markdown-it: 14.1.0. | 2025-08-21 | not yet calculated | CVE-2025-7969 |
| mermaid-js--mermaid | Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting. This vulnerability is fixed in 11.10.0. | 2025-08-19 | not yet calculated | CVE-2025-54880 |
| mermaid-js--mermaid | Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS. | 2025-08-19 | not yet calculated | CVE-2025-54881 |
| MGeurts--genealogy | Genealogy is a family tree PHP application. Prior to 4.4.0, Authenticated Stored Cross-Site Scripting (XSS) vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user's session, leading to session hijacking, data theft, and UI manipulation. This vulnerability is fixed in 4.4.0. | 2025-08-18 | not yet calculated | CVE-2025-55287 |
| Microsoft--Knack | Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. extract_full_summary_from_signature employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI. | 2025-08-20 | not yet calculated | CVE-2025-54363 |
| Microsoft--Knack | Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module. option_descriptions employs an inefficient regular expression pattern: "\s(:param)\s+(.+?)\s:(.*)" that is susceptible to catastrophic backtracking when processing crafted docstrings containing a large volume of whitespace without a terminating colon. An attacker who can control or inject docstring content into affected applications can trigger excessive CPU consumption. This software is used by Azure CLI. | 2025-08-20 | not yet calculated | CVE-2025-54364 |
| Millenium--MP3 Studio | Millenium MP3 Studio versions up to and including 2.0 is vulnerable to a stack-based buffer overflow when parsing .pls playlist files. The application fails to properly validate the length of the File1 field within the playlist, allowing an attacker to craft a malicious .pls file that overwrites the Structured Exception Handler (SEH) and executes arbitrary code. Exploitation requires the victim to open the file locally, though remote execution may be possible if the .pls extension is registered to the application and opened via a browser. | 2025-08-21 | not yet calculated | CVE-2009-20002 |
| MJM Software--Core Player | MJM Core Player (likely now referred to as MJM Player) 2011 is vulnerable to a stack-based buffer overflow when parsing specially crafted .s3m music files. The vulnerability arises from improper bounds checking in the file parser, allowing an attacker to overwrite memory on the stack and execute arbitrary code. Exploitation is triggered when a user opens a malicious .s3m file, and the exploit bypasses DEP and ASLR protections using a ROP chain. | 2025-08-20 | not yet calculated | CVE-2011-10024 |
| MJM Software--QuickPlayer | MJM QuickPlayer (likely now referred to as MJM Player) version 2010 contains a stack-based buffer overflow vulnerability triggered by opening a malicious .s3m music file. The flaw occurs due to improper bounds checking in the file parser, allowing an attacker to overwrite memory and execute arbitrary code. Exploitation is achieved via a crafted payload that bypasses DEP and ASLR protections using ROP techniques, and requires user interaction to open the file. | 2025-08-20 | not yet calculated | CVE-2011-10023 |
| mouse07410--asn1c | An issue was discovered in mouse07410 asn1c thru 0.9.29 (2025-03-20) - a fork of vlm asn1c. In UPER (Unaligned Packed Encoding Rules), asn1c-generated decoders fail to enforce INTEGER constraints when the bound is positive and exceeds 32 bits in length, potentially allowing incorrect or malicious input to be processed. | 2025-08-22 | not yet calculated | CVE-2025-55398 |
| Mozilla--Firefox | In the address bar, Firefox for Android truncated the display of URLs from the end instead of prioritizing the origin. This vulnerability affects Firefox < 141. | 2025-08-19 | not yet calculated | CVE-2025-8041 |
| Mozilla--Firefox | Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability affects Firefox < 141. | 2025-08-19 | not yet calculated | CVE-2025-8042 |
| Mozilla--Firefox | A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* This vulnerability affects Firefox < 141. | 2025-08-19 | not yet calculated | CVE-2025-8364 |
| Mozilla--Firefox | An attacker was able to perform memory corruption in the GMP process which processes encrypted media. This process is also heavily sandboxed, but represents slightly different privileges from the content process. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. | 2025-08-19 | not yet calculated | CVE-2025-9179 |
| Mozilla--Firefox | 'Same-origin policy bypass in the Graphics: Canvas2D component.' This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. | 2025-08-19 | not yet calculated | CVE-2025-9180 |
| Mozilla--Firefox | Uninitialized memory in the JavaScript Engine component. This vulnerability affects Firefox < 142, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. | 2025-08-19 | not yet calculated | CVE-2025-9181 |
| Mozilla--Firefox | 'Denial-of-service due to out-of-memory in the Graphics: WebRender component.' This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2. | 2025-08-19 | not yet calculated | CVE-2025-9182 |
| Mozilla--Firefox | Spoofing issue in the Address Bar component. This vulnerability affects Firefox < 142 and Firefox ESR < 140.2. | 2025-08-19 | not yet calculated | CVE-2025-9183 |
| Mozilla--Firefox | Memory safety bugs present in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 140.2, Thunderbird < 142, and Thunderbird < 140.2. | 2025-08-19 | not yet calculated | CVE-2025-9184 |
| Mozilla--Firefox | Memory safety bugs present in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142, Firefox ESR < 115.27, Firefox ESR < 128.14, Firefox ESR < 140.2, Thunderbird < 142, Thunderbird < 128.14, and Thunderbird < 140.2. | 2025-08-19 | not yet calculated | CVE-2025-9185 |
| Mozilla--Firefox | Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability affects Firefox < 142. | 2025-08-19 | not yet calculated | CVE-2025-9186 |
| Mozilla--Firefox | Memory safety bugs present in Firefox 141 and Thunderbird 141. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 142 and Thunderbird < 142. | 2025-08-19 | not yet calculated | CVE-2025-9187 |
| Mozilla--Firefox for iOS | Sandboxed iframes on webpages could potentially allow downloads to the device, bypassing the expected sandbox restrictions declared on the parent page This vulnerability affects Firefox for iOS < 141. | 2025-08-19 | not yet calculated | CVE-2025-54143 |
| Mozilla--Firefox for iOS | The URL scheme used by Firefox to facilitate searching of text queries could incorrectly allow attackers to open arbitrary website URLs or internal pages if a user was tricked into clicking a link This vulnerability affects Firefox for iOS < 141. | 2025-08-19 | not yet calculated | CVE-2025-54144 |
| Mozilla--Firefox for iOS | The QR scanner could allow arbitrary websites to be opened if a user was tricked into scanning a malicious link that leveraged Firefox's open-text URL scheme This vulnerability affects Firefox for iOS < 141. | 2025-08-19 | not yet calculated | CVE-2025-54145 |
| Mozilla--Firefox for iOS | Malicious scripts utilizing repetitive JavaScript alerts could prevent client user interaction in some scenarios and allow for denial of service attacks This vulnerability affects Firefox for iOS < 142. | 2025-08-19 | not yet calculated | CVE-2025-55028 |
| Mozilla--Firefox for iOS | Malicious scripts could bypass the popup blocker to spam new tabs, potentially resulting in denial of service attacks This vulnerability affects Firefox for iOS < 142. | 2025-08-19 | not yet calculated | CVE-2025-55029 |
| Mozilla--Firefox for iOS | Firefox for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline rather than downloading, potentially allowing for XSS attacks This vulnerability affects Firefox for iOS < 142. | 2025-08-19 | not yet calculated | CVE-2025-55030 |
| Mozilla--Firefox for iOS | Malicious pages could use Firefox for iOS to pass FIDO: links to the OS and trigger the hybrid passkey transport. An attacker within Bluetooth range could have used this to trick the user into using their passkey to log the attacker's computer into the target account. This vulnerability affects Firefox for iOS < 142 and Focus for iOS < 142. | 2025-08-19 | not yet calculated | CVE-2025-55031 |
| Mozilla--Focus for iOS | Focus for iOS would not respect a Content-Disposition header of type Attachment and would incorrectly display the content inline, potentially allowing for XSS attacks This vulnerability affects Focus for iOS < 142. | 2025-08-19 | not yet calculated | CVE-2025-55032 |
| Mozilla--Focus for iOS | Dragging JavaScript links to the URL bar in Focus for iOS could be utilized to run malicious scripts, potentially resulting in XSS attacks This vulnerability affects Focus for iOS < 142. | 2025-08-19 | not yet calculated | CVE-2025-55033 |
| musistudio--claude-code-router | claude-code-router is a powerful tool to route Claude Code requests to different models and customize any request. Due to improper Cross-Origin Resource Sharing (CORS) configuration, there is a risk that user API Keys or equivalent credentials may be exposed to untrusted domains. Attackers could exploit this misconfiguration to steal credentials, abuse accounts, exhaust quotas, or access sensitive data. The issue has been patched in v1.0.34. | 2025-08-21 | not yet calculated | CVE-2025-57755 |
| n/a--Agent-Zero | An issue in the component /api/download_work_dir_file.py of Agent-Zero v0.8.* allows attackers to execute a directory traversal. | 2025-08-21 | not yet calculated | CVE-2025-55523 |
| n/a--Agent-Zero | Insecure permissions in Agent-Zero v0.8.* allow attackers to arbitrarily reset the system via unspecified vectors. | 2025-08-21 | not yet calculated | CVE-2025-55524 |
| n/a--Akaunting | An issue in the component /settings/localisation of Akaunting v3.1.18 allows authenticated attackers to cause a Denial of Service (DoS) via a crafted POST request. | 2025-08-21 | not yet calculated | CVE-2025-55521 |
| n/a--Akaunting | Cross-site scripting (XSS) vulnerability in the component /common/reports of Akaunting v3.1.18 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter. | 2025-08-21 | not yet calculated | CVE-2025-55522 |
| n/a--Cicool Builder | An issue was discovered in Cicool builder 3.4.4 allowing attackers to reset the administrator's password via the /administrator/auth/reset_password endpoint. | 2025-08-19 | not yet calculated | CVE-2025-51543 |
| N/A--cipher-base | Improper Input Validation vulnerability in cipher-base allows Input Data Manipulation. This issue affects cipher-base: through 1.0.4. | 2025-08-20 | not yet calculated | CVE-2025-9287 |
| n/a--DooTask | An authenticated arbitrary file upload vulnerability in the component /msg/sendfiles of DooTask v1.0.51 allows attackers to execute arbitrary code via uploading a crafted file. | 2025-08-22 | not yet calculated | CVE-2025-55454 |
| n/a--DooTask | DooTask v1.0.51 was dicovered to contain an authenticated arbitrary download vulnerability via the component /msg/sendtext. | 2025-08-22 | not yet calculated | CVE-2025-55455 |
| n/a--dts-shop | Incorrect access control in dts-shop v0.0.1-SNAPSHOT allows attackers to bypass authentication via sending a crafted payload to /admin/auth/index. | 2025-08-20 | not yet calculated | CVE-2024-57154 |
| n/a--elysia-cors | An Origin Validation Error in the elysia-cors library thru 1.3.0 allows attackers to bypass Cross-Origin Resource Sharing (CORS) restrictions. The library incorrectly validates the supplied origin by checking if it is a substring of any domain in the site's CORS policy, rather than performing an exact match. For example, a malicious origin like "notexample.com", "example.common.net" is whitelisted when the site's CORS policy specifies "example.com." This vulnerability enables unauthorized access to user data on sites using the elysia-cors library for CORS validation. | 2025-08-20 | not yet calculated | CVE-2025-50864 |
| n/a--EzGED3 | EzGED3 3.5.0 contains an unauthenticated arbitrary file read vulnerability due to improper access control and insufficient input validation in a script exposed via the web interface. A remote attacker can supply a crafted path parameter to a PHP script to read arbitrary files from the filesystem. The script lacks both authentication checks and secure path handling, allowing directory traversal attacks (e.g., ../../../) to access sensitive files such as configuration files, database dumps, source code, and password reset tokens. If phpMyAdmin is exposed, extracted credentials can be used for direct administrative access. In environments without such tools, attacker-controlled file reads still allow full database extraction by targeting raw MySQL data files. The vendor states that the issue is fixed in 3.5.72.27183. | 2025-08-19 | not yet calculated | CVE-2025-51539 |
| n/a--EzGED3 | EzGED3 3.5.0 stores user passwords using an insecure hashing scheme: md5(md5(password)). This hashing method is cryptographically weak and allows attackers to perform efficient offline brute-force attacks if password hashes are disclosed. The lack of salting and use of a fast, outdated algorithm makes it feasible to recover plaintext credentials using precomputed tables or GPU-based cracking tools. The vendor states that the issue is fixed in 3.5.72.27183. | 2025-08-19 | not yet calculated | CVE-2025-51540 |
| n/a--FoxCMS | A Reflected Cross Site Scripting (XSS) vulnerability was found in /index.php in FoxCMS v1.2.6. When a crafted script is sent via a GET request, it is reflected unsanitized into the HTML response. This permits execution of arbitrary JavaScript code when a logged-in user submits the malicious input. | 2025-08-21 | not yet calculated | CVE-2025-55420 |
| n/a--hippo4j | hippo4j 1.0.0 to 1.5.0, uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical security risk in systems where authentication and authorization rely on the integrity of JWTs. | 2025-08-21 | not yet calculated | CVE-2025-51606 |
| n/a--Hustoj | Cross site scripting (XSS) vulnerability in Hustoj 2025-01-31 via the TID parameter to thread.php. | 2025-08-19 | not yet calculated | CVE-2025-50938 |
| n/a--itranswarp | Incorrect access control in the doFilter function of itranswarp up to 2.19 allows attackers to access sensitive components without authentication. | 2025-08-20 | not yet calculated | CVE-2025-28041 |
| n/a--Jantent | Incorrect access control in Jantent v1.1 allows attackers to bypass authentication and access sensitive APIs without a token. | 2025-08-20 | not yet calculated | CVE-2024-57157 |
| n/a--JeecgBoot | JeecgBoot versions from 3.4.3 up to 3.8.0 were found to contain a SQL injection vulnerability in the /jeecg-boot/online/cgreport/head/parseSql endpoint, which allows bypassing SQL blacklist restrictions. | 2025-08-22 | not yet calculated | CVE-2025-51825 |
| n/a--JeeWMS | JeeWMS 771e4f5d0c01ffdeae1671be4cf102b73a3fe644 (2025-05-19) contains incorrect authentication bypass vulnerability, which can lead to arbitrary file reading. | 2025-08-20 | not yet calculated | CVE-2025-50901 |
| n/a--Jeewms | Jeewms v3.7 was discovered to contain a SQL injection vulnerability via the CgReportController API. | 2025-08-22 | not yet calculated | CVE-2024-53499 |
| n/a--jeewx-boot | jeewx-boot 1.3 has an authentication bypass vulnerability in the preHandle function | 2025-08-20 | not yet calculated | CVE-2024-50640 |
| n/a--jshERP | Incorrect access control in the component \controller\UserController.java of jshERP v3.5 allows attackers to arbitrarily reset user account passwords and execute a horizontal privilege escalation attack. | 2025-08-21 | not yet calculated | CVE-2025-55366 |
| n/a--jshERP | Incorrect access control in the component \controller\SupplierController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. | 2025-08-21 | not yet calculated | CVE-2025-55367 |
| n/a--jshERP | Incorrect access control in the component \controller\RoleController.java of jshERP v3.5 allows unauthorized attackers to arbitrarily modify the supplier status under any account. | 2025-08-21 | not yet calculated | CVE-2025-55368 |
| n/a--jshERP | Incorrect access control in the component \controller\ResourceController.java of jshERP v3.5 allows unauthorized attackers to obtain all the corresponding ID data by modifying the ID value. | 2025-08-21 | not yet calculated | CVE-2025-55370 |
| n/a--jshERP | Incorrect access control in the component /controller/PersonController.java of jshERP v3.5 allows unauthorized attackers to obtain all the information of the handler by executing the getAllList method. | 2025-08-21 | not yet calculated | CVE-2025-55371 |
| n/a--libsndfile | A buffer overflow vulnerability exists in libsndfile version 1.2.2 and potentially earlier versions when processing malformed IRCAM audio files. The vulnerability occurs in the ircam_read_header function at src/ircam.c:164 during sample rate processing, leading to memory corruption and potential code execution. | 2025-08-21 | not yet calculated | CVE-2025-52194 |
| n/a--MallChat | MallChat v1.0-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access API without any token. | 2025-08-22 | not yet calculated | CVE-2024-50645 |
| n/a--MCCMS | MCCMS 2.7.0 is vulnerable to Arbitrary file deletion in the Backups.php component. This allows an attacker to execute arbitrary commands | 2025-08-21 | not yet calculated | CVE-2025-51818 |
| n/a--MCSManager | MCSManager 10.5.3 daemon process runs as a root account by default, and its sensitive data (including tokens and terminal content) is stored in the data directory, readable by all users. Other users on the system can read the daemon's key and use it to log in, leading to privilege escalation. | 2025-08-22 | not yet calculated | CVE-2025-50691 |
| n/a--MoonShine | A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.5, allowing to execute arbitrary JavaScript by using "javascript:" payload, instead of the expected HTTPS protocol, in the CutCode Link parameter when creating/updating a new Article. | 2025-08-19 | not yet calculated | CVE-2025-51487 |
| n/a--MoonShine | A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.4, allowing remote attackers to store and execute arbitrary JavaScript by including a malicious HTML payload in the Name parameter when creating a new Admin. | 2025-08-19 | not yet calculated | CVE-2025-51488 |
| n/a--MoonShine | A Stored Cross-Site Scripting (XSS) vulnerability exists in MoonShine version < 3.12.5, allowing remote attackers to upload a malicious SVG file when creating/updating an Article and correctly execute arbitrary JavaScript when the file link is opened. | 2025-08-19 | not yet calculated | CVE-2025-51489 |
| n/a--MoonShine | MoonShine was discovered to contain a SQL injection vulnerability under the Blog -> Categories page when using the moonshine-tree-resource (version < 2.0.2) component. | 2025-08-19 | not yet calculated | CVE-2025-51510 |
| n/a--Moss | Moss before v0.15 has a file upload vulnerability. The "upload" function configuration allows attackers to upload files of any extension to any location on the target server. | 2025-08-21 | not yet calculated | CVE-2025-55383 |
| n/a--mupen64plus | In mupen64plus v2.6.0 there is an array overflow vulnerability in the write_rdram_regs and write_rdram_regs functions, which enables executing arbitrary commands on the host machine. | 2025-08-22 | not yet calculated | CVE-2025-29366 |
| n/a--my-site | Incorrect access control in the preHandle function of my-site v1.0.2.RELEASE allows attackers to access sensitive components without authentication. | 2025-08-20 | not yet calculated | CVE-2024-53495 |
| n/a--my-site | Incorrect access control in the doFilter function of my-site v1.0.2.RELEASE allows attackers to access sensitive components without authentication. | 2025-08-22 | not yet calculated | CVE-2024-53496 |
| n/a--my-site | Incorrect access control in the preHandle function of my-site v1.0.2 allows attackers to access sensitive components without authentication via the cn.luischen.interceptor.BaseInterceptor class | 2025-08-20 | not yet calculated | CVE-2024-57152 |
| n/a--NextChat | NextChat contains a cross-site scripting (XSS) vulnerability in the HTMLPreview component of artifacts.tsx that allows attackers to execute arbitrary JavaScript code when HTML content is rendered in the AI chat interface. The vulnerability occurs because user-influenced HTML from AI responses is rendered in an iframe with 'allow-scripts' sandbox permission without proper sanitization. This can be exploited through specifically crafted prompts that cause the AI to generate malicious HTML/JavaScript code. When a user views the HTML preview, the injected JavaScript executes in the user's browser context, potentially allowing attackers to exfiltrate sensitive information (including API keys stored in localStorage), perform actions on behalf of the user, and steal session data. | 2025-08-22 | not yet calculated | CVE-2025-50733 |
| n/a--Nginx Proxy Manager | A CORS misconfiguration in Nginx Proxy Manager v2.12.3 allows unauthorized domains to access sensitive data, particularly JWT tokens, due to improper validation of the Origin header. This misconfiguration enables attackers to intercept tokens using a simple browser script and exfiltrate them to a remote attacker-controlled server, potentially leading to unauthorized actions within the application. | 2025-08-19 | not yet calculated | CVE-2025-50579 |
| n/a--Online Artwork and Fine Arts MCA Project | A SQL injection vulnerability exists in the id2 parameter of the cancel_booking.php page in Online Artwork and Fine Arts MCA Project 1.0. A remote attacker can inject arbitrary SQL queries, leading to database enumeration and potential remote code execution. | 2025-08-20 | not yet calculated | CVE-2025-55444 |
| n/a--OpenMediaVault | An issue was discovered in the changePassword method in file /usr/share/php/openmediavault/system/user.inc in OpenMediaVault 7.4.17 allowing local authenticated attackers to escalate privileges to root. | 2025-08-22 | not yet calculated | CVE-2025-50674 |
| n/a--OperaMasks SDK ELite | OperaMasks SDK ELite Script Engine v0.5.0 was discovered to contain a deserialization vulnerability. | 2025-08-22 | not yet calculated | CVE-2025-52287 |
| n/a--PandoraNext-TokensTool | An authentication bypass vulnerability in PandoraNext-TokensTool v0.6.8 and before. An attacker can exploit this vulnerability to access API without any token. | 2025-08-21 | not yet calculated | CVE-2024-50641 |
| n/a--radar | Incorrect access control in radar v1.0.8 allows attackers to bypass authentication and access sensitive APIs without a token. | 2025-08-20 | not yet calculated | CVE-2024-57155 |
| n/a--Roadcube API | An issue in Roadcute API v.1 allows a remote attacker to execute arbitrary code via the application exposing a password reset API endpoint that fails to validate the identity of the requester properly | 2025-08-21 | not yet calculated | CVE-2025-52395 |
| N/A--sha.js | Improper Input Validation vulnerability in sha.js allows Input Data Manipulation. This issue affects sha.js: through 2.4.11. | 2025-08-20 | not yet calculated | CVE-2025-9288 |
| n/a--Shopizer | An issue was discovered in Shopizer 3.2.7. The server's CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: true. This allows any malicious origin to make authenticated cross-origin requests and read sensitive responses. | 2025-08-22 | not yet calculated | CVE-2025-51605 |
| n/a--spimsimulator spim | spimsimulator spim v9.1.24 and before is vulnerable to Buffer Overflow in READ_STRING_SYSCALL. | 2025-08-22 | not yet calculated | CVE-2025-29365 |
| n/a--SpringBootBlog | Incorrect access control in the preHandle function of SpringBootBlog v1.0.0 allows attackers to access sensitive components without authentication. | 2025-08-22 | not yet calculated | CVE-2024-53494 |
| n/a--Touch Lebanon Mobile App | A vulnerability in the password reset workflow of the Touch Lebanon Mobile App 2.20.2 allows an attacker to bypass the OTP reset password mechanism. By manipulating the reset process, an unauthorized user may be able to reset the password and gain access to the account without needing to provide a legitimate authentication factor, such as an OTP. This compromises account security and allows for potential unauthorized access to user data. | 2025-08-20 | not yet calculated | CVE-2025-50503 |
| n/a--XWiki | XWiki through version 17.3.0 is affected by multiple stored Cross-Site Scripting (XSS) vulnerabilities in the Administration interface, specifically under the Presentation section of the Global Preferences panel. An authenticated administrator can inject arbitrary JavaScript payloads into the HTTP Meta Info, Footer Copyright, and Footer Version fields. These inputs are stored and subsequently rendered without proper output encoding or sanitization on public-facing pages. As a result, the injected scripts are persistently executed in the browser context of any visitor to the affected instances including both authenticated and unauthenticated users. No user interaction is required beyond visiting a page that includes the malicious content. Successful exploitation can lead to session hijacking, credential theft, unauthorized actions via session riding, or further compromise of the application through client-side attacks. The vulnerability introduces significant risk in any deployment, especially in shared or internet-facing environments where administrator credentials may be compromised. | 2025-08-20 | not yet calculated | CVE-2025-51990 |
| n/a--XWiki | XWiki through version 17.3.0 is vulnerable to Server-Side Template Injection (SSTI) in the Administration interface, specifically within the HTTP Meta Info field of the Global Preferences Presentation section. An authenticated administrator can inject crafted Apache Velocity template code, which is rendered on the server side without proper validation or sandboxing. This enables the execution of arbitrary template logic, which may expose internal server information or, in specific configurations, lead to further exploitation such as remote code execution or sensitive data leakage. The vulnerability resides in improper handling of dynamic template rendering within user-supplied configuration fields. | 2025-08-20 | not yet calculated | CVE-2025-51991 |
| NetSarang Computer, Inc.--Xftp FTP Client | Xftp FTP Client version up to and including 3.0 (build 0238) contain a stack-based buffer overflow vulnerability triggered by a maliciously crafted PWD response from an FTP server. When the client connects to a server and receives an overly long directory string in response to the PWD command, the client fails to properly validate the length of the input before copying it into a fixed-size buffer. This results in memory corruption and allows remote attackers to execute arbitrary code on the client system. | 2025-08-21 | not yet calculated | CVE-2010-20122 |
| New Software S.C.--Gekko Manager FTP Client | Gekko Manager FTP Client <= 0.77 contains a stack-based buffer overflow in its FTP directory listing parser. When processing a server response to a LIST command, the client fails to properly validate the length of filenames. A crafted response containing an overly long filename can overwrite the Structured Exception Handler (SEH), potentially allowing remote code execution. | 2025-08-21 | not yet calculated | CVE-2010-20034 |
| Nutanix--Prism Central | Prism Central versions prior to 2024.3.1 are vulnerable to a stored cross-site scripting attack via the Events component, allowing an attacker to hijack a victim user's session and perform actions in their security context. | 2025-08-20 | not yet calculated | CVE-2024-12223 |
| Odin Software--Odin Secure FTP | Odin Secure FTP <= 4.1 is vulnerable to a stack-based buffer overflow when parsing directory listings received in response to an FTP LIST command. A malicious FTP server can send an overly long filename in the directory listing, which overflows a fixed-size stack buffer in the client and overwrites the Structured Exception Handler (SEH). This allows remote attackers to execute arbitrary code on the client system. | 2025-08-20 | not yet calculated | CVE-2010-10014 |
| old-peanut--Open-Shop | Cross Site Request Forgery (CSRF) vulnerability in old-peanut Open-Shop (aka old-peanut/wechat_applet__open_source) thru 1.0.0 allows attackers to gain sensitive information via crafted HTTP Post message. | 2025-08-20 | not yet calculated | CVE-2025-50902 |
| openfga--openfga | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.9.3 to v1.9.4 ( openfga-0.2.40 <= Helm chart <= openfga-0.2.41, v1.9.3 <= docker <= v.1.9.4) are vulnerable to improper policy enforcement when certain Check and ListObject calls are executed. This vulnerability is fixed in 1.9.5. | 2025-08-18 | not yet calculated | CVE-2025-55213 |
| OpenSolution--Quick.CMS | QuickCMS is vulnerable to Stored XSS in sTitle parameter in page editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. Regular admin user is not able to inject any JS scripts into the page. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-08-20 | not yet calculated | CVE-2025-54172 |
| OpenSolution--Quick.CMS | QuickCMS is vulnerable to Cross-Site Request Forgery in article creation functionality. Malicious attacker can craft special website, which when visited by the admin, will automatically send a POST request creating a malicious article with content defined by the attacker. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-08-20 | not yet calculated | CVE-2025-54174 |
| OpenSolution--Quick.CMS.EXT | QuickCMS.EXT is vulnerable to Reflected XSS in sFileName parameter in thumbnail viewer functionality. An attacker can craft a malicious URL that results in arbitrary JavaScript execution in the victim's browser when opened. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2025-08-20 | not yet calculated | CVE-2025-54175 |
| PDQ--Smart Deploy | Insecure Permissions vulnerability in PDQ Smart Deploy V.3.0.2040 allows a local attacker to execute arbtirary code via the \HKLM\SYSTEM\Setup\SmartDeploy component | 2025-08-22 | not yet calculated | CVE-2025-52094 |
| PDQ--Smart Deploy | An issue in PDQ Smart Deploy V.3.0.2040 allows an attacker to escalate privileges via the Credential encryption routines in SDCommon.dll | 2025-08-22 | not yet calculated | CVE-2025-52095 |
| Plesk--Plesk Obsidian | In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed by any digit string, then an attacker can login with any other string that evaluates to 0.0 (such as the 0e0 string). This occurs in admin/plib/LoginManager.php. | 2025-08-19 | not yet calculated | CVE-2025-54336 |
| Plex, Inc.--Plex Media Server | Plex Media Server (PMS) versions 1.41.7.x through 1.42.0.x are affected by an unspecified security vulnerability reported via Plex's bug bounty program. While technical details have not been publicly disclosed, the issue was acknowledged by the vendor and resolved in version 1.42.1. The vulnerability may pose a risk to system integrity, confidentiality, or availability, prompting a strong recommendation for all users to upgrade immediately. | 2025-08-21 | not yet calculated | CVE-2025-34158 |
| ProFTPD Project--ProFTPD (Professional FTP Daemon) | A malicious backdoor was embedded in the official ProFTPD 1.3.3c source tarball distributed between November 28 and December 2, 2010. The backdoor implements a hidden FTP command trigger that, when invoked, causes the server to execute arbitrary shell commands with root privileges. This allows remote, unauthenticated attackers to run any OS command on the FTP server host. | 2025-08-20 | not yet calculated | CVE-2010-20103 |
| pyload--pyload | pyLoad is the free and open-source Download Manager written in pure Python. The jk parameter is received in pyLoad CNL Blueprint. Due to the lack of jk parameter verification, the jk parameter input by the user is directly determined as dykpy.evaljs(), resulting in the server CPU being fully occupied and the web-ui becoming unresponsive. This vulnerability is fixed in 0.5.0b3.dev92. | 2025-08-21 | not yet calculated | CVE-2025-57751 |
| QNAP Systems Inc.--File Station 5 | An out-of-bounds write vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify or corrupt memory. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4933 and later | 2025-08-18 | not yet calculated | CVE-2025-47206 |
| QuantumNous--new-api | QuantumNous new-api v.0.8.5.2 is vulnerable to Cross Site Scripting (XSS). | 2025-08-22 | not yet calculated | CVE-2025-55573 |
| RealNetworks--RealArcade ActiveX | The RealNetworks RealArcade platform includes an ActiveX control (InstallerDlg.dll, version 2.6.0.445) that exposes a method named Exec via the StubbyUtil.ProcessMgr COM object. This method allows remote attackers to execute arbitrary commands on a victim's Windows machine without proper validation or restrictions. This platform was sometimes referred to or otherwise known as RealArcade or Arcade Games and has since consolidated with RealNetworks' platform, GameHouse. | 2025-08-20 | not yet calculated | CVE-2011-10028 |
| Reolink--Reolink App | Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering. | 2025-08-22 | not yet calculated | CVE-2025-55619 |
| Reolink--Reolink App | A cross-site scripting (XSS) vulnerability in the valuateJavascript() function of Reolink v4.54.0.4.20250526 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. | 2025-08-22 | not yet calculated | CVE-2025-55620 |
| Reolink--Reolink App | An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. | 2025-08-22 | not yet calculated | CVE-2025-55621 |
| Reolink--Reolink App | Reolink v4.54.0.4.20250526 was discovered to contain a task hijacking vulnerability due to inappropriate taskAffinity settings. | 2025-08-22 | not yet calculated | CVE-2025-55622 |
| Reolink--Reolink App | An issue in the lock screen component of Reolink v4.54.0.4.20250526 allows attackers to bypass authentication via using an ADB (Android Debug Bridge). | 2025-08-22 | not yet calculated | CVE-2025-55623 |
| Reolink--Reolink App | An intent redirection vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access internal functions or access non-public components. | 2025-08-22 | not yet calculated | CVE-2025-55624 |
| Reolink--Reolink App | An open redirect vulnerability in Reolink v4.54.0.4.20250526 allows attackers to redirect users to a malicious site via a crafted URL. | 2025-08-22 | not yet calculated | CVE-2025-55625 |
| Reolink--Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime | An Insecure Direct Object Reference (IDOR) vulnerability in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to access the Admin-only settings and edit the session storage. | 2025-08-22 | not yet calculated | CVE-2025-55626 |
| Reolink--Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime | Insufficient privilege verification in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows authenticated attackers to create accounts with elevated privileges. | 2025-08-22 | not yet calculated | CVE-2025-55627 |
| Reolink--Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime | Insecure permissions in Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allow attackers to arbitrarily change other users' passwords via manipulation of the userName value. | 2025-08-22 | not yet calculated | CVE-2025-55629 |
| Reolink--Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime | A discrepancy in the error message returned by the login function of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 when entering the wrong username and password allows attackers to enumerate existing accounts. | 2025-08-22 | not yet calculated | CVE-2025-55630 |
| Reolink--Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime | Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 was discovered to manage users' sessions system wide instead of an account-by-account basis, potentially leading to a Denial of Service (DoS) via resource exhaustion. | 2025-08-22 | not yet calculated | CVE-2025-55631 |
| Reolink--Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime | Incorrect access control in the RTMP server settings of Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 allows unauthorized attackers to cause a Denial of Service (DoS) via initiating a large number of simultaneous ffmpeg-based stream pushes. | 2025-08-22 | not yet calculated | CVE-2025-55634 |
| Reolink--Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime | Reolink Smart 2K+ Plug-in Wi-Fi Video Doorbell with Chime - firmware v3.0.0.4662_2503122283 was discovered to contain a command injection vulnerability via the setddns_pip_system() function. | 2025-08-22 | not yet calculated | CVE-2025-55637 |
| riscv-boom--SonicBOOM | A vulnerability exists in riscv-boom SonicBOOM 1.2 (BOOMv1.2) processor implementation, where valid virtual-to-physical address translations configured with write permissions (PTE_W) in SV39 mode may incorrectly trigger a Store/AMO access fault during store instructions (sd). This occurs despite the presence of proper page table entries and valid memory access modes. The fault is reproducible when transitioning into virtual memory and attempting store operations in mapped kernel memory, indicating a potential flaw in the MMU, PMP, or memory access enforcement logic. This may cause unexpected kernel panics or denial of service in systems using BOOMv1.2. | 2025-08-19 | not yet calculated | CVE-2025-50897 |
| Rocket Software--Seagull FTP Client | Seagull FTP Client <= v3.3 Build 409 contains a stack-based buffer overflow vulnerability in its FTP directory listing parser. When the client connects to an FTP server and receives a crafted response to a LIST command containing an excessively long filename, the application fails to properly validate input length, resulting in a buffer overflow that overwrites the Structured Exception Handler (SEH). This may allow remote attackers to execute arbitrary code on the client system. This product line was discontinued and users were advised to use BlueZone Secure FTP instead, at the time of disclosure. | 2025-08-21 | not yet calculated | CVE-2010-20007 |
| Rockwell Automation--PLC - Micro850 L50E | A security issue exists due to improper handling of malformed CIP Forward Close packets during fuzzing. The controller enters a solid red Fault LED state and becomes unresponsive. Upon power cycle, the controller will enter recoverable fault where the MS LED and Fault LED become flashing red and reports fault code 0xF015. To recover, clear the fault. | 2025-08-18 | not yet calculated | CVE-2025-7693 |
| Salesforce--Tableau Server | Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (Flow Editor modules) allows Absolute Path Traversal.This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | 2025-08-22 | not yet calculated | CVE-2025-26497 |
| Salesforce--Tableau Server | Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (establish-connection-no-undo modules) allows Absolute Path Traversal.This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | 2025-08-22 | not yet calculated | CVE-2025-26498 |
| Salesforce--Tableau Server | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salesforce Tableau Server on Windows, Linux (abdoc api - create-data-source-from-file-upload modules) allows Absolute Path Traversal.This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | 2025-08-22 | not yet calculated | CVE-2025-52450 |
| Salesforce--Tableau Server | Improper Input Validation vulnerability in Salesforce Tableau Server on Windows, Linux (tabdoc api - create-data-source-from-file-upload modules) allows Absolute Path Traversal.This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | 2025-08-22 | not yet calculated | CVE-2025-52451 |
| Salesforce--Tableau Server, Tableau Desktop | Access of Resource Using Incompatible Type ('Type Confusion') vulnerability in Salesforce Tableau Server, Tableau Desktop on Windows, Linux (File Upload modules) allows Local Code Inclusion.This issue affects Tableau Server, Tableau Desktop: before 2025.1.3, before 2024.2.12, before 2023.3.19. | 2025-08-22 | not yet calculated | CVE-2025-26496 |
| sapphi-red--vite-plugin-static-copy | vite-plugin-static-copy is rollup-plugin-copy for Vite with dev server support. Files not included in src are accessible with a crafted request. The vulnerability is fixed in 2.3.2 and 3.1.2. | 2025-08-21 | not yet calculated | CVE-2025-57753 |
| Saurus--Saurus CMS Community Edition | Saurus CMS Community Edition 4.7.1 contains a vulnerability in the custom DB::prepare() function, which uses preg_replace() with the deprecated /e (eval) modifier to interpolate SQL query parameters. This leads to injection of user-controlled SQL statements, potentially leading to arbitrary PHP code execution. | 2025-08-19 | not yet calculated | CVE-2025-50567 |
| Schneider Electric--EcoStruxure Power Monitoring Expert (PME) | CWE-502: Deserialization of Untrusted Data vulnerability exists that could cause remote code execution and compromise of system integrity when authenticated users send crafted data to a network-exposed service that performs unsafe deserialization. | 2025-08-20 | not yet calculated | CVE-2025-54923 |
| Schnieder Electric--EcoStruxureTM Building Operation Enterprise Server | CWE-400: Uncontrolled Resource Consumption vulnerability exists that could cause a denial of service when an authenticated user sends a specially crafted request to a specific endpoint from within the BMS network. | 2025-08-20 | not yet calculated | CVE-2025-8449 |
| Six Apart Ltd.--Movable Type (Software Edition) | Movable Type contains an issue with use of less trusted source. If exploited, tampered email to reset a password may be sent by a remote unauthenticated attacker. | 2025-08-20 | not yet calculated | CVE-2025-53522 |
| Six Apart Ltd.--Movable Type (Software Edition) | URL redirection to untrusted site ('Open Redirect') issue exists in Movable Type. If this vulnerability is exploited, an invalid parameter may be inserted into the password reset page, which may lead to redirection to an arbitrary URL. | 2025-08-20 | not yet calculated | CVE-2025-55706 |
| Sockso Project--Music Host Server | Sockso Music Host Server versions <= 1.5 are vulnerable to a path traversal flaw that allows unauthenticated remote attackers to read arbitrary files from the server's filesystem. The vulnerability exists in the HTTP interface on port 4444, where the endpoint /file/ fails to properly sanitize user-supplied input. Attackers can traverse directories and access sensitive files outside the intended web root. | 2025-08-20 | not yet calculated | CVE-2012-10061 |
| SPlayer Project--SPlayer | SPlayer version 3.7 and earlier is vulnerable to a stack-based buffer overflow when processing HTTP responses containing an overly long Content-Type header. The vulnerability occurs due to improper bounds checking on the header value, allowing an attacker to overwrite the Structured Exception Handler (SEH) and execute arbitrary code. Exploitation requires the victim to open a media file that triggers an HTTP request to a malicious server, which responds with a crafted Content-Type header. | 2025-08-20 | not yet calculated | CVE-2011-10022 |
| Spreecommerce--Spreecommerce | Spreecommerce versions prior to 0.50.x contain a remote command execution vulnerability in the API's search functionality. Improper input sanitation allows attackers to inject arbitrary shell commands via the search[instance_eval] parameter, which is dynamically invoked using Ruby's send method. This flaw enables unauthenticated attackers to execute commands on the server. | 2025-08-20 | not yet calculated | CVE-2011-10026 |
| Steinberg--MyMP3Player | Steinberg MyMP3Player version 3.0 (build 3.0.0.67) is vulnerable to a stack-based buffer overflow when parsing .m3u playlist files. The application fails to properly validate the length of input data within the playlist, allowing a specially crafted file to overwrite critical memory structures and execute arbitrary code. This vulnerability can be exploited locally by convincing a user to open a malicious .m3u file. | 2025-08-21 | not yet calculated | CVE-2010-20123 |
| StrongDM--sdm | The StrongDM Windows service incorrectly handled communication related to system certificate management. Attackers could exploit this behavior to install untrusted root certificates or remove trusted ones. | 2025-08-20 | not yet calculated | CVE-2025-6182 |
| StrongDM--sdm-cli | The StrongDM Client insufficiently protected a pre-authentication token. Attackers could exploit this to intercept and reuse the token, potentially redeeming valid authentication credentials through a race condition. | 2025-08-20 | not yet calculated | CVE-2025-6180 |
| StrongDM--sdm-cli | The StrongDM Windows service incorrectly handled input validation. Authenticated attackers could potentially exploit this leading to privilege escalation. | 2025-08-20 | not yet calculated | CVE-2025-6181 |
| StrongDM--sdm-cli | The StrongDM macOS client incorrectly processed JSON-formatted messages. Attackers could potentially modify macOS system configuration by crafting a malicious JSON message. | 2025-08-20 | not yet calculated | CVE-2025-6183 |
| Subtitle Processor--Subtitle Processor | Subtitle Processor 7.7.1 contains a buffer overflow vulnerability in its .m3u file parser. When a crafted playlist file is opened, the application converts input to Unicode and copies it to a fixed-size stack buffer without proper bounds checking. This allows an attacker to overwrite the Structured Exception Handler (SEH) and execute arbitrary code. | 2025-08-20 | not yet calculated | CVE-2011-10025 |
| Tenda--AC15 | Tenda AC15 v15.03.05.19_multi_TD01 has a stack overflow via the list parameter in the fromSetIpMacBind function. | 2025-08-21 | not yet calculated | CVE-2025-55564 |
| Tenda--AC6 | Tenda AC6 V15.03.06.23_multi is vulnerable to Buffer Overflow in the formSetCfm function. | 2025-08-20 | not yet calculated | CVE-2025-55482 |
| Tenda--AC6 | Tenda AC6 V15.03.06.23_multi is vulnerable to Buffer Overflow in the function formSetMacFilterCfg via the parameters macFilterType and deviceList. | 2025-08-20 | not yet calculated | CVE-2025-55483 |
| Tenda--AC6 | Tenda AC6 V15.03.06.23_multi was discovered to contain a buffer overflow via the time parameter in the fromSetSysTime function. | 2025-08-20 | not yet calculated | CVE-2025-55498 |
| Tenda--AC6 | Tenda AC6 V15.03.06.23_multi was discovered to contain a buffer overflow via the ntpServer parameter in the fromSetSysTime function. | 2025-08-20 | not yet calculated | CVE-2025-55499 |
| Tenda--AC6 | Tenda AC6 V15.03.06.23_multi has a stack overflow vulnerability via the deviceName parameter in the saveParentControlInfo function. | 2025-08-20 | not yet calculated | CVE-2025-55503 |
| Tenda--AX3 | Tenda AX3 V16.03.12.10_CN is vulnerable to Buffer Overflow in the fromSetSysTime function via the ntpServer parameter. | 2025-08-22 | not yet calculated | CVE-2025-55603 |
| Tenda--AX3 | Tenda AX3 V16.03.12.10_CN is vulnerable to Buffer Overflow in the saveParentControlInfo function via the deviceName parameter. | 2025-08-22 | not yet calculated | CVE-2025-55605 |
| Tenda--AX3 | Tenda AX3 V16.03.12.10_CN is vulnerable to Buffer Overflow in the fromAdvSetMacMtuWan function via the serverName parameter. | 2025-08-22 | not yet calculated | CVE-2025-55606 |
| Tenda--O3V2 | Tenda O3V2 1.0.0.12(3880) is vulnerable to Buffer Overflow in the fromSafeSetMacFilter function via the mac parameter. | 2025-08-22 | not yet calculated | CVE-2025-55613 |
| Thermo Fisher Scientific--ePort | Thermo Fisher Scientific ePort through 3.0.0 has Incorrect Access Control. | 2025-08-18 | not yet calculated | CVE-2025-32992 |
| TitanHQ--SpamTitan Email Security Gateway | An issue was discovered in TitanHQ SpamTitan Email Security Gateway 8.00.x before 8.00.101 and 8.01.x before 8.01.14. The file quarantine.php within the SpamTitan interface allows unauthenticated users to trigger account-level actions using a crafted GET request. Notably, when a non-existent email address is provided as part of the email parameter, SpamTitan will automatically create a user record and associate quarantine settings with it - all without requiring authentication. | 2025-08-21 | not yet calculated | CVE-2024-45438 |
| TOTOLINK--A3002R | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain insecure credentials for the telnet service and root account. | 2025-08-18 | not yet calculated | CVE-2025-55584 |
| TOTOLINK--A3002R | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain an eval injection vulnerability via the eval() function. | 2025-08-18 | not yet calculated | CVE-2025-55585 |
| TOTOLINK--A3002R | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the url parameter at /boafrm/formFilter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2025-08-18 | not yet calculated | CVE-2025-55586 |
| TOTOLINK--A3002R | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the hostname parameter at /boafrm/formMapDelDevice. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2025-08-18 | not yet calculated | CVE-2025-55587 |
| TOTOLINK--A3002R | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain a buffer overflow in the fw_ip parameter at /boafrm/formPortFw. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2025-08-18 | not yet calculated | CVE-2025-55588 |
| TOTOLINK--A3002R | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain multiple OS command injection vulnerabilities via the macstr, bandstr, and clientoff parameters at /boafrm/formMapDelDevice. | 2025-08-18 | not yet calculated | CVE-2025-55589 |
| TOTOLINK--A3002R | TOTOLINK A3002R v4.0.0-B20230531.1404 was discovered to contain an command injection vulnerability via the component bupload.html. | 2025-08-18 | not yet calculated | CVE-2025-55590 |
| TOTOLINK--A3002R | TOTOLINK-A3002R v4.0.0-B20230531.1404 was discovered to contain a command injection vulnerability in the devicemac parameter in the formMapDel endpoint. | 2025-08-18 | not yet calculated | CVE-2025-55591 |
| Ubiquiti Inc--EdgeMAX EdgeSwitch | An Improper Input Validation in EdgeMAX EdgeSwitch (Version 1.11.0 and earlier) could allow a Command Injection by a malicious actor with access to EdgeSwitch adjacent network. Affected Products: EdgeMAX EdgeSwitch (Version 1.11.0 and earlier) Mitigation: Update the EdgeMAX EdgeSwitch to Version 1.11.1 or later. | 2025-08-21 | not yet calculated | CVE-2025-48978 |
| Ubiquiti Inc--UISP Application | Multiple Incorrect Permission Assignment for Critical Resource in UISP Application may allow a malicious actor with certain permissions to escalate privileges. | 2025-08-21 | not yet calculated | CVE-2025-27216 |
| Ubiquiti Inc--UISP Application | A Server-Side Request Forgery (SSRF) in the UISP Application may allow a malicious actor with certain permissions to make requests outside of UISP Application scope. | 2025-08-21 | not yet calculated | CVE-2025-27217 |
| Ubiquiti Inc--UniFi Connect Display Cast | An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect Display Cast devices to make unsupported changes to the system. Affected Products: UniFi Connect Display Cast (Version 1.10.3 and earlier) UniFi Connect Display Cast Pro (Version 1.0.89 and earlier) UniFi Connect Display Cast Lite (Version 1.0.3 and earlier) Mitigation: Update UniFi Connect Display Cast to Version 1.10.7 or later Update UniFi Connect Display Cast Pro to Version 1.0.94 or later Update UniFi Connect Display Cast Lite to Version 1.1.8 or later | 2025-08-21 | not yet calculated | CVE-2025-27215 |
| Ubiquiti Inc--UniFi Connect EV Station Lite | Multiple Improper Input Validation vulnerabilities in UniFi Connect EV Station Lite may allow a Command Injection by a malicious actor with network access to the UniFi Connect EV Station Lite. Affected Products: UniFi Connect EV Station Lite (Version 1.5.1 and earlier) Mitigation: Update UniFi Connect EV Station Lite to Version 1.5.2 or later | 2025-08-21 | not yet calculated | CVE-2025-24285 |
| Ubiquiti Inc--UniFi Connect EV Station Pro | An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect devices to enable Android Debug Bridge (ADB) and make unsupported changes to the system. Affected Products: UniFi Connect EV Station Pro (Version 1.5.18 and earlier) UniFi Connect Display (Version 1.9.324 and earlier) UniFi Connect Display Cast (Version 1.9.301 and earlier) UniFi Connect Display Cast Pro (Version 1.0.78 and earlier) UniFi Connect Display Cast Lite (Version 1.0.3 and earlier) Mitigation: Update UniFi Connect EV Station Pro to Version 1.5.27 or later Update UniFi Connect Display to Version 1.13.6 or later Update UniFi Connect Display Cast to Version 1.10.3 or later Update UniFi Connect Display Cast Pro to Version 1.0.83 or later Update UniFi Connect Display Cast Lite to Version 1.1.3 or later | 2025-08-21 | not yet calculated | CVE-2025-27213 |
| Ubiquiti Inc--UniFi Connect EV Station Pro | A Missing Authentication for Critical Function vulnerability in the UniFi Connect EV Station Pro may allow a malicious actor with physical or adjacent access to perform an unauthorized factory reset. Affected Products: UniFi Connect EV Station Pro (Version 1.5.18 and earlier) Mitigation: Update UniFi Connect EV Station Pro to Version 1.5.27 or later | 2025-08-21 | not yet calculated | CVE-2025-27214 |
| UFO: Alien Invasion Project--UFO: Alien Invasion | UFO: Alien Invasion versions up to and including 2.2.1 contain a buffer overflow vulnerability in its built-in IRC client component. When the client connects to an IRC server and receives a crafted numeric reply (specifically a 001 message), the application fails to properly validate the length of the response string. This results in a stack-based buffer overflow, which may corrupt control flow structures and allow arbitrary code execution. The vulnerability is triggered during automatic IRC connection handling and does not require user interaction beyond launching the game. | 2025-08-22 | not yet calculated | CVE-2009-10006 |
| Unknown--WP Talroo | The WP Talroo WordPress plugin through 2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin and unauthenticated users. | 2025-08-22 | not yet calculated | CVE-2025-8281 |
| unopim--unopim | UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, the image upload at the user creation feature performs only client side file type validation. A user can capture the request by uploading an image, capture the request through a Proxy like Burp suite. Make changes to the file extension and content. The vulnerability is fixed in 0.2.1. | 2025-08-21 | not yet calculated | CVE-2025-55743 |
| unopim--unopim | UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Before 0.2.1, some of the endpoints of the application is vulnerable to Cross site Request forgery (CSRF). This vulnerability is fixed in 0.2.1. | 2025-08-21 | not yet calculated | CVE-2025-55744 |
| unopim--unopim | UnoPim is an open-source Product Information Management (PIM) system built on the Laravel framework. Versions 0.3.0 and prior are vulnerable to CSV injection, also known as formula injection, in the Quick Export feature. This vulnerability allows attackers to inject malicious content into exported CSV files. When the CSV file is opened in spreadsheet applications such as Microsoft Excel, the malicious input may be interpreted as a formula or command, potentially resulting in the execution of arbitrary code on the victim's device. Successful exploitation can lead to remote code execution, including the establishment of a reverse shell. Users are advised to upgrade to version 0.3.1 or later. | 2025-08-22 | not yet calculated | CVE-2025-55745 |
| VariCAD--VariCAD EN | VariCAD EN up to and including version 2010-2.05 is vulnerable to a stack-based buffer overflow when parsing .dwb drawing files. The application fails to properly validate the length of input data embedded in the file, allowing a crafted .dwb file to overwrite critical memory structures. This flaw can be exploited locally by convincing a user to open a malicious file, resulting in arbitrary code execution. | 2025-08-21 | not yet calculated | CVE-2010-20114 |
| VishnuSivadasVS--LogIn-SignUp | The LogIn-SignUp project by VishnuSivadasVS is vulnerable to SQL Injection due to unsafe construction of SQL queries in DataBase.php. The functions logIn() and signUp() build queries by directly concatenating user input and unvalidated table names without using prepared statements. While a prepareData() function exists, it is insufficient to prevent SQL injection and does not sanitize the table name. | 2025-08-22 | not yet calculated | CVE-2025-51092 |
| Volcengin--verl | A deserialization vulnerability exists in Volcengine's verl 3.0.0, specifically in the scripts/model_merger.py script when using the "fsdp" backend. The script calls torch.load() with weights_only=False on user-supplied .pt files, allowing attackers to execute arbitrary code if a maliciously crafted model file is loaded. An attacker can exploit this by convincing a victim to download and place a malicious model file in a local directory with a specific filename pattern. This vulnerability may lead to arbitrary code execution with the privileges of the user running the script. | 2025-08-19 | not yet calculated | CVE-2025-50461 |
| Voltronic Power, PowerShield--Voltronic Power ViewPower, PowerShield Netguard | Voltronic Power ViewPower through 1.04-24215, ViewPower Pro through 2.0-22165, and PowerShield Netguard before 1.04-23292 allows a remote attacker to run arbitrary code via an unspecified web interface related to detection of a managed UPS shutting down. An unauthenticated attacker can use this to run arbitrary code immediately regardless of any managed UPS state or presence. | 2025-08-22 | not yet calculated | CVE-2022-31491 |
| Voltronic Power, PowerShield--Voltronic Power ViewPower, PowerShield Netguard | Voltronic Power ViewPower through 1.04-21353 and PowerShield Netguard before 1.04-23292 allows a remote attacker to configure the system via an unspecified web interface. An unauthenticated remote attacker can make changes to the system including: changing the web interface admin password, view/change system configuration, enumerate connected UPS devices and shut down connected UPS devices. This extends to being able to configure operating system commands that should run if the system detects a connected UPS shutting down. | 2025-08-22 | not yet calculated | CVE-2022-43110 |
| Western Digital Corporation--Western Digital Kitfox for Windows | Western Digital Kitfox for Windows provided by Western Digital Corporation registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may execute arbitrary code with the SYSTEM privilege. | 2025-08-22 | not yet calculated | CVE-2025-57699 |
| WinterChenS--my-site | There is an authentication bypass vulnerability in WinterChenS my-site thru commit 6c79286 (2025-06-11). An attacker can exploit this vulnerability to access /admin/ API without any token. | 2025-08-20 | not yet calculated | CVE-2025-50904 |
| withastro--astro | Astro is a web framework for content-driven websites. In versions of astro before 5.13.2 and 4.16.18, the image optimization endpoint in projects deployed with on-demand rendering allows images from unauthorized third-party domains to be served. On-demand rendered sites built with Astro include an /_image endpoint which returns optimized versions of images. A bug in impacted versions of astro allows an attacker to bypass the third-party domain restrictions by using a protocol-relative URL as the image source, e.g. /_image?href=//example.com/image.png. This vulnerability is fixed in 5.13.2 and 4.16.18. | 2025-08-19 | not yet calculated | CVE-2025-55303 |
| Xenorate--Xenorate | Xenorate versions up to and including 2.50, a Windows-based multimedia player, is vulnerable to a stack-based buffer overflow when processing .xpl playlist files. The application fails to properly validate the length of input data, allowing an attacker to craft a malicious .xpl file that overwrites the Structured Exception Handler (SEH) and enables arbitrary code execution. Exploitation requires local interaction, typically by convincing a user to open the crafted file. | 2025-08-21 | not yet calculated | CVE-2009-20003 |
| Xion--Audio Player | Xion Audio Player versions prior to 1.0.126 are vulnerable to a Unicode-based stack buffer overflow triggered by opening a specially crafted .m3u playlist file. The file contains an overly long string that overwrites the Structured Exception Handler (SEH) chain, allowing an attacker to hijack execution flow and run arbitrary code. | 2025-08-20 | not yet calculated | CVE-2010-20042 |
| Yoosee--Yoosee | An SQL injection vulnerability in Yoosee application v6.32.4 allows authenticated users to inject arbitrary SQL queries via a request to a backend API endpoint. Successful exploitation enables extraction of sensitive database information, including but not limited to, the database server banner and version, current database user and schema, the current DBMS user privileges, and arbitrary data from any table. | 2025-08-22 | not yet calculated | CVE-2025-52085 |
| zhisheng17--zhisheng17 blog | zhisheng17 blog 3.0.1-SNAPSHOT has an authentication bypass vulnerability. An attacker can exploit this vulnerability to access API without any token. | 2025-08-22 | not yet calculated | CVE-2024-50644 |
Vulnerability Summary for the Week of August 11, 2025
Posted on Monday August 18, 2025
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 1000 Projects--Sales Management System | A vulnerability was determined in 1000 Projects Sales Management System 1.0. This vulnerability affects unknown code of the file /superstore/admin/sales.php. The manipulation of the argument ssalescat leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8932 |
| 1000 Projects--Sales Management System | A vulnerability was found in 1000 Projects Sales Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /superstore/custcmp.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8935 |
| 1000 Projects--Sales Management System | A vulnerability was determined in 1000 Projects Sales Management System 1.0. Affected by this issue is some unknown functionality of the file /superstore/dist/dordupdate.php. The manipulation of the argument select2 leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8936 |
| 2100 Technology--Official Document Management System | Official Document Management System developed by 2100 Technology has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to obtain any user's connection token and use it to log into the system as that user. | 2025-08-11 | 9.8 | CVE-2025-8853 |
| 48hmorris--Assistant for NextGEN Gallery | The Assistant for NextGEN Gallery plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the /wp-json/nextgenassistant/v1.0.0/control REST endpoint in all versions up to, and including, 1.0.9. This makes it possible for unauthenticated attackers to delete arbitrary directories on the server, which can cause a complete loss of availability. | 2025-08-15 | 7.5 | CVE-2025-7641 |
| ABB--ABB AbilityTM zenon | Missing Authentication for Critical Function vulnerability in ABB ABB AbilityTM zenon.This issue affects ABB AbilityTM zenon: from 7.50 through 14. | 2025-08-13 | 7.5 | CVE-2025-8754 |
| ABB--ASPECT | Improper Control of Generation of Code ('Code Injection') vulnerability in ABB ASPECT.This issue affects ASPECT: before <3.08.04-s01. | 2025-08-11 | 7 | CVE-2025-53187 |
| ABB--Aspect | Insufficiently Protected Credentials vulnerability in ABB Aspect.This issue affects Aspect: before <3.08.04-s01. | 2025-08-11 | 7 | CVE-2025-53188 |
| ABB--Aspect | Authorization Bypass Through User-Controlled Key vulnerability in ABB Aspect.This issue affects Aspect: from o before <3.08.04-s01. | 2025-08-11 | 7 | CVE-2025-53189 |
| ABB--Aspect | A vulnerability in ABB Aspect.This issue affects Aspect: before <3.08.04-s01. | 2025-08-11 | 7 | CVE-2025-53190 |
| ABB--Aspect | Missing Authentication for Critical Function vulnerability in ABB Aspect.This issue affects Aspect: before <3.08.04-s01. | 2025-08-11 | 7.7 | CVE-2025-53191 |
| ABB--Aspect | Missing Authentication for Critical Function vulnerability in ABB Aspect.This issue affects Aspect: All versions. | 2025-08-11 | 7.4 | CVE-2025-7679 |
| Acato--WP REST Cache | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Acato WP REST Cache allows PHP Local File Inclusion. This issue affects WP REST Cache: from n/a through 2025.1.0. | 2025-08-14 | 7.5 | CVE-2025-52716 |
| Adobe--Adobe Commerce | Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Cross-Site Request Forgery (CSRF) vulnerability that could result in privilege escalation. A high-privileged attacker could trick a victim into executing unintended actions on a web application where the victim is authenticated, potentially allowing unauthorized access or modification of sensitive data. Exploitation of this issue requires user interaction in that a victim must visit a malicious website or click on a crafted link. Scope is changed. | 2025-08-12 | 8.1 | CVE-2025-49555 |
| Adobe--Adobe Commerce | Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be exploited by a low-privileged attacker to inject malicious scripts into vulnerable form fields. These scripts may be used to escalate privileges within the application or compromise sensitive user data. Exploitation of this issue requires user interaction in that a victim must browse to the page containing the vulnerable field. Scope is changed. | 2025-08-12 | 8.7 | CVE-2025-49557 |
| Adobe--Adobe Commerce | Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing the application to crash or become unresponsive. Exploitation of this issue does not require user interaction. | 2025-08-12 | 7.5 | CVE-2025-49554 |
| Adobe--Adobe Commerce | Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Incorrect Authorization vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Exploitation of this issue does not require user interaction, and scope is unchanged. | 2025-08-12 | 7.5 | CVE-2025-49556 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54229 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54230 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54231 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54232 |
| Adobe--Animate | Animate versions 23.0.12, 24.0.9 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-49561 |
| Adobe--Illustrator | Illustrator versions 28.7.8, 29.6.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-49563 |
| Adobe--Illustrator | Illustrator versions 28.7.8, 29.6.1 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-49564 |
| Adobe--InCopy | InCopy versions 20.4, 19.5.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54215 |
| Adobe--InCopy | InCopy versions 20.4, 19.5.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54216 |
| Adobe--InCopy | InCopy versions 20.4, 19.5.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54217 |
| Adobe--InCopy | InCopy versions 20.4, 19.5.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54218 |
| Adobe--InCopy | InCopy versions 20.4, 19.5.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54219 |
| Adobe--InCopy | InCopy versions 20.4, 19.5.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54220 |
| Adobe--InCopy | InCopy versions 20.4, 19.5.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54221 |
| Adobe--InCopy | InCopy versions 20.4, 19.5.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54223 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54206 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54207 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54208 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54209 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54210 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54211 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54212 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54213 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54224 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54225 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54226 |
| Adobe--Photoshop Desktop | Photoshop Desktop versions 25.12.3, 26.8 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-49570 |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.0 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. If the application uses an uncontrolled search path to locate critical resources such as programs, an attacker could modify that search path to point to a malicious program, which the targeted application would then execute. Exploitation of this issue does not require user interaction. | 2025-08-12 | 7.8 | CVE-2025-49571 |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-49572 |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.0 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-49573 |
| Adobe--Substance3D - Painter | Substance3D - Painter versions 11.0.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54187 |
| Adobe--Substance3D - Stager | Substance3D - Stager versions 3.1.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-54222 |
| Adobe--Substance3D - Viewer | Substance3D - Viewer versions 0.25 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-49560 |
| Adobe--Substance3D - Viewer | Substance3D - Viewer versions 0.25 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 7.8 | CVE-2025-49569 |
| Alvind--Billplz Addon for Contact Form 7 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Alvind Billplz Addon for Contact Form 7 allows Reflected XSS. This issue affects Billplz Addon for Contact Form 7: from n/a through 1.2.0. | 2025-08-14 | 7.1 | CVE-2025-31007 |
| ApusTheme--Findgo | Cross-Site Request Forgery (CSRF) vulnerability in ApusTheme Findgo allows Cross Site Request Forgery. This issue affects Findgo: from n/a through 1.3.57. | 2025-08-14 | 8.8 | CVE-2025-53587 |
| Arraytics--Eventin | Deserialization of Untrusted Data vulnerability in Arraytics Eventin allows Object Injection. This issue affects Eventin: from n/a through 4.0.31. | 2025-08-14 | 8.8 | CVE-2025-49869 |
| artkrylov--Icons Factory | The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up to, and including, 1.6.12. This makes it possible for unauthenticated attackers to to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-08-15 | 9.8 | CVE-2025-7778 |
| Autodesk--AutoCAD | A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-08-15 | 7.8 | CVE-2025-5046 |
| Autodesk--AutoCAD | A maliciously crafted DGN file, when parsed through Autodesk AutoCAD, can force an Uninitialized Variable vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-08-15 | 7.8 | CVE-2025-5047 |
| Autodesk--AutoCAD | A maliciously crafted DGN file, when linked or imported into Autodesk AutoCAD, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-08-15 | 7.8 | CVE-2025-5048 |
| bbioon--WooCommerce Purchase Orders | The WooCommerce Purchase Orders plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-08-12 | 8.1 | CVE-2025-5391 |
| beeteam368--BeeTeam368 Extensions | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 BeeTeam368 Extensions allows PHP Local File Inclusion. This issue affects BeeTeam368 Extensions: from n/a through 1.9.4. | 2025-08-14 | 10 | CVE-2025-25174 |
| beeteam368--VidMov | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidMov allows PHP Local File Inclusion. This issue affects VidMov: from n/a through 1.9.4. | 2025-08-14 | 8.1 | CVE-2025-25172 |
| Ben Ritner - Kadence WP--Kadence WooCommerce Email Designer | Incorrect Privilege Assignment vulnerability in Ben Ritner - Kadence WP Kadence WooCommerce Email Designer allows Privilege Escalation. This issue affects Kadence WooCommerce Email Designer: from n/a through 1.5.16. | 2025-08-14 | 7.2 | CVE-2025-54697 |
| BestiaDurmiente--Visit Counter | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BestiaDurmiente Visit Counter allows Stored XSS. This issue affects Visit Counter: from n/a through 1.0. | 2025-08-14 | 7.1 | CVE-2025-49065 |
| bitpressadmin--Bit Form Custom Contact Form, Multi Step, Conversational, Payment & Quiz Form builder | The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. For this to be exploitable, the PRO version needs to be installed and activated as well. Additionally a form with an advanced file upload element needs to be published. | 2025-08-15 | 9.8 | CVE-2025-6679 |
| Bosch Rexroth AG--ctrlX OS - Setup | A vulnerability in the web application of the ctrlX OS setup mechanism facilitated an authenticated (low privileged) attacker to gain remote access to backup archives created by a user with elevated permissions. Depending on the content of the backup archive, the attacker may have been able to access sensitive data. | 2025-08-14 | 8 | CVE-2025-48860 |
| Bosch Rexroth AG--ctrlX OS - Setup | Ambiguous wording in the web interface of the ctrlX OS setup mechanism could lead the user to believe that the backup file is encrypted when a password is set. However, only the private key - if available in the backup - is encrypted, while the backup file itself remains unencrypted. | 2025-08-14 | 7.1 | CVE-2025-48862 |
| bplugins--B Blocks The ultimate block collection | The B Blocks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization and improper input validation within the rgfr_registration() function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to create a new account and assign it the administrator role. | 2025-08-12 | 9.8 | CVE-2025-8059 |
| bplugins--B Slider- Gutenberg Slider Block for WP | The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Arbitrary Plugin Installation in all versions up to, and including, 1.1.30. This is due to missing capability checks on the activated_plugin function. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins on the server which can make remote code execution possible. | 2025-08-12 | 8.8 | CVE-2025-8418 |
| Campcodes--Online Flight Booking Management System | A vulnerability was found in Campcodes Online Flight Booking Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=login of the component Login. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8952 |
| Campcodes--Online Flight Booking Management System | A vulnerability was determined in Campcodes Online Flight Booking Management System 1.0. Affected is an unknown function of the file /flights.php. The manipulation of the argument departure_airport_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8957 |
| Campcodes--Online Flight Booking Management System | A vulnerability has been found in Campcodes Online Flight Booking Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/save_airlines.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8960 |
| Campcodes--Online Recruitment Management System | A vulnerability was identified in Campcodes Online Recruitment Management System 1.0. This issue affects some unknown processing of the file /Recruitment/index.php?page=view_vacancy. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8950 |
| Campcodes--Online Water Billing System | A vulnerability was identified in Campcodes Online Water Billing System 1.0. This issue affects some unknown processing of the file /viewbill.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-13 | 7.3 | CVE-2025-8924 |
| checkpoint--Check Point Harmony SASE | Log files uploaded during troubleshooting by the Harmony SASE agent may have been accessible to unauthorized parties. | 2025-08-12 | 8.1 | CVE-2025-3831 |
| CherryHQ--cherry-studio | Cherry Studio is a desktop client that supports for multiple LLM providers. In version 1.5.1, a remote code execution (RCE) vulnerability exists in the Cherry Studio platform when connecting to streamableHttp MCP servers. The issue arises from the server's implicit trust in the oauth auth redirection endpoints and failure to properly sanitize the URL. This issue has been patched in version 1.5.2. | 2025-08-13 | 9.7 | CVE-2025-54382 |
| CherryHQ--cherry-studio | Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.4.8 to 1.5.0, there is a one-click remote code execution vulnerability through the custom URL handling. An attacker can exploit this by hosting a malicious website or embedding a specially crafted URL on any website. If a victim clicks the exploit link in their browser, the app's custom URL handler is triggered, leading to remote code execution on the victim's machine. This issue has been patched in version 1.5.1. | 2025-08-11 | 8 | CVE-2025-54063 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the management and VPN web servers of the Remote Access SSL VPN feature of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to unexpectedly stop responding, resulting in a DoS condition. This vulnerability is due to ineffective validation of user-supplied input during the Remote Access SSL VPN authentication process. An attacker could exploit this vulnerability by sending a crafted request to the VPN service on an affected device. A successful exploit could allow the attacker to cause a DoS condition where the device stops responding to Remote Access SSL VPN authentication requests. | 2025-08-14 | 8.6 | CVE-2025-20133 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the certificate processing of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to improper parsing of SSL/TLS certificates. An attacker could exploit this vulnerability by sending a crafted SSL/TLS certificate to an affected system through a listening SSL/TLS socket. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition. | 2025-08-14 | 8.6 | CVE-2025-20134 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the function that performs IPv4 and IPv6 Network Address Translation (NAT) DNS inspection for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to an infinite loop condition that occurs when a Cisco Secure ASA or Cisco Secure FTD device processes DNS packets with DNS inspection enabled and the device is configured for NAT44, NAT64, or NAT46. An attacker could exploit this vulnerability by sending crafted DNS packets that match a static NAT rule with DNS inspection enabled through an affected device. A successful exploit could allow the attacker to create an infinite loop and cause the device to reload, resulting in a DoS condition. | 2025-08-14 | 8.6 | CVE-2025-20136 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the management and VPN web servers of Cisco Secure Firewall ASA Software and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a DoS condition. This vulnerability is due to improper validation of user-supplied input on an interface with VPN web services. An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web server on an affected device. A successful exploit could allow the attacker to cause a DoS condition when the device reloads. | 2025-08-14 | 8.6 | CVE-2025-20243 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the Remote Access SSL VPN service for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, remote attacker to create or delete arbitrary files on the underlying operating system. If critical system files are manipulated, new Remote Access SSL VPN sessions could be denied and existing sessions could be dropped, causing a denial of service (DoS) condition. An exploited device requires a manual reboot to recover. This vulnerability is due to insufficient input validation when processing HTTP requests. An attacker could exploit this vulnerability by sending crafted HTTP requests to an affected device. A successful exploit could allow the attacker to create or delete files on the underlying operating system, which could cause the Remote Access SSL VPN service to become unresponsive. To exploit this vulnerability, the attacker must be authenticated as a VPN user of the affected device. | 2025-08-14 | 8.5 | CVE-2025-20251 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the IKEv2 feature of Cisco IOS Software, IOS XE Software, Secure Firewall ASA Software, and Secure FTD Software could allow an unauthenticated, remote attacker to cause the device to reload, resulting in a DoS condition. This vulnerability is due to the improper processing of IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device. A successful exploit could allow the attacker to cause an infinite loop that exhausts resources and could cause the device to reload. | 2025-08-14 | 8.6 | CVE-2025-20253 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the web services interface of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a buffer overflow on an affected system. This vulnerability is due to insufficient boundary checks for specific data that is provided to the web services interface of an affected system. An attacker could exploit this vulnerability by sending a crafted HTTP request to the affected system. A successful exploit could allow the attacker to cause a buffer overflow condition on the affected system, which could cause the system to reload, resulting in a denial of service (DoS) condition. | 2025-08-14 | 8.6 | CVE-2025-20263 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the TLS 1.3 implementation for a specific cipher for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software for Cisco Firepower 3100 and 4200 Series devices could allow an authenticated, remote attacker to consume resources that are associated with incoming TLS 1.3 connections, which eventually could cause the device to stop accepting any new SSL/TLS or VPN requests. This vulnerability is due to the implementation of the TLS 1.3 Cipher TLS_CHACHA20_POLY1305_SHA256. An attacker could exploit this vulnerability by sending a large number of TLS 1.3 connections with the specific TLS 1.3 Cipher TLS_CHACHA20_POLY1305_SHA256. A successful exploit could allow the attacker to cause a denial of service (DoS) condition where no new incoming encrypted connections are accepted. The device must be reloaded to clear this condition. Note: These incoming TLS 1.3 connections include both data traffic and user-management traffic. After the device is in the vulnerable state, no new encrypted connections can be accepted. | 2025-08-14 | 7.7 | CVE-2025-20127 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the Remote Access SSL VPN service for Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow a remote attacker that is authenticated as a VPN user to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition. This vulnerability is due to incomplete error checking when parsing an HTTP header field value. An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted Remote Access SSL VPN service on an affected device. A successful exploit could allow the attacker to cause a DoS condition, which would cause the affected device to reload. | 2025-08-14 | 7.7 | CVE-2025-20244 |
| Cisco--Cisco Firepower Management Center | A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to inject arbitrary shell commands that are executed by the device. This vulnerability is due to a lack of proper handling of user input during the authentication phase. An attacker could exploit this vulnerability by sending crafted input when entering credentials that will be authenticated at the configured RADIUS server. A successful exploit could allow the attacker to execute commands at a high privilege level. Note: For this vulnerability to be exploited, Cisco Secure FMC Software must be configured for RADIUS authentication for the web-based management interface, SSH management, or both. | 2025-08-14 | 10 | CVE-2025-20265 |
| Cisco--Cisco Firepower Management Center | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an authenticated, remote attacker to inject arbitrary HTML content into a device-generated document. This vulnerability is due to improper validation of user-supplied data. An attacker could exploit this vulnerability by submitting malicious content to an affected device and using the device to generate a document that contains sensitive information. A successful exploit could allow the attacker to alter the standard layout of the device-generated documents, read arbitrary files from the underlying operating system, and conduct server-side request forgery (SSRF) attacks. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Security Analyst (Read Only). | 2025-08-14 | 8.5 | CVE-2025-20148 |
| Cisco--Cisco Firepower Threat Defense Software | A vulnerability in the packet inspection functionality of the Snort 3 Detection Engine of Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to incorrect processing of traffic that is inspected by an affected device. An attacker could exploit this vulnerability by sending crafted traffic through the affected device. A successful exploit could allow the attacker to cause the affected device to enter an infinite loop while inspecting traffic, resulting in a DoS condition. The system watchdog will restart the Snort process automatically. | 2025-08-14 | 8.6 | CVE-2025-20217 |
| Cisco--Cisco Firepower Threat Defense Software | A vulnerability in the RADIUS proxy feature for the IPsec VPN feature of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition. This vulnerability is due to improper processing of IPv6 packets. An attacker could exploit this vulnerability by sending IPv6 packets over an IPsec VPN connection to an affected device. A successful exploit could allow the attacker to trigger a reload of the device, resulting in a DoS condition. | 2025-08-14 | 8.6 | CVE-2025-20222 |
| Cisco--IOS | A vulnerability in the Internet Key Exchange Version 2 (IKEv2) feature of Cisco IOS Software, IOS XE Software, Secure Firewall Adaptive Security Appliance (ASA) Software, and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a memory leak, resulting in a denial of service (DoS) condition. This vulnerability is due to a lack of proper processing of IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device. In the case of Cisco IOS and IOS XE Software, a successful exploit could allow the attacker to cause the device to reload unexpectedly. In the case of Cisco ASA and FTD Software, a successful exploit could allow the attacker to partially exhaust system memory, causing system instability such as being unable to establish new IKEv2 VPN sessions. A manual reboot of the device is required to recover from this condition. | 2025-08-14 | 8.6 | CVE-2025-20239 |
| CleverReach--CleverReach WP | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CleverReach® CleverReach® WP allows SQL Injection. This issue affects CleverReach® WP: from n/a through 1.5.20. | 2025-08-14 | 9.3 | CVE-2025-49059 |
| Cloud Infrastructure Services--Cloud SAML SSO - Single Sign On Login | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Cloud Infrastructure Services Cloud SAML SSO - Single Sign On Login allows PHP Local File Inclusion. This issue affects Cloud SAML SSO - Single Sign On Login: from n/a through 1.0.18. | 2025-08-14 | 7.5 | CVE-2025-49264 |
| code-projects--Job Diary | A vulnerability has been found in code-projects Job Diary 1.0. Affected by this issue is some unknown functionality of the file /user-apply.php. The manipulation of the argument job_title leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-13 | 7.3 | CVE-2025-8921 |
| code-projects--Job Diary | A vulnerability was found in code-projects Job Diary 1.0. This affects an unknown part of the file /admin-inbox.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-13 | 7.3 | CVE-2025-8922 |
| code-projects--Job Diary | A vulnerability was determined in code-projects Job Diary 1.0. This vulnerability affects unknown code of the file /edit-details.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-13 | 7.3 | CVE-2025-8923 |
| code-projects--Online Medicine Guide | A vulnerability was determined in code-projects Online Medicine Guide 1.0. Affected is an unknown function of the file /browsemdcn.php. The manipulation of the argument Search leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-8990 |
| code-projects--Online Medicine Guide | A vulnerability has been found in code-projects Online Medicine Guide 1.0. This vulnerability affects unknown code of the file /addelivery.php. The manipulation of the argument deName leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9027 |
| code-projects--Online Medicine Guide | A vulnerability was found in code-projects Online Medicine Guide 1.0. This issue affects some unknown processing of the file /adphar.php. The manipulation of the argument phuname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9028 |
| cornfeed--WP-jScrollPane | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cornfeed WP-jScrollPane allows Reflected XSS. This issue affects WP-jScrollPane: from n/a through 2.0.3. | 2025-08-14 | 7.1 | CVE-2025-49062 |
| crmperks--Database for Contact Form 7, WPforms, Elementor forms | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.3 via deserialization of untrusted input in the get_lead_detail function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted. | 2025-08-13 | 9.8 | CVE-2025-7384 |
| D-Link--DIR-825 | A vulnerability was identified in D-Link DIR-825 2.10. Affected by this vulnerability is the function get_ping_app_stat of the file ping_response.cgi of the component httpd. The manipulation of the argument ping_ipaddr leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-14 | 7.2 | CVE-2025-8949 |
| D-Link--DIR-860L | A vulnerability was identified in D-Link DIR-860L 2.04.B04. This affects the function ssdpcgi_main of the file htdocs/cgibin of the component Simple Service Discovery Protocol. The manipulation leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-15 | 7.3 | CVE-2025-9026 |
| dasinfomedia--School Management System for Wordpress | The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the homework.php file in all versions up to, and including, 93.2.0. This makes it possible for authenticated attackers, with Student-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-08-16 | 8.8 | CVE-2025-6079 |
| dasinfomedia--School Management System for Wordpress | The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via several parameters across multiple AJAX action in all versions up to, and including, 93.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-08-16 | 7.5 | CVE-2024-12612 |
| dasinfomedia--WPGYM - Wordpress Gym Management System | The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67.7.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One in particular reported by the researcher can be leveraged to update the password of Super Administrator accounts in Multisite environments making privilege escalation possible. | 2025-08-16 | 8.8 | CVE-2025-3671 |
| dasinfomedia--WPGYM - Wordpress Gym Management System | The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new users, including admins. | 2025-08-16 | 8.8 | CVE-2025-6080 |
| denoland--std | @std/toml is the Deno Standard Library. Prior to version 1.0.9, an attacker can pollute the prototype chain in Node.js runtime and Browser when parsing untrusted TOML data, thus achieving Prototype Pollution (PP) vulnerability. This is because the library is merging an untrusted object with an empty object, which by default the empty object has the prototype chain. This issue has been patched in version 1.0.9. | 2025-08-14 | 7.3 | CVE-2025-55195 |
| Dylan Kuhn--Geo Mashup | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dylan Kuhn Geo Mashup allows PHP Local File Inclusion. This issue affects Geo Mashup: from n/a through 1.13.16. | 2025-08-14 | 9.8 | CVE-2025-48293 |
| epiphyt--Form Block | Unrestricted Upload of File with Dangerous Type vulnerability in epiphyt Form Block allows Upload a Web Shell to a Web Server. This issue affects Form Block: from n/a through 1.5.5. | 2025-08-14 | 9 | CVE-2025-54693 |
| ExpressTech Systems--Quiz And Survey Master | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master allows SQL Injection. This issue affects Quiz And Survey Master: from n/a through 10.2.4. | 2025-08-14 | 8.5 | CVE-2025-55708 |
| eyecix--JobSearch | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in eyecix JobSearch allows PHP Local File Inclusion. This issue affects JobSearch: from n/a through 2.9.0. | 2025-08-14 | 7.5 | CVE-2025-52806 |
| F5--BIG-IP | When Network Access is configured on a BIG-IP APM virtual server, undisclosed traffic can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2025-08-13 | 7.5 | CVE-2025-46405 |
| F5--BIG-IP | When a BIG-IP LTM Client SSL profile is configured on a virtual server with SSL Forward Proxy enabled and Anonymous Diffie-Hellman (ADH) ciphers enabled, undisclosed requests can cause the Traffic Management Microkernel (TMM) to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2025-08-13 | 7.5 | CVE-2025-52585 |
| F5--BIG-IP Edge Client | A missing file integrity check vulnerability exists on MacOS F5 VPN browser client installer that may allow a local, authenticated attacker with access to the local file system to replace it with a malicious package installer. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2025-08-13 | 7.3 | CVE-2025-48500 |
| F5--F5 Access | F5 Access for Android before version 3.1.2 which uses HTTPS does not verify the remote endpoint identity. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2025-08-13 | 7.4 | CVE-2025-54809 |
| Federico Rota--Authentication and xmlrpc log writer | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Federico Rota Authentication and xmlrpc log writer allows Reflected XSS. This issue affects Authentication and xmlrpc log writer: from n/a through 1.2.2. | 2025-08-14 | 7.1 | CVE-2025-49037 |
| FirebirdSQL--firebird | Firebird is a relational database. Prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if ExtConnPoolSize is not set equal to 0. If connections stored in ExtConnPool are not verified for presence and suitability of the CryptCallback interface is used when created versus what is available could result in a segfault in the server process. Encrypted databases, accessed by execute statement on external, may be accessed later by an attachment missing a key to that database. In a case when execute statement are chained, segfault may happen. Additionally, the segfault may affect unencrypted databases. This issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for this issue involves setting ExtConnPoolSize equal to 0 in firebird.conf. | 2025-08-15 | 7.1 | CVE-2025-24975 |
| Fortinet--FortiPAM | An authentication bypass using an alternate path or channel [CWE-288] vulnerability in Fortinet FortiOS version 6.4.0 through 6.4.15 and before 6.2.16, FortiProxy version 7.4.0 through 7.4.2, 7.2.0 through 7.2.8 and before 7.0.15 & FortiPAM before version 1.2.0 allows an unauthenticated attacker to seize control of a managed device via crafted FGFM requests, if the device is managed by a FortiManager, and if the attacker knows that FortiManager's serial number. | 2025-08-12 | 7.9 | CVE-2024-26009 |
| Fortinet--FortiSIEM | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiSIEM version 7.3.0 through 7.3.1, 7.2.0 through 7.2.5, 7.1.0 through 7.1.7, 7.0.0 through 7.0.3 and before 6.7.9 allows an unauthenticated attacker to execute unauthorized code or commands via crafted CLI requests. | 2025-08-12 | 9.8 | CVE-2025-25256 |
| Fortinet--FortiWeb | A improper handling of parameters in Fortinet FortiWeb versions 7.6.3 and below, versions 7.4.7 and below, versions 7.2.10 and below, and 7.0.10 and below may allow an unauthenticated remote attacker with non-public information pertaining to the device and targeted user to gain admin privileges on the device via a specially crafted request. | 2025-08-12 | 7.7 | CVE-2025-52970 |
| Foxit--Foxit Reader | A memory corruption vulnerability exists in Foxit Reader 2025.1.0.27937 due to the use of an uninitialized pointer. A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site if the browser plugin extension is enabled. | 2025-08-13 | 8.8 | CVE-2025-32451 |
| gelbphoenix--autocaliweb | Autocaliweb is a web app that offers an interface for browsing, reading, and downloading eBooks using a valid Calibre database. Prior to version 0.8.3, the debug pack generated by Autocaliweb can expose sensitive configuration data, including API keys. This occurs because the to_dict() method, used to serialize configuration for the debug pack, doesn't adequately filter out sensitive fields such as API tokens. Users, unaware of the full contents, might share these debug packs, inadvertently leaking their private API keys. This issue has been patched in version 0.8.3. | 2025-08-12 | 8.3 | CVE-2025-55165 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to achieve account takeover by injecting malicious HTML into work item names. | 2025-08-13 | 8.7 | CVE-2025-6186 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 14.2 before 18.0.6, 18.1 before 18.1.4 and 18.2 before 18.2.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content. | 2025-08-13 | 8.7 | CVE-2025-7734 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 18.2 before 18.2.2 that, under certain conditions, could have allowed authenticated users to achieve stored cross-site scripting by injecting malicious HTML content in scoped label descriptions. | 2025-08-13 | 8.7 | CVE-2025-7739 |
| glboy--WooCommerce OTP Login With Phone Number, OTP Verification | The WooCommerce OTP Login With Phone Number, OTP Verification plugin for WordPress is vulnerable to authentication bypass due to insufficient empty value checking in the lwp_ajax_register function in all versions up to, and including, 1.8.47. This makes it possible for unauthenticated attackers to bypass OTP verification and gain administrative access to any user account with a configured phone number by exploiting improper Firebase API error handling when the Firebase API key is not configured. | 2025-08-15 | 8.1 | CVE-2025-8342 |
| gopiplus--Vertical scroll slideshow gallery v2 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Vertical scroll slideshow gallery v2 allows Blind SQL Injection. This issue affects Vertical scroll slideshow gallery v2: from n/a through 9.1. | 2025-08-15 | 8.5 | CVE-2025-49897 |
| GravityWP--GravityWP - Merge Tags | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in GravityWP GravityWP - Merge Tags allows PHP Local File Inclusion. This issue affects GravityWP - Merge Tags: from n/a through 1.4.4. | 2025-08-14 | 7.5 | CVE-2025-49271 |
| H3C--M2 NAS | A vulnerability was found in H3C M2 NAS V100R006. Affected by this vulnerability is an unknown functionality of the component Webserver Configuration. The manipulation leads to execution with unnecessary privileges. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor explains: "[T]he device only has configuration files and does not actually have boa functionality. It is impossible to access or upload files anonymously to the device through boa services". This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-13 | 7 | CVE-2025-8907 |
| HashiCorp--Shared library | HashiCorp's go-getter library subdirectory download feature is vulnerable to symlink attacks leading to unauthorized read access beyond the designated directory boundaries. This vulnerability, identified as CVE-2025-8959, is fixed in go-getter 1.7.9. | 2025-08-15 | 7.5 | CVE-2025-8959 |
| hassantafreshi--Easy Form Builder | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hassantafreshi Easy Form Builder allows Blind SQL Injection. This issue affects Easy Form Builder: from n/a through 3.8.15. | 2025-08-14 | 9.3 | CVE-2025-54678 |
| highwarden--Super Store Finder | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in highwarden Super Store Finder allows SQL Injection. This issue affects Super Store Finder: from n/a through 7.5. | 2025-08-14 | 9.3 | CVE-2025-52720 |
| i3geek--BaiduXZH Submit() | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in i3geek BaiduXZH Submit(百度熊掌å·) allows Reflected XSS. This issue affects BaiduXZH Submit(百度熊掌å·): from n/a through 1.4.6. | 2025-08-14 | 7.1 | CVE-2025-49063 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, the magnified size calculations in ReadOneMNGIMage (in coders/png.c) are unsafe and can overflow, leading to memory corruption. This issue has been patched in versions 6.9.13-27 and 7.1.2-1. | 2025-08-13 | 8.8 | CVE-2025-55154 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-1, ImageMagick is vulnerable to heap-buffer overflow read around the handling of images with separate alpha channels when performing image magnification in ReadOneMNGIMage. This can likely be used to leak subsequent memory contents into the output image. This issue has been patched in version 7.1.2-1. | 2025-08-13 | 7.6 | CVE-2025-55004 |
| infosoftplugin--WooCommerce Point Of Sale (POS) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in infosoftplugin WooCommerce Point Of Sale (POS) allows SQL Injection. This issue affects WooCommerce Point Of Sale (POS): from n/a through 1.4. | 2025-08-14 | 8.5 | CVE-2025-52820 |
| INSTAR--2K+ | A vulnerability was identified in INSTAR 2K+ and 4K 3.11.1 Build 1124. This affects the function base64_decode of the component fcgi_server. The manipulation of the argument Authorization leads to buffer overflow. It is possible to initiate the attack remotely. | 2025-08-13 | 9.8 | CVE-2025-8760 |
| INSTAR--2K+ | A vulnerability has been found in INSTAR 2K+ and 4K 3.11.1 Build 1124. This vulnerability affects unknown code of the component Backend IPC Server. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-13 | 7.5 | CVE-2025-8761 |
| Insyde Software--InsydeH2O | UsbCoreDxe has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level. | 2025-08-13 | 7.5 | CVE-2025-4276 |
| Insyde Software--InsydeH2O | Tcg2Smm has a vulnerability which can be used to write arbitrary memory inside SMRAM and execute arbitrary code at SMM level. | 2025-08-13 | 7.5 | CVE-2025-4277 |
| Insyde Software--InsydeH2O | A buffer overflow vulnerability exists in the module SetupUtility. An attacker with local privileged access can exploit this vulnerability by executeing arbitrary code. | 2025-08-13 | 7.5 | CVE-2025-4410 |
| iThemes--ServerBuddy by PluginBuddy.com | Cross-Site Request Forgery (CSRF) vulnerability in iThemes ServerBuddy by PluginBuddy.Com allows Object Injection.This issue affects ServerBuddy by PluginBuddy.Com: from n/a through 1.0.5. | 2025-08-16 | 8.8 | CVE-2025-49895 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. This issue affects some unknown processing of the file /admin/operations/tax.php. The manipulation of the argument tname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8966 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability was determined in itsourcecode Online Tour and Travel Management System 1.0. Affected is an unknown function of the file /admin/operations/packages.php. The manipulation of the argument pname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8967 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability was identified in itsourcecode Online Tour and Travel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/disapprove_user.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8968 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/approve_user.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8969 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. This affects an unknown part of the file /admin/operations/booking.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8970 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability was determined in itsourcecode Online Tour and Travel Management System 1.0. This vulnerability affects unknown code of the file /admin/operations/travellers.php. The manipulation of the argument val-username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8971 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability was identified in itsourcecode Online Tour and Travel Management System 1.0. This issue affects some unknown processing of the file /admin/page-login.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8972 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. This affects an unknown part of the file /admin/operations/payment.php. The manipulation of the argument payment_type leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8981 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability was determined in itsourcecode Online Tour and Travel Management System 1.0. This vulnerability affects unknown code of the file /admin/operations/currency.php. The manipulation of the argument curr_code leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8982 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability was identified in itsourcecode Online Tour and Travel Management System 1.0. This issue affects some unknown processing of the file /admin/operations/expense.php. The manipulation of the argument expense_for leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8983 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1.0. Affected is an unknown function of the file /admin/operations/expense_category.php. The manipulation of the argument expense_name leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8984 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. This affects an unknown part of the file /admin/expense_report.php. The manipulation of the argument from_date leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-8993 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability was identified in itsourcecode Online Tour and Travel Management System 1.0. This issue affects some unknown processing of the file /admin/sms_setting.php. The manipulation of the argument uname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9008 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1.0. Affected is an unknown function of the file /admin/email_setup.php. The manipulation of the argument Name leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9009 |
| itsourcecode--Online Tour and Travel Management System | A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/booking_report.php. The manipulation of the argument from_date leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9010 |
| itsourcecode--Sports Management System | A vulnerability has been found in itsourcecode Sports Management System 1.0. Affected is an unknown function of the file /Admin/match.php. The manipulation of the argument code leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-13 | 7.3 | CVE-2025-8925 |
| Ivanti--Avalanche | SQL injection in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to execute arbitrary SQL queries. In certain conditions, this can also lead to remote code execution | 2025-08-12 | 7.2 | CVE-2025-8296 |
| Ivanti--Avalanche | Incomplete restriction of configuration in Ivanti Avalanche before version 6.4.8.8008 allows a remote authenticated attacker with admin privileges to achieve remote code execution | 2025-08-12 | 7.2 | CVE-2025-8297 |
| Ivanti--Connect Secure | A buffer over-read vulnerability in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 2.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service. CWE-125 | 2025-08-12 | 7.5 | CVE-2025-5456 |
| Ivanti--Connect Secure | A heap-based buffer overflow in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote unauthenticated attacker to trigger a denial of service. | 2025-08-12 | 7.5 | CVE-2025-5462 |
| johnh10--Video Blogster Lite | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in johnh10 Video Blogster Lite allows Reflected XSS. This issue affects Video Blogster Lite: from n/a through 1.2. | 2025-08-14 | 7.1 | CVE-2025-47689 |
| josepsitjar--StoryMap | Cross-Site Request Forgery (CSRF) vulnerability in josepsitjar StoryMap allows SQL Injection. This issue affects StoryMap: from n/a through 2.1. | 2025-08-14 | 8.2 | CVE-2025-52797 |
| kamleshyadav--WP Lead Capturing Pages | Missing Authorization vulnerability in kamleshyadav WP Lead Capturing Pages allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Lead Capturing Pages: from n/a through 2.3. | 2025-08-14 | 7.5 | CVE-2025-31425 |
| kanboard--kanboard | Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, an unsafe deserialization vulnerability in the ProjectEventActvityFormatter allows admin users the ability to instantiate arbitrary php objects by modifying the event["data"] field in the project_activities table. A malicious actor can update this field to use a php gadget to write a web shell into the /plugins folder, which then gives remote code execution on the host system. This issue has been patched in version 1.2.47. | 2025-08-12 | 9.1 | CVE-2025-55010 |
| keywordrush--Content Egg | Deserialization of Untrusted Data vulnerability in keywordrush Content Egg allows Object Injection. This issue affects Content Egg: from n/a through 7.0.0. | 2025-08-14 | 7.2 | CVE-2025-47536 |
| Ko Min--WP Voting | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ko Min WP Voting allows Reflected XSS. This issue affects WP Voting: from n/a through 1.8. | 2025-08-14 | 7.1 | CVE-2025-49057 |
| Kubernetes--Image Builder | A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process. Additionally, virtual machine images built using the Nutanix or the OVA provider do not disable these default credentials, and nodes using the resulting images may be accessible via these default credentials. The credentials can be used to gain root access. Kubernetes clusters are only affected if their Windows nodes use VM images created via the Image Builder project with its Nutanix or OVA provider. | 2025-08-17 | 7.5 | CVE-2025-7342 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, the application does not check authentication at endpoint /html/personalizacao_remover.php allowing anonymous attacker (without login) to delete any Image files at endpoint /html/personalizacao_remover.php by defining imagem_0 as image id to delete. This issue has been patched in version 3.4.8. | 2025-08-12 | 7.5 | CVE-2025-55171 |
| LambertGroup--Multimedia Playlist Slider Addon for WPBakery Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Multimedia Playlist Slider Addon for WPBakery Page Builder allows Reflected XSS. This issue affects Multimedia Playlist Slider Addon for WPBakery Page Builder: from n/a through 2.1. | 2025-08-14 | 7.1 | CVE-2025-30626 |
| Linksys--RE6250 | A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected is the function algDisable of the file /goform/setOpMode. The manipulation of the argument opMode leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-11 | 8.8 | CVE-2025-8822 |
| Linksys--RE6250 | A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected by this issue is the function setRIP of the file /goform/setRIP. The manipulation of the argument RIPmode/RIPpasswd leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-11 | 8.8 | CVE-2025-8824 |
| Linksys--RE6250 | A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This vulnerability affects the function um_rp_autochannel of the file /goform/RP_setBasicAuto. The manipulation of the argument apcli_AuthMode_2G/apcli_AuthMode_5G leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-11 | 8.8 | CVE-2025-8826 |
| Linksys--RE6250 | A vulnerability was found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This affects the function remoteManagement of the file /goform/remoteManagement. The manipulation of the argument portNumber leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-11 | 8.8 | CVE-2025-8831 |
| Linksys--RE6250 | A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This vulnerability affects the function setDMZ of the file /goform/setDMZ. The manipulation of the argument DMZIPAddress leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-11 | 8.8 | CVE-2025-8832 |
| Linksys--RE6250 | A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This issue affects the function langSwitchBack of the file /goform/langSwitchBack. The manipulation of the argument langSelectionOnly leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-11 | 8.8 | CVE-2025-8833 |
| Liquid Web--GiveWP | Insertion of Sensitive Information Into Sent Data vulnerability in Liquid Web GiveWP allows Retrieve Embedded Sensitive Data.This issue affects GiveWP: from n/a before 4.6.1. | 2025-08-12 | 7.5 | CVE-2025-47444 |
| lisensee--NetInsight Analytics Implementation Plugin | Cross-Site Request Forgery (CSRF) vulnerability in lisensee NetInsight Analytics Implementation Plugin allows Stored XSS. This issue affects NetInsight Analytics Implementation Plugin: from n/a through 1.0.3. | 2025-08-14 | 7.1 | CVE-2025-52765 |
| loword--AL Pack | The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1.0.2. The callback reads the client-supplied Origin header and, after parsing, allows the request if it matches one of the trusted domains, without ever verifying user authentication, capabilities, or nonce tokens. This makes it possible for unauthenticated attackers to activate premium features by simply spoofing the Origin header. | 2025-08-16 | 7.5 | CVE-2025-7664 |
| Made I.T.--Forms | Unrestricted Upload of File with Dangerous Type vulnerability in Made I.T. Forms allows Upload a Web Shell to a Web Server. This issue affects Forms: from n/a through 2.9.0. | 2025-08-14 | 9.9 | CVE-2025-24775 |
| magepeopleteam--E-cab Taxi Booking Manager for Woocommerce | The Taxi Booking Manager for Woocommerce | E-cab plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.0. This is due to the plugin not properly validating a user's capabilities prior to updating a plugin setting or their identity prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | 2025-08-16 | 9.8 | CVE-2025-8898 |
| MasaCMS--MasaCMS | MASA CMS is an Enterprise Content Management platform based on open source technology. Versions prior to 7.4.6, 7.3.13, and 7.2.8 contain a SQL injection vulnerability in the `processAsyncObject` method that can result in remote code execution. Versions 7.4.6, 7.3.13, and 7.2.8 contain a fix for the issue. | 2025-08-11 | 9.8 | CVE-2024-32640 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence Plugin version <1.5.0 fails to check the authorization of the user to the Mattermost instance which allows attackers to create a channel subscription without proper authorization via API call to the create channel subscription endpoint. | 2025-08-11 | 7.2 | CVE-2025-44004 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to update channel subscription endpoint with an invalid request body. | 2025-08-11 | 7.5 | CVE-2025-52931 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to edit channel subscriptions via API call to the edit channel subscription endpoint. | 2025-08-11 | 7.2 | CVE-2025-54478 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to create channel subscription endpoint with an invalid request body. | 2025-08-11 | 7.5 | CVE-2025-54525 |
| Mechrevo--Control Center GX V2 | A vulnerability was found in Mechrevo Control Center GX V2 5.56.51.48. Affected by this vulnerability is an unknown functionality of the component reg File Handler. The manipulation leads to uncontrolled search path. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7 | CVE-2025-9000 |
| Mechrevo--Control Center GX V2 | A vulnerability was identified in Mechrevo Control Center GX V2 5.56.51.48. This affects an unknown part of the file C:\Program Files\OEM\机械é©å‘½æŽ§åˆ¶ä¸å¿ƒ\AiStoneService\MyControlCenter\Command of the component Powershell Script Handler. The manipulation leads to uncontrolled search path. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7 | CVE-2025-9016 |
| Metagauss--ProfileGrid | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows Blind SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.5.3. | 2025-08-14 | 8.5 | CVE-2025-49033 |
| Microsoft--Azure File Sync | Improper access control in Azure File Sync allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-53729 |
| Microsoft--Azure Stack Hub 2408 | Improper authentication in Azure Stack allows an unauthorized attacker to disclose information over a network. | 2025-08-12 | 7.5 | CVE-2025-53793 |
| Microsoft--DCasv5-series Azure VM | Improper access control in Azure Virtual Machines allows an authorized attacker to perform spoofing locally. | 2025-08-12 | 7.9 | CVE-2025-49707 |
| Microsoft--DCasv5-series Azure VM | Exposure of sensitive information to an unauthorized actor in Azure Virtual Machines allows an authorized attacker to disclose information over a network. | 2025-08-12 | 7.7 | CVE-2025-53781 |
| Microsoft--Microsoft 365 Apps for Enterprise | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2025-08-12 | 8.4 | CVE-2025-53784 |
| Microsoft--Microsoft Exchange Server 2019 Cumulative Update 14 | Exposure of sensitive information to an unauthorized actor in Microsoft Exchange Server allows an unauthorized attacker to disclose information over a network. | 2025-08-12 | 7.5 | CVE-2025-33051 |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-08-12 | 8.4 | CVE-2025-53731 |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-08-12 | 8.4 | CVE-2025-53740 |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office Visio allows an unauthorized attacker to execute code locally. | 2025-08-12 | 7.8 | CVE-2025-53730 |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office Visio allows an unauthorized attacker to execute code locally. | 2025-08-12 | 7.8 | CVE-2025-53734 |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2025-08-12 | 7.8 | CVE-2025-53738 |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. | 2025-08-12 | 7.8 | CVE-2025-53761 |
| Microsoft--Microsoft Office for Android | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-08-12 | 7.8 | CVE-2025-53732 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2025-08-12 | 8.8 | CVE-2025-49712 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Incorrect conversion between numeric types in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2025-08-12 | 8.4 | CVE-2025-53733 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Server-side request forgery (ssrf) in Microsoft Office SharePoint allows an authorized attacker to elevate privileges over a network. | 2025-08-12 | 7.1 | CVE-2025-53760 |
| Microsoft--Microsoft SQL Server 2017 (GDR) | Improper access control in SQL Server allows an authorized attacker to elevate privileges over a network. | 2025-08-12 | 8.8 | CVE-2025-24999 |
| Microsoft--Microsoft SQL Server 2017 (GDR) | Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | 2025-08-12 | 8.8 | CVE-2025-49758 |
| Microsoft--Microsoft SQL Server 2017 (GDR) | Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | 2025-08-12 | 8.8 | CVE-2025-49759 |
| Microsoft--Microsoft SQL Server 2022 (GDR) | Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | 2025-08-12 | 8.8 | CVE-2025-47954 |
| Microsoft--Microsoft SQL Server 2022 for x64-based Systems (CU 20) | Improper neutralization of special elements used in an sql command ('sql injection') in SQL Server allows an authorized attacker to elevate privileges over a network. | 2025-08-12 | 8.8 | CVE-2025-53727 |
| Microsoft--Microsoft Visual Studio 2022 version 17.14 | Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code locally. | 2025-08-12 | 7.8 | CVE-2025-53773 |
| Microsoft--Office Online Server | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-08-12 | 7.8 | CVE-2025-53735 |
| Microsoft--Office Online Server | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-08-12 | 7.8 | CVE-2025-53737 |
| Microsoft--Office Online Server | Access of resource using incompatible type ('type confusion') in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-08-12 | 7.8 | CVE-2025-53739 |
| Microsoft--Office Online Server | Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-08-12 | 7.8 | CVE-2025-53741 |
| Microsoft--Office Online Server | Use of uninitialized resource in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-08-12 | 7.8 | CVE-2025-53759 |
| Microsoft--Teams for D365 Remote Assist HoloLens | Heap-based buffer overflow in Microsoft Teams allows an unauthorized attacker to execute code over a network. | 2025-08-12 | 7.5 | CVE-2025-53783 |
| Microsoft--Web Deploy 4.0 | Deserialization of untrusted data in Web Deploy allows an authorized attacker to execute code over a network. | 2025-08-12 | 8.8 | CVE-2025-53772 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network. | 2025-08-12 | 9.8 | CVE-2025-53766 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Message Queuing allows an unauthorized attacker to execute code over a network. | 2025-08-12 | 8.1 | CVE-2025-50177 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over a network. | 2025-08-12 | 8.8 | CVE-2025-53131 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to elevate privileges over a network. | 2025-08-12 | 8 | CVE-2025-53132 |
| Microsoft--Windows 10 Version 1809 | Access of resource using incompatible type ('type confusion') in Windows Message Queuing allows an authorized attacker to execute code over a network. | 2025-08-12 | 8.8 | CVE-2025-53143 |
| Microsoft--Windows 10 Version 1809 | Access of resource using incompatible type ('type confusion') in Windows Message Queuing allows an authorized attacker to execute code over a network. | 2025-08-12 | 8.8 | CVE-2025-53144 |
| Microsoft--Windows 10 Version 1809 | Access of resource using incompatible type ('type confusion') in Windows Message Queuing allows an authorized attacker to execute code over a network. | 2025-08-12 | 8.8 | CVE-2025-53145 |
| Microsoft--Windows 10 Version 1809 | Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. | 2025-08-12 | 8.8 | CVE-2025-53778 |
| Microsoft--Windows 10 Version 1809 | Improper restriction of communication channel to intended endpoints in Windows Hyper-V allows an authorized attacker to execute code locally. | 2025-08-12 | 7.5 | CVE-2025-48807 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-49761 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7 | CVE-2025-49762 |
| Microsoft--Windows 10 Version 1809 | Use after free in Desktop Windows Manager allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-50153 |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. | 2025-08-12 | 7.5 | CVE-2025-50154 |
| Microsoft--Windows 10 Version 1809 | Access of resource using incompatible type ('type confusion') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-50155 |
| Microsoft--Windows 10 Version 1809 | Time-of-check time-of-use (toctou) race condition in Windows NTFS allows an unauthorized attacker to disclose information locally. | 2025-08-12 | 7 | CVE-2025-50158 |
| Microsoft--Windows 10 Version 1809 | Use after free in Remote Access Point-to-Point Protocol (PPP) EAP-TLS allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.3 | CVE-2025-50159 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.3 | CVE-2025-50161 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Hyper-V allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7 | CVE-2025-50167 |
| Microsoft--Windows 10 Version 1809 | Improper handling of insufficient permissions or privileges in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-50170 |
| Microsoft--Windows 10 Version 1809 | Weak authentication in Windows Installer allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-50173 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7 | CVE-2025-53134 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows DirectX allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7 | CVE-2025-53135 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7 | CVE-2025-53137 |
| Microsoft--Windows 10 Version 1809 | Use after free in Kernel Transaction Manager allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7 | CVE-2025-53140 |
| Microsoft--Windows 10 Version 1809 | Null pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-53141 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7 | CVE-2025-53147 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Kernel Streaming WOW Thunk Service Driver allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-53149 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Kernel allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-53151 |
| Microsoft--Windows 10 Version 1809 | Use after free in Desktop Windows Manager allows an authorized attacker to execute code locally. | 2025-08-12 | 7.8 | CVE-2025-53152 |
| Microsoft--Windows 10 Version 1809 | Null pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-53154 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Hyper-V allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-53155 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7 | CVE-2025-53718 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7 | CVE-2025-53721 |
| Microsoft--Windows 10 Version 1809 | Uncontrolled resource consumption in Windows Remote Desktop Services allows an unauthorized attacker to deny service over a network. | 2025-08-12 | 7.5 | CVE-2025-53722 |
| Microsoft--Windows 10 Version 1809 | Numeric truncation error in Windows Hyper-V allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-53723 |
| Microsoft--Windows 10 Version 1809 | Access of resource using incompatible type ('type confusion') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-53724 |
| Microsoft--Windows 10 Version 1809 | Access of resource using incompatible type ('type confusion') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-53725 |
| Microsoft--Windows 10 Version 1809 | Access of resource using incompatible type ('type confusion') in Windows Push Notifications allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-53726 |
| Microsoft--Windows 10 Version 1809 | Missing authentication for critical function in Windows StateRepository API allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-53789 |
| Microsoft--Windows 11 version 22H2 | Access of resource using incompatible type ('type confusion') in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-50168 |
| Microsoft--Windows 11 version 22H2 | Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7 | CVE-2025-53142 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-08-12 | 8.8 | CVE-2025-49757 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network. | 2025-08-12 | 8 | CVE-2025-50160 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network. | 2025-08-12 | 8 | CVE-2025-50162 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-08-12 | 8.8 | CVE-2025-50163 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network. | 2025-08-12 | 8 | CVE-2025-50164 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to execute code over a network. | 2025-08-12 | 8 | CVE-2025-53720 |
| Microsoft--Windows Server 2022 | Missing authorization in Remote Desktop Server allows an unauthorized attacker to perform spoofing over a network. | 2025-08-12 | 9.1 | CVE-2025-50171 |
| Microsoft--Windows Server 2022 | Access of resource using incompatible type ('type confusion') in Graphics Kernel allows an authorized attacker to execute code locally. | 2025-08-12 | 7.8 | CVE-2025-50176 |
| Microsoft--Windows Server 2025 (Server Core installation) | Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network. | 2025-08-12 | 9.8 | CVE-2025-50165 |
| Microsoft--Windows Server 2025 (Server Core installation) | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows SMB allows an unauthorized attacker to execute code over a network. | 2025-08-12 | 7.5 | CVE-2025-50169 |
| Microsoft--Windows Server 2025 (Server Core installation) | Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7.8 | CVE-2025-53133 |
| Microsoft--Windows Server 2025 (Server Core installation) | Relative path traversal in Windows Kerberos allows an authorized attacker to elevate privileges over a network. | 2025-08-12 | 7.2 | CVE-2025-53779 |
| Microsoft--Windows Subsystem for Linux (WSL2) | Time-of-check time-of-use (toctou) race condition in Windows Subsystem for Linux allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 7 | CVE-2025-53788 |
| mrdenny--Time Sheets | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mrdenny Time Sheets allows Reflected XSS. This issue affects Time Sheets: from n/a through 2.1.3. | 2025-08-14 | 7.1 | CVE-2025-49054 |
| MSoft--MFlash | A vulnerability has been found in the MSoft MFlash application that allows execution of arbitrary code on the server. The issue occurs in the integration configuration functionality that is only available to MFlash administrators. The vulnerability is related to insufficient validation of parameters when setting up security components. This issue affects MFlash v. 8.0 and possibly others. To mitigate apply 8.2-653 hotfix 11.06.2025 and above. | 2025-08-15 | 9.1 | CVE-2025-9060 |
| N/A--Flowise | User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request. | 2025-08-14 | 9.8 | CVE-2025-55346 |
| N/A--Flowise | The Custom MCPs feature is designed to execute OS commands, for instance, using tools like `npx` to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the default installation operates without authentication unless explicitly configured. This combination allows unauthenticated network attackers to execute unsandboxed OS commands. | 2025-08-14 | 9.8 | CVE-2025-8943 |
| n/a--Intel(R) 700 Series Ethernet | Improper input validation in the Linux kernel-mode driver for some Intel(R) 700 Series Ethernet before version 2.28.5 may allow an authenticated user to potentially enable escalation of privilege. | 2025-08-12 | 7.5 | CVE-2025-21086 |
| n/a--Intel(R) 700 Series Ethernet | Improper input validation in the Linux kernel-mode driver for some Intel(R) 700 Series Ethernet before version 2.28.5 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.8 | CVE-2025-24486 |
| n/a--Intel(R) 700 Series Ethernet | Insufficient control flow management in the Linux kernel-mode driver for some Intel(R) 700 Series Ethernet before version 2.28.5 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.8 | CVE-2025-25273 |
| n/a--Intel(R) 800 Series Ethernet | Improper check for unusual or exceptional conditions in the Linux kernel-mode driver for some Intel(R) 800 Series Ethernet before version 1.17.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 8.2 | CVE-2025-20093 |
| n/a--Intel(R) 800 Series Ethernet | Improper input validation in the Linux kernel-mode driver for some Intel(R) 800 Series Ethernet before version 1.17.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 8.8 | CVE-2025-24325 |
| n/a--Intel(R) 800 Series Ethernet | Integer overflow or wraparound in the Linux kernel-mode driver for some Intel(R) 800 Series Ethernet before version 1.17.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.8 | CVE-2025-22836 |
| n/a--Intel(R) 800 Series Ethernet | Insufficient control flow management in the Linux kernel-mode driver for some Intel(R) 800 Series Ethernet before version 1.17.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.8 | CVE-2025-22893 |
| n/a--Intel(R) 800 Series Ethernet | Integer overflow or wraparound in the Linux kernel-mode driver for some Intel(R) 800 Series Ethernet before version 1.17.2 may allow an authenticated user to potentially enable denial of service via local access. | 2025-08-12 | 7.3 | CVE-2025-23241 |
| n/a--Intel(R) 800 Series Ethernet | Improper check for unusual or exceptional conditions in the Linux kernel-mode driver for some Intel(R) 800 Series Ethernet before version 1.17.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.8 | CVE-2025-24303 |
| n/a--Intel(R) 800 Series Ethernet | Improper input validation in the Linux kernel-mode driver for some Intel(R) 800 Series Ethernet before version 1.17.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.8 | CVE-2025-24484 |
| n/a--Intel(R) Connectivity Performance Suite software installers | Time-of-check Time-of-use race condition for some Intel(R) Connectivity Performance Suite software installers before version 40.24.11210 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.8 | CVE-2025-20074 |
| n/a--Intel(R) Converged Security and Management Engine | Time-of-check time-of-use race condition in firmware for some Intel(R) Converged Security and Management Engine may allow a privileged user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.2 | CVE-2025-20037 |
| n/a--Intel(R) Processors | Improper Isolation or Compartmentalization in the stream cache mechanism for some Intel(R) Processors may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.8 | CVE-2025-20109 |
| n/a--Intel(R) PROSet/Wireless WiFi Software for Windows | Improper conditions check for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.110.0.5 may allow an unauthenticated user to potentially enable denial of service via adjacent access. | 2025-08-12 | 7.4 | CVE-2025-20625 |
| n/a--Intel(R) Xeon(R) 6 processor with Intel(R) TDX | Improper handling of overlap between protected memory ranges for some Intel(R) Xeon(R) 6 processor with Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.9 | CVE-2025-22889 |
| n/a--Intel(R) Xeon(R) 6 Processors when using Intel(R) SGX or Intel(R) TDX | Improperly implemented security check for standard in the DDRIO configuration for some Intel(R) Xeon(R) 6 Processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.2 | CVE-2025-32086 |
| n/a--Intel(R) Xeon(R) 6 processors when using Intel(R) SGX or Intel(R) TDX | Out-of-bounds write in the memory subsystem for some Intel(R) Xeon(R) 6 processors when using Intel(R) SGX or Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.2 | CVE-2025-26403 |
| n/a--Intel(R) Xeon(R) 6 Scalable processors | Insufficient granularity of access control in the OOB-MSM for some Intel(R) Xeon(R) 6 Scalable processors may allow a privileged user to potentially enable escalation of privilege via adjacent access. | 2025-08-12 | 7.5 | CVE-2025-22839 |
| n/a--Intel(R) Xeon(R) 6 Scalable processors | Sequence of processor instructions leads to unexpected behavior for some Intel(R) Xeon(R) 6 Scalable processors may allow an authenticated user to potentially enable escalation of privilege via local access | 2025-08-12 | 7.4 | CVE-2025-22840 |
| n/a--Intel(R) Xeon(R) Processor firmware with SGX enabled | Improper buffer restrictions for some Intel(R) Xeon(R) Processor firmware with SGX enabled may allow a privileged user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.2 | CVE-2025-20053 |
| n/a--Intel(R) Xeon(R) processors | Insufficient control flow management in the Alias Checking Trusted Module (ACTM) firmware for some Intel(R) Xeon(R) processors may allow a privileged user to potentially enable escalation of privilege via local access. | 2025-08-12 | 7.2 | CVE-2025-24305 |
| n/a--PostgreSQL | Untrusted data inclusion in pg_dump in PostgreSQL allows a malicious superuser of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands. pg_dumpall is also affected. pg_restore is affected when used to generate a plain-format dump. This is similar to MySQL CVE-2024-21096. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. | 2025-08-14 | 8.8 | CVE-2025-8714 |
| n/a--PostgreSQL | Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks can achieve SQL injection as a superuser of the restore target server. pg_dumpall, pg_restore, and pg_upgrade are also affected. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. Versions before 11.20 are unaffected. CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it. | 2025-08-14 | 8.8 | CVE-2025-8715 |
| nasa--CryptoLib | CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. A heap buffer overflow vulnerability exists in NASA CryptoLib version 1.4.0 and prior in the IV setup logic for telecommand frames. The problem arises from missing bounds checks when copying the Initialization Vector (IV) into a freshly allocated buffer. An attacker can supply a crafted TC frame that causes the library to write one byte past the end of the heap buffer, leading to heap corruption and undefined behaviour. An attacker supplying a malformed telecommand frame can corrupt heap memory. This leads to undefined behaviour, which could manifest itself as a crash (denial of service) or more severe exploitation. This issue has been patched in version 1.4.0. | 2025-08-11 | 8.6 | CVE-2025-54878 |
| NVIDIA--Megatron-LM | NVIDIA Megatron-LM for all platforms contains a vulnerability in the tools component, where an attacker may exploit a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-08-13 | 7.8 | CVE-2025-23305 |
| NVIDIA--Megatron-LM | NVIDIA Megatron-LM for all platforms contains a vulnerability in the megatron/training/ arguments.py component where an attacker could cause a code injection issue by providing a malicious input. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-08-13 | 7.8 | CVE-2025-23306 |
| NVIDIA--NVIDIA Apex | NVIDIA Apex for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue by providing a malicious file. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-08-13 | 7.8 | CVE-2025-23295 |
| NVIDIA--NVIDIA Isaac-GR00T N1 | NVIDIA Isaac-GR00T for all platforms contains a vulnerability in a Python component where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-08-13 | 7.8 | CVE-2025-23296 |
| NVIDIA--NVIDIA Merlin Transformers4Rec | NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability in a python dependency, where an attacker could cause a code injection issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2025-08-13 | 7.8 | CVE-2025-23298 |
| NVIDIA--NVIDIA NeMo Framework | NVIDIA NeMo Framework for all platforms contains a vulnerability where a user could cause a deserialization of untrusted data by remote code execution. A successful exploit of this vulnerability might lead to code execution and data tampering. | 2025-08-13 | 7.8 | CVE-2025-23303 |
| NVIDIA--NVIDIA NeMo Framework | NVIDIA NeMo library for all platforms contains a vulnerability in the model loading component, where an attacker could cause code injection by loading .nemo files with maliciously crafted metadata. A successful exploit of this vulnerability may lead to remote code execution and data tampering. | 2025-08-13 | 7.8 | CVE-2025-23304 |
| NVIDIA--NVIDIA WebDataset | NVIDIA WebDataset for all platforms contains a vulnerability where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial of service. | 2025-08-13 | 7.8 | CVE-2025-23294 |
| octagonwebstudio--Premium Addons for KingComposer | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in octagonwebstudio Premium Addons for KingComposer allows PHP Local File Inclusion. This issue affects Premium Addons for KingComposer: from n/a through 1.1.1. | 2025-08-14 | 8.1 | CVE-2025-49036 |
| Omnissa--Omnissa Workspace ONE UEM | Omnissa Workspace ONE UEM contains a Secondary Context Path Traversal Vulnerability. A malicious actor may be able to gain access to sensitive information by sending crafted GET requests (read-only) to restricted API endpoints. | 2025-08-11 | 7.5 | CVE-2025-25231 |
| Omnissa--Secure Email Gateway | Server-Side Request Forgery (SSRF) in Omnissa Secure Email Gateway (SEG) in SEG prior to 2.32 running on Windows and SEG prior to 2503 running on UAG allows routing of network traffic such as HTTP requests to internal networks. | 2025-08-11 | 8.6 | CVE-2025-25235 |
| OpenAI--Codex CLI | Using Codex CLI in workspace-write mode inside a malicious context (repo, directory, etc) could lead to arbitrary file overwrite and potentially remote code execution due to symlinks being followed outside the allowed current working directory. | 2025-08-13 | 8.8 | CVE-2025-55345 |
| OpenHarmony--OpenHarmony | in OpenHarmony v5.0.3 and prior versions allow a local attacker arbitrary code execution in tcb through use after free. | 2025-08-11 | 8.4 | CVE-2025-24298 |
| OpenHarmony--OpenHarmony | in OpenHarmony v5.0.3 and prior versions allow a local attacker arbitrary code execution in tcb through race condition. | 2025-08-11 | 8.4 | CVE-2025-25278 |
| OpenHarmony--OpenHarmony | in OpenHarmony v5.0.3 and prior versions allow a local attacker arbitrary code execution in tcb through use after free. | 2025-08-11 | 8.4 | CVE-2025-27128 |
| OpenHarmony--OpenHarmony | in OpenHarmony v5.0.3 and prior versions allow a local attacker arbitrary code execution in tcb through race condition. | 2025-08-11 | 8.4 | CVE-2025-27577 |
| ovatheme--Cube Portfolio | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ovatheme Cube Portfolio allows SQL Injection. This issue affects Cube Portfolio: from n/a through 1.16.8. | 2025-08-14 | 8.5 | CVE-2025-52823 |
| pencidesign--Soledad | The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.6.7 via the 'header_layout' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | 2025-08-16 | 8.8 | CVE-2025-8142 |
| pencidesign--Soledad | The The Soledad theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.6.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2025-08-16 | 7.3 | CVE-2025-8105 |
| Phoenix Contact--DaUM | A low-privileged local attacker can exploit improper permissions on nssm.exe to escalate their privileges and gain administrative access. | 2025-08-12 | 7.8 | CVE-2025-41686 |
| PHPGurukul--Beauty Parlour Management System | A vulnerability was found in PHPGurukul Beauty Parlour Management System 1.1. Affected by this vulnerability is an unknown functionality of the file /book-appointment.php. The manipulation of the argument Message leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9024 |
| PHPGurukul--Hospital Management System | A vulnerability was identified in PHPGurukul Hospital Management System 4.0. This affects an unknown part of the file /admin/doctor-specilization.php. The manipulation of the argument doctorspecilization leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8954 |
| PHPGurukul--Hospital Management System | A vulnerability has been found in PHPGurukul Hospital Management System 4.0. This vulnerability affects unknown code of the file /admin/edit-doctor.php. The manipulation of the argument docfees leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8955 |
| PHPGurukul--Online Shopping Portal Project | A vulnerability was determined in PHPGurukul Online Shopping Portal Project 2.0. Affected by this issue is some unknown functionality of the file /shopping/signup.php. The manipulation of the argument emailid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9011 |
| PHPGurukul--Online Shopping Portal Project | A vulnerability was identified in PHPGurukul Online Shopping Portal Project 2.0. This affects an unknown part of the file shopping/bill-ship-addresses.php. The manipulation of the argument billingpincode leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9012 |
| PHPGurukul--Online Shopping Portal Project | A vulnerability has been found in PHPGurukul Online Shopping Portal Project 2.0. This vulnerability affects unknown code of the file /shopping/password-recovery.php. The manipulation of the argument emailid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9013 |
| PHPGurukul--Teachers Record Management System | A vulnerability has been found in PHPGurukul Teachers Record Management System 2.1. Affected is an unknown function of the file /admin/search.php. The manipulation of the argument searchdata leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8951 |
| primersoftware--Primer MyData for Woocommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in primersoftware Primer MyData for Woocommerce allows Reflected XSS. This issue affects Primer MyData for Woocommerce: from n/a through 4.2.5. | 2025-08-14 | 7.1 | CVE-2025-53575 |
| projectworlds--Online Notes Sharing Platform | A vulnerability has been found in projectworlds Online Notes Sharing Platform 1.0. This vulnerability affects unknown code of the file /login.php. The manipulation of the argument User leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8946 |
| projectworlds--Travel Management System | A vulnerability was found in projectworlds Travel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /addcategory.php. The manipulation of the argument t1 leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9050 |
| projectworlds--Travel Management System | A vulnerability was determined in projectworlds Travel Management System 1.0. Affected by this issue is some unknown functionality of the file /updatecategory.php. The manipulation of the argument t1 leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9051 |
| projectworlds--Travel Management System | A vulnerability was identified in projectworlds Travel Management System 1.0. This affects an unknown part of the file /updatepackage.php. The manipulation of the argument s1 leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9052 |
| projectworlds--Travel Management System | A vulnerability has been found in projectworlds Travel Management System 1.0. This vulnerability affects unknown code of the file /updatesubcategory.php. The manipulation of the argument t1/s1 leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9053 |
| projectworlds--Visitor Management System | A vulnerability was found in projectworlds Visitor Management System 1.0. This issue affects some unknown processing of the file /query_data.php. The manipulation of the argument dateF/dateP leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8947 |
| projectworlds--Visitor Management System | A vulnerability was determined in projectworlds Visitor Management System 1.0. Affected is an unknown function of the file /front.php. The manipulation of the argument rid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8948 |
| projectworlds--Visitor Management System | A vulnerability has been found in projectworlds Visitor Management System 1.0. Affected is an unknown function of the file /visitor_out.php. The manipulation of the argument rid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 7.3 | CVE-2025-9047 |
| PublishPress--Gutenberg Blocks | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PublishPress Gutenberg Blocks allows PHP Local File Inclusion. This issue affects Gutenberg Blocks: from n/a through 3.3.1. | 2025-08-14 | 7.5 | CVE-2025-48332 |
| railmedia--Order Tip for WooCommerce | The Order Tip for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Improper Input Validation in all versions up to, and including, 1.5.4. This is due to lack of server-side validation on the `data-tip` attribute, which makes it possible for unauthenticated attackers to apply an excessive or even negative tip amount, resulting in unauthorized discount up to free orders depending on the value submitted. | 2025-08-15 | 7.5 | CVE-2025-6025 |
| RealMag777--Google Map Targeting | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RealMag777 Google Map Targeting allows PHP Local File Inclusion. This issue affects Google Map Targeting: from n/a through 1.1.6. | 2025-08-14 | 8.8 | CVE-2025-52732 |
| RealMag777--MDTF | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 MDTF allows SQL Injection. This issue affects MDTF: from n/a through 1.3.3.7. | 2025-08-14 | 9.3 | CVE-2025-54707 |
| Red Hat--Red Hat Enterprise Linux 7 | A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020. | 2025-08-13 | 7.8 | CVE-2025-8941 |
| redqteam--Alike - WordPress Custom Post Comparison | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in redqteam Alike - WordPress Custom Post Comparison allows Reflected XSS. This issue affects Alike - WordPress Custom Post Comparison: from n/a through 3.0.1. | 2025-08-14 | 7.1 | CVE-2025-28975 |
| Rico Macchi--WP Links Page | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rico Macchi WP Links Page allows SQL Injection. This issue affects WP Links Page: from n/a through 4.9.6. | 2025-08-14 | 8.5 | CVE-2025-30998 |
| Risk Yazlm Teknolojileri Ltd. ti.--Reel Sektr Hazine ve Risk Ynetimi Yazlm | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Risk Yazılım Teknolojileri Ltd. Şti. Reel Sektör Hazine ve Risk Yönetimi Yazılımı allows SQL Injection, CAPEC - 7 - Blind SQL Injection.This issue affects Reel Sektör Hazine ve Risk Yönetimi Yazılımı: through 1.0.0.4. | 2025-08-15 | 7.2 | CVE-2025-1929 |
| RomanCode--MapSVG | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RomanCode MapSVG allows SQL Injection. This issue affects MapSVG: from n/a through n/a. | 2025-08-14 | 9.3 | CVE-2025-54669 |
| Ronik@UnlimitedWP--Project Cost Calculator | Missing Authorization vulnerability in Ronik@UnlimitedWP Project Cost Calculator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Project Cost Calculator: from n/a through 1.0.0. | 2025-08-14 | 7.1 | CVE-2025-52775 |
| Russell Jamieson--CaptionPix | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Russell Jamieson CaptionPix allows Reflected XSS. This issue affects CaptionPix: from n/a through 1.8. | 2025-08-14 | 7.1 | CVE-2025-52788 |
| SAP_SE--SAP Business One (SLD) | Due to broken authorization, SAP Business One (SLD) allows an authenticated attacker to gain administrator privileges of a database by invoking the corresponding API.�As a result , it has a high impact on the confidentiality, integrity, and availability of the application. | 2025-08-12 | 8.8 | CVE-2025-42951 |
| SAP_SE--SAP Landscape Transformation (Analysis Platform) | SAP Landscape Transformation (SLT) allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | 2025-08-12 | 9.9 | CVE-2025-42950 |
| SAP_SE--SAP NetWeaver Application Server ABAP (BIC Document) | SAP NetWeaver Application Server ABAP (BIC Document) allows an authenticated attacker to craft a request that, when submitted to a BIC Document application, could cause a memory corruption error. On successful exploitation, this results in the crash of the target component. Multiple submissions can make the target completely unavailable. A similarly crafted submission can be used to perform an out-of-bounds read operation as well, revealing sensitive information that is loaded in memory at that time. There is no ability to modify any information. | 2025-08-12 | 8.1 | CVE-2025-42976 |
| SAP_SE--SAP S/4HANA (Private Cloud or On-Premise) | SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC. This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks. This vulnerability effectively functions as a backdoor, creating the risk of full system compromise, undermining the confidentiality, integrity and availability of the system. | 2025-08-12 | 9.9 | CVE-2025-42957 |
| scriptsbundle--Exertio | Deserialization of Untrusted Data vulnerability in scriptsbundle Exertio allows Object Injection. This issue affects Exertio: from n/a through 1.3.2. | 2025-08-14 | 9.8 | CVE-2025-54686 |
| setriosoft--BizCalendar Web | The BizCalendar Web plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1.0.50 via the 'bizcalv' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. | 2025-08-15 | 7.5 | CVE-2025-7650 |
| Shabti Kaplan--Frontend Admin by DynamiApps | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps allows Blind SQL Injection. This issue affects Frontend Admin by DynamiApps: from n/a through 3.28.3. | 2025-08-14 | 8.5 | CVE-2025-49267 |
| shen2-- | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shen2 多说社会化评论框 allows Reflected XSS. This issue affects 多说社会化评论框: from n/a through 1.2. | 2025-08-14 | 7.1 | CVE-2025-49056 |
| Siemens--Automation License Manager V6.0 | The affected setup component is vulnerable to DLL hijacking. This could allow an attacker to execute arbitrary code when a legitimate user installs an application that uses the affected setup component. | 2025-08-12 | 7.8 | CVE-2025-30033 |
| Siemens--Mendix SAML (Mendix 10.12 compatible) | A vulnerability has been identified in Mendix SAML (Mendix 10.12 compatible) (All versions < V4.0.3), Mendix SAML (Mendix 10.21 compatible) (All versions < V4.1.2), Mendix SAML (Mendix 9.24 compatible) (All versions < V3.6.21). Affected versions of the module insufficiently enforce signature validation and binding checks. This could allow unauthenticated remote attackers to hijack an account in specific SSO configurations. | 2025-08-14 | 8.7 | CVE-2025-40758 |
| Siemens--RUGGEDCOM ROX MX5000 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions), RUGGEDCOM ROX MX5000RE (All versions), RUGGEDCOM ROX RX1400 (All versions), RUGGEDCOM ROX RX1500 (All versions), RUGGEDCOM ROX RX1501 (All versions), RUGGEDCOM ROX RX1510 (All versions), RUGGEDCOM ROX RX1511 (All versions), RUGGEDCOM ROX RX1512 (All versions), RUGGEDCOM ROX RX1524 (All versions), RUGGEDCOM ROX RX1536 (All versions), RUGGEDCOM ROX RX5000 (All versions). Affected devices do not properly limit access through its Built-In-Self-Test (BIST) mode. This could allow an attacker with physical access to the serial interface to bypass authentication and get access to a root shell on the device. | 2025-08-12 | 7.6 | CVE-2025-40761 |
| Siemens--SIMATIC PCS neo V4.1 | A vulnerability has been identified in SIMATIC PCS neo V4.1 (All versions), SIMATIC PCS neo V5.0 (All versions), SIMATIC PCS neo V6.0 (All versions), SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 V17 (All versions), SIMATIC STEP 7 V18 (All versions), SIMATIC STEP 7 V19 (All versions < V19 Update 4), SIMATIC STEP 7 V20 (All versions), SIMATIC WinCC V17 (All versions), SIMATIC WinCC V18 (All versions), SIMATIC WinCC V19 (All versions < V19 Update 4), SIMATIC WinCC V20 (All versions), SIMOCODE ES V17 (All versions), SIMOCODE ES V18 (All versions), SIMOCODE ES V19 (All versions), SIMOCODE ES V20 (All versions), SIMOTION SCOUT TIA V5.4 (All versions), SIMOTION SCOUT TIA V5.5 (All versions), SIMOTION SCOUT TIA V5.6 (All versions < V5.6 SP1 HF7), SIMOTION SCOUT TIA V5.7 (All versions), SINAMICS Startdrive V17 (All versions), SINAMICS Startdrive V18 (All versions), SINAMICS Startdrive V19 (All versions), SINAMICS Startdrive V20 (All versions), SIRIUS Safety ES V17 (TIA Portal) (All versions), SIRIUS Safety ES V18 (TIA Portal) (All versions), SIRIUS Safety ES V19 (TIA Portal) (All versions), SIRIUS Safety ES V20 (TIA Portal) (All versions), SIRIUS Soft Starter ES V17 (TIA Portal) (All versions), SIRIUS Soft Starter ES V18 (TIA Portal) (All versions), SIRIUS Soft Starter ES V19 (TIA Portal) (All versions), SIRIUS Soft Starter ES V20 (TIA Portal) (All versions), TIA Portal Cloud V17 (All versions), TIA Portal Cloud V18 (All versions), TIA Portal Cloud V19 (All versions < V5.2.1.1), TIA Portal Cloud V20 (All versions), TIA Portal Test Suite V20 (All versions). Affected products do not properly sanitize Interprocess Communication input received through a Windows Named Pipe accessible to all local users. This could allow an authenticated local attacker to cause a type confusion and execute arbitrary code within the affected application. | 2025-08-12 | 8.2 | CVE-2024-54678 |
| Siemens--SIMATIC RTLS Locating Manager | A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V3.2). Affected products do not properly validate input for a backup script. This could allow an authenticated remote attacker with high privileges in the application to execute arbitrary code with 'NT Authority/SYSTEM' privileges. | 2025-08-12 | 9.1 | CVE-2025-40746 |
| Siemens--SIMATIC S7-PLCSIM V17 | A vulnerability has been identified in SIMATIC S7-PLCSIM V17 (All versions), SIMATIC STEP 7 V17 (All versions), SIMATIC STEP 7 V18 (All versions), SIMATIC STEP 7 V19 (All versions < V19 Update 4), SIMATIC STEP 7 V20 (All versions), SIMATIC WinCC V17 (All versions), SIMATIC WinCC V18 (All versions), SIMATIC WinCC V19 (All versions < V19 Update 4), SIMATIC WinCC V20 (All versions), SIMOCODE ES V17 (All versions), SIMOCODE ES V18 (All versions), SIMOCODE ES V19 (All versions), SIMOCODE ES V20 (All versions), SIMOTION SCOUT TIA V5.4 (All versions), SIMOTION SCOUT TIA V5.5 (All versions), SIMOTION SCOUT TIA V5.6 (All versions < V5.6 SP1 HF7), SIMOTION SCOUT TIA V5.7 (All versions), SINAMICS Startdrive V17 (All versions), SINAMICS Startdrive V18 (All versions), SINAMICS Startdrive V19 (All versions), SINAMICS Startdrive V20 (All versions), SIRIUS Safety ES V17 (TIA Portal) (All versions), SIRIUS Safety ES V18 (TIA Portal) (All versions), SIRIUS Safety ES V19 (TIA Portal) (All versions), SIRIUS Safety ES V20 (TIA Portal) (All versions), SIRIUS Soft Starter ES V17 (TIA Portal) (All versions), SIRIUS Soft Starter ES V18 (TIA Portal) (All versions), SIRIUS Soft Starter ES V19 (TIA Portal) (All versions), SIRIUS Soft Starter ES V20 (TIA Portal) (All versions), TIA Portal Cloud V17 (All versions), TIA Portal Cloud V18 (All versions), TIA Portal Cloud V19 (All versions < V5.2.1.1), TIA Portal Cloud V20 (All versions). Affected products do not properly sanitize stored security properties when parsing project files. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. | 2025-08-12 | 7.8 | CVE-2025-40759 |
| Siemens--Simcenter Femap V2406 | A vulnerability has been identified in Simcenter Femap V2406 (All versions < V2406.0003), Simcenter Femap V2412 (All versions < V2412.0002). The affected applications contain an out of bounds write vulnerability when parsing a specially crafted STP file. This could allow an attacker to execute code in the context of the current process.(ZDI-CAN-26692) | 2025-08-12 | 7.8 | CVE-2025-40762 |
| Siemens--Simcenter Femap V2406 | A vulnerability has been identified in Simcenter Femap V2406 (All versions < V2406.0003), Simcenter Femap V2412 (All versions < V2412.0002). The affected applications contains an out of bounds read vulnerability while parsing specially crafted BMP files. This could allow an attacker to execute code in the context of the current process. | 2025-08-12 | 7.8 | CVE-2025-40764 |
| Siemens--SINEC Traffic Analyzer | A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V3.0). The affected application runs docker containers without adequate security controls to enforce isolation. This could allow an attacker to gain elevated access, potentially accessing sensitive host system resources. | 2025-08-12 | 7.8 | CVE-2025-40767 |
| Siemens--SINEC Traffic Analyzer | A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V3.0). The affected application exposes an internal service port to be accessible from outside the system. This could allow an unauthorized attacker to access the application. | 2025-08-12 | 7.3 | CVE-2025-40768 |
| Siemens--SINEC Traffic Analyzer | A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V3.0). The affected application uses a Content Security Policy that allows unsafe script execution methods. This could allow an attacker to execute unauthorized scripts, potentially leading to cross-site scripting attacks. | 2025-08-12 | 7.4 | CVE-2025-40769 |
| Siemens--SINEC Traffic Analyzer | A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions). The affected application uses a monitoring interface that is not operating in a strictly passive mode. This could allow an attacker to interact with the interface, leading to man-in-the-middle attacks. | 2025-08-12 | 7.4 | CVE-2025-40770 |
| Siemens--SINUMERIK 828D PPU.4 | A vulnerability has been identified in SINUMERIK 828D PPU.4 (All versions < V4.95 SP5), SINUMERIK 828D PPU.5 (All versions < V5.25 SP1), SINUMERIK 840D sl (All versions < V4.95 SP5), SINUMERIK MC (All versions < V1.25 SP1), SINUMERIK MC V1.15 (All versions < V1.15 SP5), SINUMERIK ONE (All versions < V6.25 SP1), SINUMERIK ONE V6.15 (All versions < V6.15 SP5). The affected application improperly validates authentication for its VNC access service, allowing access with insufficient password verification. This could allow an attacker to gain unauthorized remote access and potentially compromise system confidentiality, integrity, or availability. | 2025-08-12 | 8.3 | CVE-2025-40743 |
| Siemens--SIPROTEC 4 6MD61 | A vulnerability has been identified in SIPROTEC 4 6MD61 (All versions), SIPROTEC 4 6MD63 (All versions), SIPROTEC 4 6MD66 (All versions), SIPROTEC 4 6MD665 (All versions), SIPROTEC 4 7SA522 (All versions), SIPROTEC 4 7SA6 (All versions < V4.78), SIPROTEC 4 7SD5 (All versions < V4.78), SIPROTEC 4 7SD610 (All versions < V4.78), SIPROTEC 4 7SJ61 (All versions), SIPROTEC 4 7SJ62 (All versions), SIPROTEC 4 7SJ63 (All versions), SIPROTEC 4 7SJ64 (All versions), SIPROTEC 4 7SJ66 (All versions), SIPROTEC 4 7SS52 (All versions), SIPROTEC 4 7ST6 (All versions), SIPROTEC 4 7UM61 (All versions), SIPROTEC 4 7UM62 (All versions), SIPROTEC 4 7UT612 (All versions), SIPROTEC 4 7UT613 (All versions), SIPROTEC 4 7UT63 (All versions), SIPROTEC 4 7VE6 (All versions), SIPROTEC 4 7VK61 (All versions), SIPROTEC 4 7VU683 (All versions), SIPROTEC 4 Compact 7RW80 (All versions), SIPROTEC 4 Compact 7SD80 (All versions), SIPROTEC 4 Compact 7SJ80 (All versions), SIPROTEC 4 Compact 7SJ81 (All versions), SIPROTEC 4 Compact 7SK80 (All versions), SIPROTEC 4 Compact 7SK81 (All versions). Affected devices do not properly handle interrupted operations of file transfer. This could allow an unauthenticated remote attacker to cause a denial of service condition. To restore normal operations, the devices need to be restarted. | 2025-08-12 | 7.5 | CVE-2024-52504 |
| Siemens--SmartClient modules Opcenter QL Home (SC) | A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not enforce mandatory authorization on some functionality level at server side. This could allow an authenticated attacker to gain complete access of the application. | 2025-08-12 | 7.1 | CVE-2024-41979 |
| Soflyy--WP Dynamic Links | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Dynamic Links allows Reflected XSS. This issue affects WP Dynamic Links: from n/a through 1.0.1. | 2025-08-14 | 7.1 | CVE-2025-49038 |
| softnwords--SMM API | Missing Authorization vulnerability in softnwords SMM API allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SMM API: from n/a through 6.0.30. | 2025-08-14 | 7.1 | CVE-2025-52785 |
| Sound Strategies--SoundSt SEO Search | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sound Strategies SoundSt SEO Search allows Reflected XSS. This issue affects SoundSt SEO Search: from n/a through 1.2.3. | 2025-08-14 | 7.1 | CVE-2025-49058 |
| SourceCodester--Cashier Queuing System | A vulnerability has been found in SourceCodester Cashier Queuing System 1.0. Affected is an unknown function of the file /Actions.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8973 |
| SourceCodester--COVID 19 Testing Management System | A vulnerability was found in SourceCodester COVID 19 Testing Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /login.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-13 | 7.3 | CVE-2025-8926 |
| SourceCodester--COVID 19 Testing Management System | A vulnerability was determined in SourceCodester COVID 19 Testing Management System 1.0. Affected by this issue is some unknown functionality of the file /check_availability.php. The manipulation of the argument employeeid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8953 |
| SourceCodester--COVID 19 Testing Management System | A vulnerability was found in SourceCodester COVID 19 Testing Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /profile.php. The manipulation of the argument mobilenumber leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-08-14 | 7.3 | CVE-2025-8985 |
| SourceCodester--COVID 19 Testing Management System | A vulnerability was determined in SourceCodester COVID 19 Testing Management System 1.0. Affected by this issue is some unknown functionality of the file /search-report-result.php. The manipulation of the argument serachdata leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8986 |
| SourceCodester--COVID 19 Testing Management System | A vulnerability was identified in SourceCodester COVID 19 Testing Management System 1.0. This affects an unknown part of the file /test-details.php. The manipulation of the argument remark leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8987 |
| SourceCodester--COVID 19 Testing Management System | A vulnerability has been found in SourceCodester COVID 19 Testing Management System 1.0. This vulnerability affects unknown code of the file /bwdates-report-result.php. The manipulation of the argument fromdate leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 7.3 | CVE-2025-8988 |
| SourceCodester--COVID 19 Testing Management System | A vulnerability was found in SourceCodester COVID 19 Testing Management System 1.0. This issue affects some unknown processing of the file /edit-phlebotomist.php. The manipulation of the argument mobilenumber leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-08-14 | 7.3 | CVE-2025-8989 |
| SourceCodester--Online Bank Management System | A vulnerability was determined in SourceCodester Online Bank Management System up to 1.0. This vulnerability affects unknown code of the file /bank/transfer.php. The manipulation of the argument email leads to sql injection. The attack can be initiated remotely. | 2025-08-15 | 7.3 | CVE-2025-9021 |
| SourceCodester--Online Bank Management System | A vulnerability was identified in SourceCodester Online Bank Management System up to 1.0. This issue affects some unknown processing of the file /bank/statements.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. | 2025-08-15 | 7.3 | CVE-2025-9022 |
| Stirling-Tools--Stirling-PDF | Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, when using the /api/v1/convert/html/pdf endpoint to convert HTML to PDF, the backend calls a third-party tool to process it and includes a sanitizer for security sanitization which can be bypassed and result in SSRF. This issue has been patched in version 1.1.0. | 2025-08-11 | 8.6 | CVE-2025-55150 |
| Stirling-Tools--Stirling-PDF | Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, the "convert file to pdf" functionality (/api/v1/convert/file/pdf) uses LibreOffice's unoconvert tool for conversion, and SSRF vulnerabilities exist during the conversion process. This issue has been patched in version 1.1.0. | 2025-08-11 | 8.6 | CVE-2025-55151 |
| Stirling-Tools--Stirling-PDF | Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, when using the /api/v1/convert/markdown/pdf endpoint to convert Markdown to PDF, the backend calls a third-party tool to process it and includes a sanitizer for security sanitization which can be bypassed and result in SSRF. This issue has been patched in version 1.1.0. | 2025-08-11 | 8.6 | CVE-2025-55161 |
| stmcan--RT-Theme 18 | Extensions | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in stmcan RT-Theme 18 | Extensions allows PHP Local File Inclusion. This issue affects RT-Theme 18 | Extensions: from n/a through 2.4. | 2025-08-14 | 7.5 | CVE-2025-32288 |
| storychief--StoryChief | The StoryChief plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.0.42. This vulnerability occurs through the /wp-json/storychief/webhook REST-API endpoint that does not have sufficient filetype validation. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-08-16 | 9.8 | CVE-2025-7441 |
| Surbowl--dormitory-management-php | A vulnerability was identified in Surbowl dormitory-management-php 1.0. This affects an unknown part of the file login.php. The manipulation of the argument Account leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-15 | 7.3 | CVE-2025-9002 |
| Tenda--AC20 | A vulnerability was determined in Tenda AC20 up to 16.03.08.12. Affected is an unknown function of the file /goform/WifiGuestSet. The manipulation of the argument shareSpeed leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 8.8 | CVE-2025-8939 |
| Tenda--AC20 | A vulnerability was identified in Tenda AC20 up to 16.03.08.12. Affected by this vulnerability is the function strcpy of the file /goform/saveParentControlInfo. The manipulation of the argument Time leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 8.8 | CVE-2025-8940 |
| Tenda--AC20 | A vulnerability was identified in Tenda AC20 16.03.08.12. This issue affects the function sub_46A2AC of the file /goform/setMacFilterCfg. The manipulation of the argument deviceList leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 8.8 | CVE-2025-9046 |
| Tenda--AC20 | A vulnerability has been found in Tenda AC20 16.03.08.12. This affects the function set_qosMib_list of the file /goform/SetNetControlList of the component SetNetControlList Endpoint. The manipulation of the argument list leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-16 | 8.8 | CVE-2025-9087 |
| Tenda--AC20 | A vulnerability was found in Tenda AC20 16.03.08.12. This vulnerability affects the function save_virtualser_data of the file /goform/formSetVirtualSer. The manipulation of the argument list leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-16 | 8.8 | CVE-2025-9088 |
| Tenda--AC20 | A vulnerability was determined in Tenda AC20 16.03.08.12. This issue affects the function sub_48E628 of the file /goform/SetIpMacBind. The manipulation of the argument list leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-16 | 8.8 | CVE-2025-9089 |
| Tenda--AC7 | A vulnerability has been found in Tenda AC7 and AC18 15.03.05.19/15.03.06.44. Affected is the function formSetSchedLed of the file /goform/SetLEDCfg. The manipulation of the argument Time leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 8.8 | CVE-2025-9023 |
| Tenda--CH22 | A vulnerability was identified in Tenda CH22 1.0.0.1. Affected by this vulnerability is the function formdelFileName of the file /goform/delFileName. The manipulation leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 8.8 | CVE-2025-9006 |
| Tenda--CH22 | A vulnerability has been found in Tenda CH22 1.0.0.1. Affected by this issue is the function formeditFileName of the file /goform/editFileName. The manipulation leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 8.8 | CVE-2025-9007 |
| Tenda--TX3 | A vulnerability was identified in Tenda TX3 16.03.13.11_multi_TDE01. Affected by this vulnerability is an unknown functionality of the file /goform/fast_setting_wifi_set. The manipulation of the argument ssid leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 8.8 | CVE-2025-8958 |
| thembay--Urna | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through 2.5.7. | 2025-08-14 | 8.1 | CVE-2025-54689 |
| ThemeAtelier--IDonatePro | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeAtelier IDonatePro allows PHP Local File Inclusion. This issue affects IDonatePro: from n/a through 2.1.9. | 2025-08-14 | 8.1 | CVE-2025-30635 |
| ThemeAtelier--IDonatePro | Missing Authorization vulnerability in ThemeAtelier IDonatePro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IDonatePro: from n/a through 2.1.9. | 2025-08-14 | 7.5 | CVE-2025-30639 |
| themefunction--WordPress Event Manager, Event Calendar and Booking Plugin | Missing Authorization vulnerability in themefunction WordPress Event Manager, Event Calendar and Booking Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Event Manager, Event Calendar and Booking Plugin: from n/a through 4.0.24. | 2025-08-14 | 7.5 | CVE-2025-52731 |
| ThemeMove--Makeaholic | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Makeaholic allows PHP Local File Inclusion. This issue affects Makeaholic: from n/a through 1.8.4. | 2025-08-14 | 8.1 | CVE-2025-54700 |
| ThemeMove--Unicamp | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through 2.6.3. | 2025-08-14 | 8.1 | CVE-2025-54701 |
| themeStek--Xinterio | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themeStek Xinterio allows PHP Local File Inclusion. This issue affects Xinterio: from n/a through 4.2. | 2025-08-14 | 8.1 | CVE-2025-54690 |
| themeum--Tutor LMS Pro | The Tutor LMS Pro - eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the 'order' parameter used in the get_submitted_assignments() function in all versions up to, and including, 3.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Tutor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Only the Pro version is affected. | 2025-08-13 | 8.8 | CVE-2025-6184 |
| ThimPress--WP Pipes | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress WP Pipes allows PHP Local File Inclusion. This issue affects WP Pipes: from n/a through 1.4.3. | 2025-08-14 | 8.1 | CVE-2025-28979 |
| tosend.it--Simple Poll | Cross-Site Request Forgery (CSRF) vulnerability in tosend.it Simple Poll allows Stored XSS. This issue affects Simple Poll: from n/a through 1.1.1. | 2025-08-14 | 7.1 | CVE-2025-49044 |
| uicore--UiCore Elements Free Elementor widgets and templates | The UiCore Elements - Free Elementor widgets and templates plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.3.0 via the prepare_template() function due to a missing capability check and insufficient controls on the filename specified. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-08-12 | 7.5 | CVE-2025-6253 |
| Unity Business Technology Pty Ltd--The E-Commerce ERP | Missing Authorization vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects The E-Commerce ERP: from n/a through 2.1.1.3. | 2025-08-14 | 7.3 | CVE-2025-52800 |
| ValvePress--Pinterest Automatic Pin | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ValvePress Pinterest Automatic Pin allows SQL Injection. This issue affects Pinterest Automatic Pin: from n/a through n/a. | 2025-08-14 | 8.5 | CVE-2025-39510 |
| vertim--Neon Channel Product Customizer Free | Missing Authorization vulnerability in vertim Neon Channel Product Customizer Free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Neon Channel Product Customizer Free: from n/a through 2.0. | 2025-08-14 | 7.5 | CVE-2025-54679 |
| VonStroheim--TheBooking | Missing Authorization vulnerability in VonStroheim TheBooking allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects TheBooking: from n/a through 1.4.4. | 2025-08-14 | 7.3 | CVE-2025-52801 |
| WebCodingPlace--Responsive Posts Carousel WordPress Plugin | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebCodingPlace Responsive Posts Carousel WordPress Plugin allows PHP Local File Inclusion. This issue affects Responsive Posts Carousel WordPress Plugin: from n/a through 15.0. | 2025-08-14 | 7.5 | CVE-2025-52728 |
| Webilop--User Language Switch | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webilop User Language Switch allows Reflected XSS. This issue affects User Language Switch: from n/a through 1.6.10. | 2025-08-14 | 7.1 | CVE-2025-49064 |
| WellChoose--Organization Portal System | Organization Portal System developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server. | 2025-08-13 | 9.8 | CVE-2025-8913 |
| WellChoose--Organization Portal System | Organization Portal System developed by WellChoose has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | 2025-08-13 | 7.5 | CVE-2025-8912 |
| WinterChenS--my-site | A vulnerability has been found in WinterChenS my-site up to 1f7525f15934d9d6a278de967f6ec9f1757738d8. This vulnerability affects the function preHandle of the file /admin/ of the component Backend Interface. The manipulation of the argument uri leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The code maintainer responded to the issue that "[he] tried it, and using this link automatically redirects to the login page." | 2025-08-11 | 7.3 | CVE-2025-8838 |
| wipeoutmedia--CSS & JavaScript Toolbox | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in wipeoutmedia CSS & JavaScript Toolbox allows PHP Local File Inclusion. This issue affects CSS & JavaScript Toolbox: from n/a through n/a. | 2025-08-14 | 7.5 | CVE-2025-3703 |
| WP Royal Themes--News Magazine X | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Royal Themes News Magazine X allows PHP Local File Inclusion. This issue affects News Magazine X: from n/a through 1.2.37. | 2025-08-14 | 7.5 | CVE-2025-24766 |
| WP Swings--Membership For WooCommerce | Missing Authorization vulnerability in WP Swings Membership For WooCommerce allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Membership For WooCommerce: from n/a through 2.9.0. | 2025-08-14 | 7.5 | CVE-2025-54692 |
| WPFactory--Product XML Feed Manager for WooCommerce | Improper Control of Generation of Code ('Code Injection') vulnerability in WPFactory Product XML Feed Manager for WooCommerce allows Remote Code Inclusion. This issue affects Product XML Feed Manager for WooCommerce: from n/a through 2.9.3. | 2025-08-14 | 9.9 | CVE-2025-49887 |
| youki-dev--youki | Youki is a container runtime written in Rust. Prior to version 0.5.5, if /proc and /sys in the rootfs are symbolic links, they can potentially be exploited to gain access to the host root filesystem. This issue has been patched in version 0.5.5. | 2025-08-14 | 7 | CVE-2025-54867 |
| Zoom Communications Inc--Zoom Clients for Windows | Untrusted search path in certain Zoom Clients for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access | 2025-08-12 | 9.6 | CVE-2025-49457 |
| ZoomIt--FoodMenu | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt FoodMenu allows Reflected XSS. This issue affects FoodMenu: from n/a through 1.20. | 2025-08-14 | 7.1 | CVE-2025-29014 |
| ZoomIt--WooCommerce Shop Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ZoomIt WooCommerce Shop Page Builder allows Reflected XSS. This issue affects WooCommerce Shop Page Builder: from n/a through 2.27.7. | 2025-08-14 | 7.1 | CVE-2025-28999 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 1000 Projects--Sales Management System | A vulnerability was identified in 1000 Projects Sales Management System 1.0. This issue affects some unknown processing of the file /superstore/admin/sales.php. The manipulation of the argument ssalescat leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 4.3 | CVE-2025-8933 |
| 1000 Projects--Sales Management System | A vulnerability has been found in 1000 Projects Sales Management System 1.0. Affected is an unknown function of the file /sales.php. The manipulation of the argument select2112 leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 4.3 | CVE-2025-8934 |
| 10up--Simple Local Avatars | The Simple Local Avatars plugin for WordPress is vulnerable to unauthorized modification of data in version 2.8.4. This is due to a missing capability check on the migrate_from_wp_user_avatar() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to migrate avatar metadata for all users. | 2025-08-12 | 4.3 | CVE-2025-8482 |
| AA Web Servant--12 Step Meeting List | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA Web Servant 12 Step Meeting List allows Stored XSS. This issue affects 12 Step Meeting List: from n/a through 3.18.3. | 2025-08-14 | 6.5 | CVE-2025-54054 |
| ABB--Aspect | Missing Authentication for Critical Function vulnerability in ABB Aspect.This issue affects Aspect: All versions. | 2025-08-11 | 5.1 | CVE-2025-7677 |
| addix--Simple Responsive Slider | The Simple Responsive Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-12 | 6.4 | CVE-2025-8690 |
| Adobe--Adobe Commerce | Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by a Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability that could result in a security feature bypass. An attacker could exploit this vulnerability by manipulating the timing between the check of a resource's state and its use, allowing unauthorized write access. Exploitation of this issue does not require user interaction. | 2025-08-12 | 5.9 | CVE-2025-49558 |
| Adobe--Adobe Commerce | Adobe Commerce versions 2.4.9-alpha1, 2.4.8-p1, 2.4.7-p6, 2.4.6-p11, 2.4.5-p13, 2.4.4-p14 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to modify limited data. Exploitation of this issue does not require user interaction. | 2025-08-12 | 5.3 | CVE-2025-49559 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54233 |
| Adobe--Animate | Animate versions 23.0.12, 24.0.9 and earlier are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-49562 |
| Adobe--Dimension | Dimension versions 4.1.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54238 |
| Adobe--Illustrator | Illustrator versions 28.7.8, 29.6.1 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing a disruption in service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-49567 |
| Adobe--Illustrator | Illustrator versions 28.7.8, 29.6.1 and earlier are affected by a Use After Free vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-49568 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54214 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54227 |
| Adobe--InDesign Desktop | InDesign Desktop versions 20.4, 19.5.4 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54228 |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54186 |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54197 |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54198 |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54199 |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54200 |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54201 |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54202 |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54203 |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54204 |
| Adobe--Substance3D - Modeler | Substance3D - Modeler versions 1.22.0 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54235 |
| Adobe--Substance3D - Painter | Substance3D - Painter versions 11.0.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54188 |
| Adobe--Substance3D - Painter | Substance3D - Painter versions 11.0.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54189 |
| Adobe--Substance3D - Painter | Substance3D - Painter versions 11.0.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54190 |
| Adobe--Substance3D - Painter | Substance3D - Painter versions 11.0.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54191 |
| Adobe--Substance3D - Painter | Substance3D - Painter versions 11.0.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54192 |
| Adobe--Substance3D - Painter | Substance3D - Painter versions 11.0.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54193 |
| Adobe--Substance3D - Painter | Substance3D - Painter versions 11.0.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54194 |
| Adobe--Substance3D - Painter | Substance3D - Painter versions 11.0.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54195 |
| Adobe--Substance3D - Sampler | Substance3D - Sampler versions 5.0.3 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-08-12 | 5.5 | CVE-2025-54205 |
| aide--aide | AIDE is an advanced intrusion detection environment. Prior to version 0.19.2, there is an improper output neutralization vulnerability in AIDE. An attacker can craft a malicious filename by including terminal escape sequences to hide the addition or removal of the file from the report and/or tamper with the log output. A local user might exploit this to bypass the AIDE detection of malicious files. Additionally the output of extended attribute key names and symbolic links targets are also not properly neutralized. This issue has been patched in version 0.19.2. A workaround involves configuring AIDE to write the report output to a regular file, redirecting stdout to a regular file, or redirecting the log output written to stderr to a regular file. | 2025-08-14 | 6.2 | CVE-2025-54389 |
| aide--aide | AIDE is an advanced intrusion detection environment. From versions 0.13 to 0.19.1, there is a null pointer dereference vulnerability in AIDE. An attacker can crash the program during report printing or database listing after setting extended file attributes with an empty attribute value or with a key containing a comma. A local user might exploit this to cause a local denial of service. This issue has been patched in version 0.19.2. A workaround involves removing xattrs group from rules matching files on affected file systems. | 2025-08-14 | 6.2 | CVE-2025-54409 |
| alobaidi--Alobaidi Captcha | The Alobaidi Captcha plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-08-15 | 4.4 | CVE-2025-8080 |
| Amazon--ECS | We identified an issue in the Amazon ECS agent where, under certain conditions, an introspection server could be accessed off-host by another instance if the instances are in the same security group or if their security groups allow incoming connections that include the port where the server is hosted. This issue does not affect instances where the option to allow off-host access to the introspection server is set to 'false'. This issue has been addressed in ECS agent version 1.97.1. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. If customers cannot update to the latest AMI, they can modify the Amazon EC2 security groups to restrict incoming access to the introspection server port (51678). | 2025-08-14 | 4.3 | CVE-2025-9039 |
| AMI--AptioV | AMI APTIOV contains a vulnerability in BIOS where a user may cause "Improper Initialization" by local accessing. Successful exploitation of this vulnerability may leave the resource in an unexpected state and potentially impact confidentiality, integrity, and availability. | 2025-08-12 | 4.2 | CVE-2025-22834 |
| anwppro--AnWP Football Leagues | The AnWP Football Leagues plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 0.16.17 via the 'download_csv_players' and 'download_csv_games' functions. This makes it possible for authenticated attackers, with Administrator-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | 2025-08-12 | 4.8 | CVE-2025-8767 |
| artiosmedia--RSS Feed Pro | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in artiosmedia RSS Feed Pro allows Stored XSS. This issue affects RSS Feed Pro: from n/a through 1.1.8. | 2025-08-14 | 5.9 | CVE-2025-53581 |
| ashanjay--EventON Events Calendar | The EventON Lite plugin for WordPress is vulnerable to Information Exposure in all versions less than, or equal to, 2.4.6 via the add_single_eventon and add_eventon shortcodes due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | 2025-08-15 | 4.3 | CVE-2025-8091 |
| Ashish--AI Tools | Missing Authorization vulnerability in Ashish AI Tools allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Tools: from n/a through 4.0.7. | 2025-08-14 | 6.5 | CVE-2025-50029 |
| Astoundify--WP Modal Popup with Cookie Integration | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify WP Modal Popup with Cookie Integration allows Reflected XSS. This issue affects WP Modal Popup with Cookie Integration: from n/a through 2.4. | 2025-08-14 | 5.9 | CVE-2025-54683 |
| Axis Communications AB--AXIS OS | An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-08-12 | 6.7 | CVE-2025-30027 |
| Axis Communications AB--AXIS OS | ACAP applications can be executed with elevated privileges, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application. | 2025-08-12 | 6.7 | CVE-2025-3892 |
| Ays Pro--Chartify | Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Chartify allows Cross Site Request Forgery. This issue affects Chartify: from n/a through 3.5.3. | 2025-08-14 | 4.3 | CVE-2025-54673 |
| ays-pro--Poll Maker Versus Polls, Anonymous Polls, Image Polls | The Poll Maker - Versus Polls, Anonymous Polls, Image Polls plugin for WordPress is vulnerable to Basic Information Exposure in all versions up to, and including, 5.8.9 via the 'ays_finish_poll' AJAX action. This makes it possible for unauthenticated attackers to retrieve admin email information which is exposed in the poll response. | 2025-08-16 | 5.3 | CVE-2024-12575 |
| bcupham--Video Expander | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bcupham Video Expander allows Stored XSS. This issue affects Video Expander: from n/a through 1.0. | 2025-08-14 | 6.5 | CVE-2025-52771 |
| biscia7--Hide Text Shortcode | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in biscia7 Hide Text Shortcode allows Stored XSS. This issue affects Hide Text Shortcode: from n/a through 1.1. | 2025-08-14 | 6.5 | CVE-2025-49051 |
| bobbingwide--oik | Cross-Site Request Forgery (CSRF) vulnerability in bobbingwide oik allows Cross Site Request Forgery. This issue affects oik: from n/a through 4.15.2. | 2025-08-14 | 4.3 | CVE-2025-54671 |
| BoldGrid--Post and Page Builder by BoldGrid Visual Drag and Drop Editor | Path Traversal vulnerability in BoldGrid Post and Page Builder by BoldGrid - Visual Drag and Drop Editor allows Path Traversal. This issue affects Post and Page Builder by BoldGrid - Visual Drag and Drop Editor: from n/a through 1.27.8. | 2025-08-14 | 4.2 | CVE-2025-52712 |
| Bosch Rexroth AG--ctrlX OS - Setup | A vulnerability in the Task API endpoint of the ctrlX OS setup mechanism allowed a remote, unauthenticated attacker to access and extract internal application data, including potential debug logs and the version of installed apps. | 2025-08-14 | 5.3 | CVE-2025-48861 |
| bPlugins--B Blocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Blocks allows DOM-Based XSS. This issue affects B Blocks: from n/a through 2.0.5. | 2025-08-14 | 6.5 | CVE-2025-54708 |
| bplugins--B Slider- Gutenberg Slider Block for WP | The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in versions less than, or equal to, 2.0.0 via the get_active_plugins function. This makes it possible for authenticated attackers, with subscriber-level access and above to extract sensitive data including installed plugin information. | 2025-08-15 | 4.3 | CVE-2025-8676 |
| bplugins--B Slider- Gutenberg Slider Block for WP | The B Slider- Gutenberg Slider Block for WP plugin for WordPress is vulnerable to Server-Side Request Forgery in version less than, or equal to, 2.0.0 via the fs_api_request function. This makes it possible for authenticated attackers, with subscriber-level access and above to make web requests to arbitrary locations originating from the web application which can be used to query and modify information from internal services. | 2025-08-15 | 4.3 | CVE-2025-8680 |
| bPlugins--Button Block | Cross-Site Request Forgery (CSRF) vulnerability in bPlugins Button Block allows Cross Site Request Forgery. This issue affects Button Block: from n/a through 1.2.0. | 2025-08-14 | 4.3 | CVE-2025-54694 |
| Brainstorm Force--SureDash | Insertion of Sensitive Information Into Sent Data vulnerability in Brainstorm Force SureDash allows Retrieve Embedded Sensitive Data. This issue affects SureDash: from n/a through 1.1.0. | 2025-08-14 | 6.5 | CVE-2025-54685 |
| Brother Industries, Ltd--HL-L8260CDN | By using the "uscan" protocol provided by the eSCL specification, an attacker can discover the serial number of multi-function printers that implement the Brother-provided firmware. This serial number can, in turn, can be leveraged by the flaw described by CVE-2024-51978 to calculate the default administrator password. This flaw is similar to CVE-2024-51977, with the only difference being the protocol by which an attacker can use to learn the remote device's serial number. The eSCL/uscan vector is typically only exposed on the local network. Any discovery service that implements the eSCL specification can be used to exploit this vulnerability, and one such implementation is the runZero Explorer. Changing the default administrator password will render this vulnerability virtually worthless, since the calculated default administrator password would no longer be the correct password. | 2025-08-12 | 4.3 | CVE-2025-8452 |
| cartpauj--Shortcode Redirect | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cartpauj Shortcode Redirect allows Stored XSS. This issue affects Shortcode Redirect: from n/a through 1.0.02. | 2025-08-14 | 6.5 | CVE-2025-54746 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient input validation of commands that are supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input for specific commands. A successful exploit could allow the attacker to execute commands on the underlying operating system as root. | 2025-08-14 | 6 | CVE-2025-20237 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient input validation of commands that are supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input for specific commands. A successful exploit could allow the attacker to execute commands on the underlying operating system as root. | 2025-08-14 | 6 | CVE-2025-20238 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the implementation of access control rules for loopback interfaces in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to send traffic that should have been blocked to a loopback interface. This vulnerability is due to improper enforcement of access control rules for loopback interfaces. An attacker could exploit this vulnerability by sending traffic to a loopback interface on an affected device. A successful exploit could allow the attacker to bypass configured access control rules and send traffic that should have been blocked to a loopback interface on the device. | 2025-08-14 | 5.3 | CVE-2025-20219 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a memory leak, resulting in a denial of service (DoS) condition. This vulnerability is due to improper parsing of IKEv2 packets. An attacker could exploit this vulnerability by sending a continuous stream of crafted IKEv2 packets to an affected device. A successful exploit could allow the attacker to partially exhaust system memory, causing system instability like being unable to establish new IKEv2 VPN sessions. A manual reboot of the device is required to recover from this condition. | 2025-08-14 | 5.8 | CVE-2025-20224 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a memory leak, resulting in a denial of service (DoS) condition. This vulnerability is due to improper parsing of IKEv2 packets. An attacker could exploit this vulnerability by sending a continuous stream of crafted IKEv2 packets to an affected device. A successful exploit could allow the attacker to partially exhaust system memory, causing system instability like being unable to establish new IKEv2 VPN sessions. A manual reboot of the device is required to recover from this condition. | 2025-08-14 | 5.8 | CVE-2025-20252 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the Internet Key Exchange Version 2 (IKEv2) module of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a memory leak, resulting in a denial of service (DoS) condition. This vulnerability is due to improper parsing of IKEv2 packets. An attacker could exploit this vulnerability by sending a continuous stream of crafted IKEv2 packets to an affected device. A successful exploit could allow the attacker to partially exhaust system memory, causing system instability like being unable to establish new IKEv2 VPN sessions. A manual reboot of the device is required to recover from this condition. | 2025-08-14 | 5.8 | CVE-2025-20254 |
| Cisco--Cisco Adaptive Security Appliance (ASA) Software | A vulnerability in the DHCP client functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, adjacent attacker to exhaust available memory. This vulnerability is due to improper validation of incoming DHCP packets. An attacker could exploit this vulnerability by repeatedly sending crafted DHCPv4 packets to an affected device. A successful exploit could allow the attacker to exhaust available memory, which would affect availability of services and prevent new processes from starting, resulting in a Denial of Service (DoS) condition that would require a manual reboot. Note: On Cisco Secure FTD Software, this vulnerability does not affect management interfaces. | 2025-08-14 | 4.3 | CVE-2025-20135 |
| Cisco--Cisco Firepower Management Center | A vulnerability in the CLI of Cisco Secure Firewall Management Center (FMC) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system as root. This vulnerability is due to improper input validation for specific CLI commands. An attacker could exploit this vulnerability by injecting operating system commands into a legitimate command. A successful exploit could allow the attacker to escape the restricted command prompt and execute arbitrary commands on the underlying operating system. To successfully exploit this vulnerability, an attacker would need valid Administrator credentials. For more information about vulnerable scenarios, see the Details ["#details"] section of this advisory. | 2025-08-14 | 6 | CVE-2025-20220 |
| Cisco--Cisco Firepower Management Center | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface. An attacker could exploit this vulnerability by inserting crafted input into various data fields in an affected interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | 2025-08-14 | 6.1 | CVE-2025-20235 |
| Cisco--Cisco Firepower Management Center | A vulnerability in the web-based management interface of Cisco Secure FMC Software could allow an authenticated, low-privileged, remote attacker to access troubleshoot files for a different domain. This vulnerability is due to missing authorization checks. An attacker could exploit this vulnerability by directly accessing a troubleshoot file for a different domain that is managed on the same Cisco Secure FMC instance. A successful exploit could allow the attacker to retrieve a troubleshoot file for a different domain, which could allow the attacker to access sensitive information contained in the troubleshoot file. | 2025-08-14 | 6.5 | CVE-2025-20301 |
| Cisco--Cisco Firepower Management Center | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an authenticated, remote attacker to retrieve sensitive information from an affected device. This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending a crafted request to the web-based management interface of an affected device. A successful exploit could allow the attacker to retrieve sensitive information from the affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2025-08-14 | 4.9 | CVE-2025-20218 |
| Cisco--Cisco Firepower Management Center | A vulnerability in the web-based management interface of Cisco Secure FMC Software could allow an authenticated, low-privileged, remote attacker to retrieve a generated report from a different domain. This vulnerability is due to missing authorization checks. An attacker could exploit this vulnerability by directly accessing a generated report file for a different domain that is managed on the same Cisco Secure FMC instance. A successful exploit could allow the attacker to access a previously run report for a different domain, which could allow an attacker to read activity recorded in that domain. | 2025-08-14 | 4.3 | CVE-2025-20302 |
| Cisco--Cisco Firepower Management Center | A vulnerability in the web-based management interface of Cisco Secure Firewall Management Center (FMC) Software could allow an authenticated, remote attacker with Administrator-level privileges to execute arbitrary commands on the underlying operating system. This vulnerability is due to insufficient input validation of certain HTTP request parameters that are sent to the web-based management interface. An attacker could exploit this vulnerability by authenticating to the interface and sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to execute commands as the root user on the affected device. To exploit this vulnerability, an attacker would need Administrator-level credentials. | 2025-08-14 | 4.9 | CVE-2025-20306 |
| Cisco--Cisco Firepower Threat Defense Software | A vulnerability in the Geolocation-Based Remote Access (RA) VPN feature of Cisco Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to bypass configured policies to allow or deny HTTP connections based on a country or region. This vulnerability exists because the URL string is not fully parsed. An attacker could exploit this vulnerability by sending a crafted HTTP connection through the targeted device. A successful exploit could allow the attacker to bypass configured policies and gain access to a network where the connection should have been denied. | 2025-08-14 | 5.8 | CVE-2025-20268 |
| Cisco--IOS | A vulnerability in the Internet Key Exchange Version 2 (IKEv2) feature of Cisco IOS Software, IOS XE Software, Secure Firewall Adaptive Security Appliance (ASA) Software, and Secure Firewall Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to trigger a memory leak, resulting in a denial of service (DoS) condition. This vulnerability is due to a lack of proper processing of IKEv2 packets. An attacker could exploit this vulnerability by sending crafted IKEv2 packets to an affected device. In the case of Cisco IOS and IOS XE Software, a successful exploit could allow the attacker to cause the device to reload unexpectedly. In the case of Cisco ASA and FTD Software, a successful exploit could allow the attacker to partially exhaust system memory, causing system instability such as being unable to establish new IKEv2 VPN sessions. A manual reboot of the device is required to recover from this condition. | 2025-08-14 | 5.8 | CVE-2025-20225 |
| code-projects--eBlog Site | A vulnerability was identified in code-projects eBlog Site 1.0. Affected by this vulnerability is an unknown functionality of the file /native/admin/save-slider.php of the component File Upload Module. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-11 | 6.3 | CVE-2025-8859 |
| code-projects--Hostel Management System | A vulnerability was found in code-projects Hostel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file hostel_manage.exe of the component Login Form. The manipulation of the argument uname leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 5.3 | CVE-2025-8962 |
| code-projects--Hostel Management System | A vulnerability was identified in code-projects Hostel Management System 1.0. This affects an unknown part of the file hostel_manage.exe of the component Login. The manipulation leads to improper authentication. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 5.3 | CVE-2025-8964 |
| code-projects--Medical Store Management System | A vulnerability was identified in code-projects Medical Store Management System 1.0. This affects an unknown part of the file UpdateMedicines.java of the component Update Medicines Page. The manipulation of the argument productNameTxt leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-13 | 6.3 | CVE-2025-8928 |
| code-projects--Medical Store Management System | A vulnerability has been found in code-projects Medical Store Management System 1.0. This vulnerability affects unknown code of the file MainPanel.java. The manipulation of the argument searchTxt leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-13 | 6.3 | CVE-2025-8929 |
| code-projects--Medical Store Management System | A vulnerability was found in code-projects Medical Store Management System 1.0. This issue affects some unknown processing of the file UpdateCompany.java of the component Update Company Page. The manipulation of the argument companyNameTxt leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 6.3 | CVE-2025-8930 |
| code-projects--Medical Store Management System | A vulnerability was determined in code-projects Medical Store Management System 1.0. Affected is an unknown function of the file ChangePassword.java. The manipulation of the argument newPassTxt leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 6.3 | CVE-2025-8931 |
| code-projects--Simple Cafe Ordering System | A vulnerability was determined in code-projects Simple Cafe Ordering System 1.0. Affected by this issue is some unknown functionality of the file /portal.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 6.3 | CVE-2025-9025 |
| codeablepress--CodeablePress | Missing Authorization vulnerability in codeablepress CodeablePress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CodeablePress: from n/a through 1.0.0. | 2025-08-14 | 4.3 | CVE-2025-53221 |
| cozmoslabs--User Profile Builder Beautiful User Registration Forms, User Profiles & User Role Editor | The User Profile Builder - Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gdpr_communication_preferences[]' parameter in all versions up to, and including, 3.14.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This is only exploitable when the GDPR Communication Preferences module is enabled and at least one GDPR Communication Preferences field has been added to the edit profile form. | 2025-08-16 | 6.4 | CVE-2025-8896 |
| CreativeMindsSolutions--CM On Demand Search And Replace | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM On Demand Search And Replace allows Stored XSS. This issue affects CM On Demand Search And Replace: from n/a through 1.5.2. | 2025-08-14 | 5.9 | CVE-2025-54727 |
| CreativeMindsSolutions--CM On Demand Search And Replace | Cross-Site Request Forgery (CSRF) vulnerability in CreativeMindsSolutions CM On Demand Search And Replace allows Cross Site Request Forgery. This issue affects CM On Demand Search And Replace: from n/a through 1.5.2. | 2025-08-14 | 4.3 | CVE-2025-54728 |
| CreativeThemes--Blocksy | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeThemes Blocksy allows Stored XSS. This issue affects Blocksy: from n/a through 2.1.6. | 2025-08-14 | 5.9 | CVE-2025-55713 |
| CRM Perks--Connector for Gravity Forms and Google Sheets | Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Connector for Gravity Forms and Google Sheets allows Cross Site Request Forgery. This issue affects Connector for Gravity Forms and Google Sheets: from n/a through 1.2.4. | 2025-08-14 | 5.4 | CVE-2025-54682 |
| CRM Perks--Connector for Gravity Forms and Google Sheets | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Connector for Gravity Forms and Google Sheets allows Phishing. This issue affects Connector for Gravity Forms and Google Sheets: from n/a through 1.2.4. | 2025-08-14 | 4.7 | CVE-2025-54681 |
| CRM Perks--Integration for Contact Form 7 and Constant Contact | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CRM Perks Integration for Contact Form 7 and Constant Contact allows Stored XSS. This issue affects Integration for Contact Form 7 and Constant Contact: from n/a through 1.1.7. | 2025-08-14 | 5.9 | CVE-2025-54684 |
| Crocoblock--JetElements For Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor allows Stored XSS. This issue affects JetElements For Elementor: from n/a through 2.7.9. | 2025-08-14 | 6.5 | CVE-2025-55714 |
| Crocoblock--JetEngine | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine allows Stored XSS. This issue affects JetEngine: from n/a through 3.7.1.2. | 2025-08-14 | 6.5 | CVE-2025-54688 |
| Crocoblock--JetProductGallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetProductGallery allows Stored XSS. This issue affects JetProductGallery: from n/a through 2.2.0.2. | 2025-08-14 | 6.5 | CVE-2025-54749 |
| Crocoblock--JetTabs | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs allows DOM-Based XSS. This issue affects JetTabs: from n/a through 2.2.9.1. | 2025-08-14 | 6.5 | CVE-2025-54687 |
| D-Link--DIR-619L | A vulnerability was determined in D-Link DIR-619L 6.02CN02. Affected is the function FirmwareUpgrade of the component boa. The manipulation leads to insufficient verification of data authenticity. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-14 | 6.6 | CVE-2025-8978 |
| D-Link--DIR818L | A vulnerability was found in D-Link DIR‑818L up to 1.05B01. This issue affects the function getenv of the file /htdocs/cgibin of the component ssdpcgi. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 6.3 | CVE-2025-8956 |
| Dariolee--Netease Music | Missing Authorization vulnerability in Dariolee Netease Music allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Netease Music: from n/a through 3.2.1. | 2025-08-14 | 4.3 | CVE-2025-49052 |
| delabon--Woocommerce Blocks Woolook | The Woocommerce Blocks - Woolook plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.0 via the via the 'tab' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. Please note that this can also be exploited via CSRF techniques. | 2025-08-16 | 6.6 | CVE-2024-8393 |
| Dell--CloudLink | Dell CloudLink, versions 8.0 through 8.1.1, contains an Improper Restriction of XML External Entity Reference vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Denial of service. | 2025-08-14 | 5.5 | CVE-2025-26484 |
| Dell--Data Lakehouse | Dell Data Lakehouse, versions prior to 1.5.0.0, contains an Execution with Unnecessary Privileges vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Denial of service. | 2025-08-14 | 6.7 | CVE-2025-21110 |
| Dell--OpenManage Enterprise | Dell OpenManage Enterprise, versions 3.10, 4.0, 4.1, and 4.2, contains an Insertion of Sensitive Information into Log File vulnerability in the Backup and Restore. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | 2025-08-14 | 4.8 | CVE-2025-38745 |
| Dell--SupportAssist for Business PCs | SupportAssist for Business PCs, version(s) 4.5.3 and prior, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges. | 2025-08-14 | 6.7 | CVE-2025-36612 |
| Dell--SupportAssist for Home PCs | SupportAssist for Home PCs Installer exe version(s) 4.8.2.29006 and prior, contain(s) an Incorrect Privilege Assignment vulnerability in the Installer. A low privileged attacker with local access could potentially exploit this vulnerability, leading to elevation of privileges. | 2025-08-14 | 6.7 | CVE-2025-38738 |
| Dmitry V. (CEO of "UKR Solution")--Barcode Scanner with Inventory & Order Manager | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager allows Path Traversal. This issue affects Barcode Scanner with Inventory & Order Manager: from n/a through 1.9.0. | 2025-08-14 | 4.9 | CVE-2025-54715 |
| e-plugins--WP Membership | Missing Authorization vulnerability in e-plugins WP Membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Membership: from n/a through 1.6.3. | 2025-08-14 | 5.4 | CVE-2025-54717 |
| earnware--Earnware Connect | The Earnware Connect plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ew_hasrole' shortcode in all versions up to, and including, 1.0.73 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-16 | 6.4 | CVE-2025-7651 |
| ebernstein--Inline Stock Quotes | The Inline Stock Quotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-12 | 6.4 | CVE-2025-8688 |
| elemntor--Elementor Website Builder More Than Just a Page Builder | The Elementor plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.30.2 via the Import_Images::import() function due to insufficient controls on the filename specified. This makes it possible for authenticated attackers, with administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-08-12 | 4.9 | CVE-2025-8081 |
| elinkcontent--elink Embed Content | The elink - Embed Content plugin for WordPress is vulnerable to Malicious Redirect in all versions up to, and including, 1.1.0. This is due to the plugin not restricting URLS that can be supplied through the elink shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to supply an HTML file that can be leverged to redirect users to a malicious domain. | 2025-08-15 | 6.4 | CVE-2025-7507 |
| emarket-design--Project Management, Bug and Issue Tracking Plugin Software Issue Manager | The Software Issue Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'noaccess_msg parameter in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-12 | 6.4 | CVE-2025-8314 |
| emilien--Wp chart generator | The Wp chart generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpchart shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-12 | 6.4 | CVE-2025-8685 |
| evigeo--Gestion de tarifs | The Gestion de tarifs plugin for WordPress is vulnerable to SQL Injection via the 'tarif' and 'intitule' shortcodes in all versions up to, and including, 1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-08-15 | 6.5 | CVE-2025-7662 |
| F5--BIG-IP | An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack). Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2025-08-13 | 5.3 | CVE-2025-54500 |
| FirebirdSQL--firebird | Firebird is a relational database. Prior to versions 3.0.13, 4.0.6, and 5.0.3, there is an XDR message parsing NULL pointer dereference denial-of-service vulnerability in Firebird. This specific flaw exists within the parsing of xdr message from client. It leads to NULL pointer dereference and DoS. This issue has been patched in versions 3.0.13, 4.0.6, and 5.0.3. | 2025-08-15 | 5.3 | CVE-2025-54989 |
| flexostudio--flexo-social-gallery | Cross-Site Request Forgery (CSRF) vulnerability in flexostudio flexo-social-gallery allows Cross Site Request Forgery. This issue affects flexo-social-gallery: from n/a through 1.0006. | 2025-08-14 | 4.3 | CVE-2025-52769 |
| Fortinet--FortiADC | An improper neutralization of special elements used in an OS Command ("OS Command Injection") vulnerability [CWE-78] in Fortinet FortiADC version 7.2.0 and before 7.1.1 allows a remote and authenticated attacker with low privilege to execute unauthorized code via specifically crafted HTTP parameters. | 2025-08-12 | 6.6 | CVE-2025-49813 |
| Fortinet--FortiManager | An Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability [CWE-22] in Fortinet FortiManager version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.9 and below 7.0.13 & FortiManager Cloud version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5 and before 7.2.9 allows an authenticated remote attacker to overwrite arbitrary files via FGFM crafted requests. | 2025-08-12 | 5.2 | CVE-2024-52964 |
| Fortinet--FortiOS | An incorrect privilege assignment vulnerability [CWE-266] in FortiOS Security Fabric version 7.6.0 through 7.6.2, 7.4.0 through 7.4.7, 7.2 all versions, 7.0 all versions, 6.4 all versions, may allow a remote authenticated attacker with high privileges to escalate their privileges to super-admin via registering the device to a malicious FortiManager. | 2025-08-12 | 6.8 | CVE-2025-53744 |
| Fortinet--FortiOS | An Integer Overflow or Wraparound vulnerability [CWE-190] in FortiOS version 7.6.2 and below, version 7.4.7 and below, version 7.2.10 and below, 7.2 all versions, 6.4 all versions, FortiProxy version 7.6.2 and below, version 7.4.3 and below, 7.2 all versions, 7.0 all versions, 2.0 all versions and FortiPAM version 1.5.0, version 1.4.2 and below, 1.3 all versions, 1.2 all versions, 1.1 all versions, 1.0 all versions SSL-VPN RDP and VNC bookmarks may allow an authenticated user to affect the device SSL-VPN availability via crafted requests. | 2025-08-12 | 4.8 | CVE-2025-25248 |
| Fortinet--FortiPAM | A double free vulnerability [CWE-415] in Fortinet FortiOS version 7.4.0, version 7.2.0 through 7.2.5 and before 7.0.12, FortiProxy version 7.4.0 through 7.4.1, version 7.2.0 through 7.2.7 and before 7.0.13 and FortiPAM version 1.1.0 through 1.1.2 and before 1.0.3 allows a privileged attacker to execute code or commands via crafted HTTP or HTTPs requests. | 2025-08-12 | 6.3 | CVE-2023-45584 |
| Fortinet--FortiRecorder | Multiple relative path traversal vulnerabilities [CWE-23] in Fortinet FortiMail version 7.6.0 through 7.6.1 and before 7.4.3, FortiVoice version 7.0.0 through 7.0.5 and before 7.4.9, FortiRecorder version 7.2.0 through 7.2.1 and before 7.0.4, FortiCamera & FortiNDR version 7.6.0 and before 7.4.6 may allow a privileged attacker to read files from the underlying filesystem via crafted CLI requests. | 2025-08-12 | 4.2 | CVE-2024-40588 |
| Fortinet--FortiSOAR | A relative path traversal vulnerability [CWE-23] in FortiSOAR 7.6.0, 7.5.0 through 7.5.1, 7.4 all versions, 7.3 all versions may allow an authenticated attacker to read arbitrary files via uploading a malicious solution pack. | 2025-08-12 | 6.4 | CVE-2024-48892 |
| Fortinet--FortiSOAR | An Improper neutralization of input during web page generation ('cross-site scripting') vulnerability [CWE-79] in FortiSOAR version 7.6.1 and below, version 7.5.1 and below, 7.4 all versions, 7.3 all versions, 7.2 all versions, 7.0 all versions, 6.4 all versions WEB UI may allow an authenticated remote attacker to perform an XSS attack via stored malicious service requests | 2025-08-12 | 6.2 | CVE-2025-32932 |
| Fortinet--FortiWeb | An improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability [CWE-78] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and before 7.0.10 allows an authenticated privileged attacker to execute unauthorized code or commands via crafted CLI commands | 2025-08-12 | 6.7 | CVE-2025-27759 |
| Fortinet--FortiWeb | A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiWeb CLI version 7.6.0 through 7.6.3 and before 7.4.8 allows a privileged attacker to execute arbitrary code or commands via crafted CLI commands | 2025-08-12 | 6.3 | CVE-2025-32766 |
| Fortinet--FortiWeb | A improper neutralization of special elements used in an os command ('os command injection') vulnerability [CWE-78] in Fortinet FortiWeb CLI version 7.6.0 through 7.6.3 and before 7.4.8 allows a privileged attacker to execute arbitrary code or command via crafted CLI commands. | 2025-08-12 | 6.5 | CVE-2025-47857 |
| FWDesign--Ultimate Video Player | Missing Authorization vulnerability in FWDesign Ultimate Video Player allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Video Player: from n/a through 10.1. | 2025-08-15 | 5.3 | CVE-2025-49432 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 15.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users to bypass access controls and download private artifacts by accessing specific API endpoints. | 2025-08-13 | 6.5 | CVE-2024-10219 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 17.7 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that under certain conditions could have allowed authenticated users with specific roles and permissions to delete issues including confidential ones by inviting users with a specific role. | 2025-08-13 | 6.7 | CVE-2024-12303 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 8.14 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an unauthenticated user to create a denial of service condition by sending specially crafted payloads to specific integration API endpoints. | 2025-08-13 | 6.5 | CVE-2025-1477 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 11.6 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed an authenticated user to cause a denial of service condition by creating specially crafted content that consumes excessive server resources when processed. | 2025-08-13 | 6.5 | CVE-2025-2614 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 13.2 before 18.0.6, 18.1 before 18.1.4, and 18.2 before 18.2.2 that could have allowed authenticated users to create a denial of service condition by sending specially crafted markdown payloads to the Wiki feature. | 2025-08-13 | 6.5 | CVE-2025-2937 |
| GitLab--GitLab | An issue has been discovered in GitLab EE affecting all versions from 18.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that could have allowed authenticated users with specific access to bypass merge request approval policies by manipulating approval rule identifiers. | 2025-08-13 | 6.5 | CVE-2025-8770 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 15.7 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that could have allowed authenticated users with developer access to obtain ID tokens for protected branches under certain circumstances. | 2025-08-13 | 5 | CVE-2025-5819 |
| glenwpcoder--Drag and Drop Multiple File Upload for Contact Form 7 | The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.3.9.0 via the wpcf7_guest_user_id cookie. This makes it possible for unauthenticated attackers to upload and delete files outside of the originally intended directory. The impact of this vulnerability is limited, as file types are validated and only safe ones can be uploaded, while deletion is limited to the plugin's uploads folder. | 2025-08-16 | 5.3 | CVE-2025-8464 |
| GoodLayers--Modernize | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoodLayers Modernize allows Stored XSS. This issue affects Modernize: from n/a through 3.4.0. | 2025-08-14 | 6.5 | CVE-2025-53342 |
| GoodLayers--Modernize | Missing Authorization vulnerability in GoodLayers Modernize allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Modernize: from n/a through 3.4.0. | 2025-08-14 | 4.3 | CVE-2025-53343 |
| hakeemnala--Build App Online | Cross-Site Request Forgery (CSRF) vulnerability in hakeemnala Build App Online allows Cross Site Request Forgery. This issue affects Build App Online: from n/a through 1.0.23. | 2025-08-14 | 6.5 | CVE-2025-53249 |
| hashthemes--Easy Elementor Addons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hashthemes Easy Elementor Addons allows DOM-Based XSS. This issue affects Easy Elementor Addons: from n/a through 2.2.6. | 2025-08-14 | 6.5 | CVE-2025-54704 |
| hashthemes--Easy Elementor Addons | Missing Authorization vulnerability in hashthemes Easy Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Elementor Addons: from n/a through 2.2.7. | 2025-08-14 | 4.3 | CVE-2025-54712 |
| HasTech--HT Mega | Missing Authorization vulnerability in HasTech HT Mega allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HT Mega: from n/a through 2.9.0. | 2025-08-14 | 5.4 | CVE-2025-54695 |
| HCL Software--BigFix SaaS Remediate | HCL BigFix SaaS Authentication Service is affected by a sensitive information disclosure. Under certain conditions, error messages disclose sensitive version information about the underlying platform. | 2025-08-15 | 5.3 | CVE-2025-52619 |
| HCL Software--BigFix SaaS Remediate | HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning. The BigFix SaaS's HTTP responses were observed to include the Origin header. Its presence alongside an unvalidated reflection of the Origin header value introduces a potential for cache poisoning. | 2025-08-15 | 5.3 | CVE-2025-52621 |
| HCL Software--BigFix SaaS Remediate | HCL BigFix SaaS Authentication Service is affected by a SQL injection vulnerability. The vulnerability allows potential attackers to manipulate SQL queries. | 2025-08-15 | 4.3 | CVE-2025-52618 |
| HCL Software--BigFix SaaS Remediate | HCL BigFix SaaS Authentication Service is affected by a Cross-Site Scripting (XSS) vulnerability. The image upload functionality inadequately validated the submitted image format. | 2025-08-15 | 4.3 | CVE-2025-52620 |
| HCL Software--Connections Docs | HCL Connections Docs may mishandle validation of certain uploaded documents leading to denial of service due to resource exhaustion. | 2025-08-14 | 4.8 | CVE-2025-31987 |
| helm--helm | Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, when parsing Chart.yaml and index.yaml files, an improper validation of type error can lead to a panic. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring YAML files are formatted as Helm expects prior to processing them with Helm. | 2025-08-13 | 6.5 | CVE-2025-55198 |
| helm--helm | Helm is a package manager for Charts for Kubernetes. Prior to version 3.18.5, it is possible to craft a JSON Schema file in a manner which could cause Helm to use all available memory and have an out of memory (OOM) termination. This issue has been resolved in Helm 3.18.5. A workaround involves ensuring all Helm charts that are being loaded into Helm do not have any reference of $ref pointing to /dev/zero. | 2025-08-13 | 6.5 | CVE-2025-55199 |
| IBM--Storage TS4500 Library | IBM TS4500 1.11.0.0-D00, 1.11.0.1-C00, 1.11.0.2-C00, and 1.10.00-F00 web GUI is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-08-15 | 5.4 | CVE-2025-36088 |
| IBM--WebSphere Application Server | IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security for TLS connections. | 2025-08-14 | 5.3 | CVE-2025-33142 |
| IBM--WebSphere Application Server Liberty | IBM WebSphere Application Server Liberty 18.0.0.2 through 25.0.0.8 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources. | 2025-08-14 | 5.3 | CVE-2025-36047 |
| IBM--WebSphere Application Server Liberty | IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 could allow a remote attacker to bypass security restrictions caused by a failure to honor JMS messaging configuration | 2025-08-12 | 5.9 | CVE-2025-36124 |
| IBM--WebSphere Application Server Liberty | IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-08-12 | 4.4 | CVE-2025-36000 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 6.9.13-27 and 7.1.2-1, there is undefined behavior (function-type-mismatch) in splay tree cloning callback. This results in a deterministic abort under UBSan (DoS in sanitizer builds), with no crash in a non-sanitized build. This issue has been patched in versions 6.9.13-27 and 7.1.2-1. | 2025-08-13 | 6.1 | CVE-2025-55160 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-1, when preparing to transform from Log to sRGB colorspaces, the logmap construction fails to handle cases where the reference-black or reference-white value is larger than 1024. This leads to corrupting memory beyond the end of the allocated logmap buffer. This issue has been patched in version 7.1.2-1. | 2025-08-13 | 5.5 | CVE-2025-55005 |
| imithemes--Eventer | Improper Control of Generation of Code ('Code Injection') vulnerability in imithemes Eventer allows Code Injection. This issue affects Eventer: from n/a through 3.9.6. | 2025-08-14 | 6.5 | CVE-2025-39483 |
| inpersttion--Inpersttion For Theme | The Inpersttion For Theme plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0 via the theme_section_shortcode() function. This is due to the plugin not restricting what functions can be called. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server which is limited to arbitrary functions without any user supplied parameters. | 2025-08-15 | 6.3 | CVE-2025-8905 |
| inspectlet--Inspectlet – User Session Recording and Heatmaps | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in inspectlet Inspectlet – User Session Recording and Heatmaps allows Stored XSS. This issue affects Inspectlet – User Session Recording and Heatmaps: from n/a through 2.0. | 2025-08-14 | 5.9 | CVE-2025-49048 |
| INSTAR--2K+ | A vulnerability was found in INSTAR 2K+ and 4K 3.11.1 Build 1124. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper physical access control. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. | 2025-08-13 | 6.8 | CVE-2025-8762 |
| iqonicdesign--Graphina Elementor Charts and Graphs | The Graphina - Elementor Charts and Graphs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple chart widget parameters in version 3.1.3 and below. This is due to insufficient input sanitization and output escaping on user supplied attributes such as chart categories, titles, and tooltip settings. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-15 | 6.4 | CVE-2025-8867 |
| Ivanti--Connect Secure | Improper handling of symbolic links in Ivanti Connect Secure before version 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a local authenticated attacker to read arbitrary files on disk. | 2025-08-12 | 5.5 | CVE-2025-5468 |
| Ivanti--Connect Secure | XEE in Ivanti Connect Secure before 22.7R2.8 or 22.8R2, Ivanti Policy Secure before 22.7R1.5, Ivanti ZTA Gateway before 22.8R2.3-723 and Ivanti Neurons for Secure Access before 22.8R1.4 (Fix deployed on 02-Aug-2025) allows a remote authenticated attacker with admin privileges to trigger a denial of service | 2025-08-12 | 4.9 | CVE-2025-5466 |
| Ivanti--Virtual Application Delivery ControllerCWE-862 | Missing authorization in the admin console of Ivanti Virtual Application Delivery Controller before version 22.9 allows a remote authenticated attacker to take over admin accounts by resetting the password | 2025-08-12 | 6.5 | CVE-2025-8310 |
| janyksteenbeek--LatestCheckins | The LatestCheckins plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1. This is due to missing or incorrect nonce validation on the 'LatestCheckins' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-16 | 6.1 | CVE-2025-7683 |
| jason-lau--Add User Meta | The Add User Meta plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on the 'add-user-meta' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-15 | 6.1 | CVE-2025-7688 |
| jeecgboot--JimuReport | A vulnerability was determined in jeecgboot JimuReport up to 2.1.1. Affected by this issue is some unknown functionality of the file /drag/onlDragDataSource/testConnection of the component Data Large Screen Template. The manipulation leads to deserialization. The attack may be launched remotely. The vendor response to the GitHub issue report is: "Modified, next version updated". | 2025-08-14 | 6.3 | CVE-2025-8963 |
| Jordy Meow--Photo Engine | Cross-Site Request Forgery (CSRF) vulnerability in Jordy Meow Photo Engine allows Cross Site Request Forgery. This issue affects Photo Engine: from n/a through 6.4.3. | 2025-08-14 | 4.3 | CVE-2025-54672 |
| kadesthemes--WP Airdrop Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kadesthemes WP Airdrop Manager allows Stored XSS. This issue affects WP Airdrop Manager: from n/a through 1.0.5. | 2025-08-14 | 5.9 | CVE-2025-49053 |
| kanboard--kanboard | Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.47, the createTaskFile method in the API does not validate whether the task_id parameter is a valid task id, nor does it check for path traversal. As a result, a malicious actor could write a file anywhere on the system the app user controls. The impact is limited due to the filename being hashed and having no extension. This issue has been patched in version 1.2.47. | 2025-08-12 | 6.4 | CVE-2025-55011 |
| keeross--DigitalOcean Spaces Sync | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in keeross DigitalOcean Spaces Sync allows Stored XSS. This issue affects DigitalOcean Spaces Sync: from n/a through 2.2.1. | 2025-08-14 | 5.9 | CVE-2025-49047 |
| kodeshpa--Simplified | Server-Side Request Forgery (SSRF) vulnerability in kodeshpa Simplified allows Server Side Request Forgery. This issue affects Simplified: from n/a through 1.0.9. | 2025-08-14 | 5.5 | CVE-2025-53241 |
| Laborator--Kalium | Cross-Site Request Forgery (CSRF) vulnerability in Laborator Kalium allows Cross Site Request Forgery. This issue affects Kalium: from n/a through 3.18.3. | 2025-08-14 | 4.3 | CVE-2025-53347 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a reflected cross-site scripting (XSS) vulnerability was identified in the /html/alterar_senha.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the verificacao and redir_config parameter. This issue has been patched in version 3.4.8. | 2025-08-12 | 6.5 | CVE-2025-55170 |
| LCweb--Global Gallery | Missing Authorization vulnerability in LCweb Global Gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Global Gallery: from n/a through 9.2.3. | 2025-08-14 | 6.5 | CVE-2025-52721 |
| Linksys--RE6250 | A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This issue affects the function RP_setBasic of the file /goform/RP_setBasic. The manipulation of the argument bssid leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-11 | 6.3 | CVE-2025-8821 |
| Linksys--RE6250 | A vulnerability was found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected by this vulnerability is the function setDeviceName of the file /goform/setDeviceName. The manipulation of the argument DeviceName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-11 | 6.3 | CVE-2025-8823 |
| Linksys--RE6250 | A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This affects the function RP_setBasicAuto of the file /goform/RP_setBasicAuto. The manipulation of the argument staticIp/staticNetmask leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-11 | 6.3 | CVE-2025-8825 |
| Linksys--RE6250 | A vulnerability was found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This issue affects the function um_inspect_cross_band of the file /goform/RP_setBasicAuto. The manipulation of the argument staticGateway leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-11 | 6.3 | CVE-2025-8827 |
| Linksys--RE6250 | A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected is the function ipv6cmd of the file /goform/setIpv6. The manipulation of the argument Ipv6PriDns/Ipv6SecDns/Ipv6StaticGateway/LanIpv6Addr/LanPrefixLen/pppoeUser/pppoePass/pppoeIdleTime/pppoeRedialPeriod/Ipv6in4_PrefixLen/LocalIpv6/RemoteIpv4/LanIPv6_Prefix/LanPrefixLen/ipv6to4Relay/ipv6rdRelay/tunrd_PrefixLen/wan_UseLinkLocal/Ipv6StaticIp/Ipv6PrefixLen leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-11 | 6.3 | CVE-2025-8828 |
| Linksys--RE6250 | A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected by this vulnerability is the function um_red of the file /goform/RP_setBasicAuto. The manipulation of the argument hname leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-11 | 6.3 | CVE-2025-8829 |
| Linksys--RE6250 | A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected by this issue is the function sub_3517C of the file /goform/setWan. The manipulation of the argument Hostname leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-11 | 6.3 | CVE-2025-8830 |
| linlinjava--litemall | A vulnerability has been found in linlinjava litemall up to 1.8.0. This vulnerability affects the function create of the file litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStorageController.java of the component Endpoint. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 6.3 | CVE-2025-8965 |
| linlinjava--litemall | A vulnerability was identified in linlinjava litemall up to 1.8.0. Affected by this vulnerability is an unknown functionality of the file /admin/config/express of the component Business Logic Handler. The manipulation of the argument litemall_express_freight_min leads to business logic errors. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 4.3 | CVE-2025-8991 |
| lisensee--NetInsight Analytics Implementation Plugin | Cross-Site Request Forgery (CSRF) vulnerability in lisensee NetInsight Analytics Implementation Plugin allows Cross Site Request Forgery. This issue affects NetInsight Analytics Implementation Plugin: from n/a through 1.0.3. | 2025-08-14 | 4.3 | CVE-2025-52767 |
| litonice13--Master Addons Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations | The Master Addons - Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several widgets in all versions up to, and including, 2.0.8.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-12 | 6.4 | CVE-2025-8874 |
| lmyoaoa--weichuncai(WP) | The weichuncai(WP伪春èœ) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the sm-options.php page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-16 | 6.1 | CVE-2025-7686 |
| luuptek--Embed Bokun | The Embed Bokun plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'align' parameter in all versions up to, and including, 0.23 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-16 | 6.4 | CVE-2025-6221 |
| magepeopleteam--WpEvently | Missing Authorization vulnerability in magepeopleteam WpEvently allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpEvently: from n/a through 4.4.6. | 2025-08-14 | 4.3 | CVE-2025-54705 |
| makeplane--plane | Plane is open-source project management software. Prior to version 0.28.0, a stored cross-site scripting (XSS) vulnerability exists in the description_html field of Plane. This flaw allows an attacker to inject malicious JavaScript code that is stored and later executed in other users' browsers. The description_html field is not properly sanitized or escaped. An attacker can submit crafted JavaScript payloads that are saved in the application's database. When another user views the affected content, the injected code executes in their browser, running in the application's context and bypassing standard security protections. Successful exploitation can lead to session hijacking, theft of sensitive information, or forced redirection to malicious sites. The vulnerability can also be chained with CSRF attacks to perform unauthorized actions, or leveraged to distribute malware and exploit additional browser vulnerabilities. This issue has been patched in version 0.28.0. | 2025-08-15 | 5.4 | CVE-2025-55203 |
| masteriyo--Masteriyo - LMS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in masteriyo Masteriyo - LMS allows Stored XSS. This issue affects Masteriyo - LMS: from n/a through 1.18.3. | 2025-08-14 | 6.5 | CVE-2025-54699 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to edit a subscription for a Confluence space the user does not have access for via edit subscription endpoint. | 2025-08-11 | 6.4 | CVE-2025-48731 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body. | 2025-08-11 | 5.9 | CVE-2025-53514 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the Confluence space which allows attackers to create a subscription for a Confluence space the user does not have access to via the create subscription endpoint. | 2025-08-11 | 5 | CVE-2025-54458 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence Plugin version <1.5.0 fails to handle unexpected request body which allows attackers to crash the plugin via constant hit to server webhook endpoint with an invalid request body. | 2025-08-11 | 5.9 | CVE-2025-54463 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the Get Channel Subscriptions details endpoint. | 2025-08-11 | 4 | CVE-2025-44001 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create a channel subscription without proper access to the channel via API call to the edit channel subscription endpoint. | 2025-08-11 | 4 | CVE-2025-53910 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to create channel subscription without proper access to the channel via API call to the create channel subscription endpoint. | 2025-08-11 | 4 | CVE-2025-8285 |
| mdempfle--Advanced iFrame | The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'additional' parameter in version less than, or equal to, 2025.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-16 | 5.4 | CVE-2025-8089 |
| Michael Nelson--Print My Blog | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michael Nelson Print My Blog allows Stored XSS. This issue affects Print My Blog: from n/a through 3.27.9. | 2025-08-14 | 6.5 | CVE-2025-54740 |
| Microsoft--Azure Stack Hub | Exposure of private personal information to an unauthorized actor in Azure Stack allows an authorized attacker to disclose information locally. | 2025-08-12 | 4.4 | CVE-2025-53765 |
| Microsoft--Microsoft Dynamics 365 (on-premises) version 9.1 | Exposure of sensitive information to an unauthorized actor in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to disclose information over a network. | 2025-08-12 | 6.5 | CVE-2025-53728 |
| Microsoft--Microsoft Dynamics 365 (on-premises) version 9.1 | Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Dynamics 365 (on-premises) allows an unauthorized attacker to perform spoofing over a network. | 2025-08-12 | 5.4 | CVE-2025-49745 |
| Microsoft--Microsoft Edge for Android | The ui performs the wrong action in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network. | 2025-08-12 | 4.3 | CVE-2025-49736 |
| Microsoft--Microsoft Edge for Android | User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network. | 2025-08-12 | 4.3 | CVE-2025-49755 |
| Microsoft--Microsoft Exchange Server 2019 Cumulative Update 14 | Improper input validation in Microsoft Exchange Server allows an authorized attacker to perform tampering over a network. | 2025-08-12 | 6.5 | CVE-2025-25005 |
| Microsoft--Microsoft Exchange Server 2019 Cumulative Update 15 | Improper handling of additional special element in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | 2025-08-12 | 5.3 | CVE-2025-25006 |
| Microsoft--Microsoft Exchange Server Subscription Edition RTM | Improper validation of syntactic correctness of input in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | 2025-08-12 | 5.3 | CVE-2025-25007 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Buffer over-read in Microsoft Office Word allows an unauthorized attacker to disclose information locally. | 2025-08-12 | 6.8 | CVE-2025-53736 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | 2025-08-12 | 6.7 | CVE-2025-49743 |
| Microsoft--Windows 10 Version 1809 | Missing synchronization in Windows Hyper-V allows an authorized attacker to deny service over an adjacent network. | 2025-08-12 | 6.8 | CVE-2025-49751 |
| Microsoft--Windows 10 Version 1809 | Integer overflow or wraparound in Windows Distributed Transaction Coordinator allows an authorized attacker to disclose information over a network. | 2025-08-12 | 6.5 | CVE-2025-50166 |
| Microsoft--Windows 10 Version 1809 | Allocation of resources without limits or throttling in Windows DirectX allows an authorized attacker to deny service over a network. | 2025-08-12 | 6.5 | CVE-2025-50172 |
| Microsoft--Windows 10 Version 1809 | Null pointer dereference in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network. | 2025-08-12 | 6.5 | CVE-2025-53716 |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows NT OS Kernel allows an authorized attacker to disclose information locally. | 2025-08-12 | 5.5 | CVE-2025-53136 |
| Microsoft--Windows Security App | External control of file name or path in Windows Security App allows an authorized attacker to perform spoofing locally. | 2025-08-12 | 5.5 | CVE-2025-53769 |
| Microsoft--Windows Server 2019 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network. | 2025-08-12 | 5.7 | CVE-2025-50156 |
| Microsoft--Windows Server 2019 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network. | 2025-08-12 | 5.7 | CVE-2025-50157 |
| Microsoft--Windows Server 2019 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network. | 2025-08-12 | 5.7 | CVE-2025-53138 |
| Microsoft--Windows Server 2019 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network. | 2025-08-12 | 5.7 | CVE-2025-53148 |
| Microsoft--Windows Server 2019 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network. | 2025-08-12 | 5.7 | CVE-2025-53153 |
| Microsoft--Windows Server 2019 | Use of uninitialized resource in Windows Routing and Remote Access Service (RRAS) allows an authorized attacker to disclose information over a network. | 2025-08-12 | 5.7 | CVE-2025-53719 |
| Microsoft--Windows Server 2025 (Server Core installation) | Exposure of sensitive information to an unauthorized actor in Storage Port Driver allows an authorized attacker to disclose information locally. | 2025-08-12 | 5.5 | CVE-2025-53156 |
| mklacroix--Product Configurator for WooCommerce | Cross-Site Request Forgery (CSRF) vulnerability in mklacroix Product Configurator for WooCommerce allows Cross Site Request Forgery. This issue affects Product Configurator for WooCommerce: from n/a through 1.4.4. | 2025-08-14 | 5.4 | CVE-2025-54674 |
| morehawes--Plugin README Parser | The Plugin README Parser plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'target' parameter in all versions up to, and including, 1.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-15 | 6.4 | CVE-2025-8720 |
| moshensky--CF7 Spreadsheets | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in moshensky CF7 Spreadsheets allows Stored XSS. This issue affects CF7 Spreadsheets: from n/a through 2.3.2. | 2025-08-14 | 6.5 | CVE-2025-50040 |
| motov.net--Ebook Store | Cross-Site Request Forgery (CSRF) vulnerability in motov.net Ebook Store allows Cross Site Request Forgery. This issue affects Ebook Store: from n/a through 5.8013. | 2025-08-14 | 4.3 | CVE-2025-54702 |
| mtons--mblog | A vulnerability has been found in mtons mblog up to 3.5.0. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 4.3 | CVE-2025-8992 |
| n/a--AI Playground software | Incorrect default permissions for some AI Playground software before version v2.3.0 alpha may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-27559 |
| n/a--BuzzFeed App | A security vulnerability has been detected in BuzzFeed App 2024.9 on Android. This affects an unknown part of the file AndroidManifest.xml of the component com.buzzfeed.android. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-08-17 | 5.3 | CVE-2025-9093 |
| n/a--Clock Jitter Tool software | Uncontrolled search path for some Clock Jitter Tool software before version 6.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-20092 |
| n/a--Device Plugins for Kubernetes software maintained by Intel | Improper access control for some Device Plugins for Kubernetes software maintained by Intel before version 0.32.0 may allow a privileged user to potentially enable denial of service via local access. | 2025-08-12 | 4.4 | CVE-2025-24313 |
| n/a--Edge Orchestrator software | Improper neutralization for some Edge Orchestrator software before version 24.11.1 for Intel(R) Tiber(TM) Edge Platform may allow an unauthenticated user to potentially enable information disclosure via adjacent access. | 2025-08-12 | 6.6 | CVE-2025-24921 |
| n/a--Edge Orchestrator software | Improper access control for some Edge Orchestrator software before version 24.11.1 for Intel(R) Tiber(TM) Edge Platform may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access. | 2025-08-12 | 5.8 | CVE-2025-24840 |
| n/a--Edge Orchestrator software | Uncontrolled resource consumption for some Edge Orchestrator software before version 24.11.1 for Intel(R) Tiber(TM) Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access. | 2025-08-12 | 5.7 | CVE-2025-26472 |
| n/a--Edge Orchestrator software | Improper input validation for some Edge Orchestrator software before version 24.11.1 for Intel(R) Tiber(TM) Edge Platform may allow an authenticated user to potentially enable escalation of privilege via adjacent access. | 2025-08-12 | 5.5 | CVE-2025-27537 |
| N/A--Fedora | The Fedora Secure Boot CA certificate shipped with shim in Fedora was expired which could lead to old or invalid signed boot components being loaded. | 2025-08-15 | 4.1 | CVE-2023-5342 |
| n/a--firmware for the Intel(R) E810 Ethernet | Improper input validation in some firmware for the Intel(R) E810 Ethernet before version 4.6 may allow a privileged user to enable denial of service via local access. | 2025-08-12 | 6 | CVE-2025-24296 |
| n/a--firmware package and LED mode toggle tool for some Intel(R) PCIe Switch software | Improper access control in some firmware package and LED mode toggle tool for some Intel(R) PCIe Switch software before version MR4_1.0b1 may allow a privileged user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.5 | CVE-2025-24323 |
| n/a--Intel(R) AI for Enterprise Retrieval-augmented Generation software | Uncontrolled search path in some Intel(R) AI for Enterprise Retrieval-augmented Generation software may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-24923 |
| n/a--Intel(R) AMT and Intel(R) Standard Manageability | Out-of-bounds read in firmware for some Intel(R) AMT and Intel(R) Standard Manageability may allow a privileged user to potentially enable information disclosure via network access. | 2025-08-12 | 4.4 | CVE-2025-22392 |
| n/a--Intel(R) Arc(TM) B-Series graphics | Protection mechanism failure in the Intel(R) Graphics Driver for the Intel(R) Arc(TM) B-Series graphics before version 32.0.101.6737 may allow an authenticated user to potentially enable denial of service via local access. | 2025-08-12 | 6.5 | CVE-2025-24835 |
| n/a--Intel(R) CSME and Intel(R) SPS | Observable timing discrepancy in firmware for some Intel(R) CSME and Intel(R) SPS may allow a privileged user to potentially enable information disclosure via local access. | 2025-08-12 | 6 | CVE-2025-20067 |
| n/a--Intel(R) Distribution for Python software installers | Incorrect default permissions for some Intel(R) Distribution for Python software installers before version 2025.1.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-26470 |
| n/a--Intel(R) Driver & Support Assistant Tool software | Uncontrolled search path element for some Intel(R) Driver & Support Assistant Tool software before version 24.6.49.8 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-21093 |
| n/a--Intel(R) DSA software | Uncontrolled search path for some Intel(R) DSA software before version 25.2.15.9 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-26404 |
| n/a--Intel(R) Graphics Driver software | Uncontrolled search path for some Intel(R) Graphics Driver software may allow an authenticated user to potentially enable escalation of privilege via local access | 2025-08-12 | 6.7 | CVE-2025-27717 |
| n/a--Intel(R) Graphics Driver software installers | Incorrect default permissions for some Intel(R) Graphics Driver software installers may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-20023 |
| n/a--Intel(R) Graphics Drivers | NULL pointer dereference for some Intel(R) Graphics Drivers may allow an authenticated user to potentially enable denial of service via local access. | 2025-08-12 | 6.5 | CVE-2025-24515 |
| n/a--Intel(R) oneAPI DPC++/C++ Compiler software | Uncontrolled search path for some Intel(R) oneAPI DPC++/C++ Compiler software before version 2025.0.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-20627 |
| n/a--Intel(R) oneAPI DPC++/C++ Compiler software installers | Incorrect default permissions for some Intel(R) oneAPI DPC++/C++ Compiler software installers may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-20087 |
| n/a--Intel(R) oneAPI Toolkit and component software installers | Uncontrolled search path for some Intel(R) oneAPI Toolkit and component software installers may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-20017 |
| n/a--Intel(R) QuickAssist Technology software | Untrusted Pointer Dereference for some Intel(R) QuickAssist Technology software before version 2.5.0 may allow an authenticated user to potentially enable denial of service via local access. | 2025-08-12 | 5.5 | CVE-2025-20090 |
| n/a--Intel(R) Rapid Storage Technology installation software | Improper access control for some Intel(R) Rapid Storage Technology installation software may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-20099 |
| n/a--Intel(R) RealSense(TM) Dynamic Calibrator software | Uncontrolled search path for some Intel(R) RealSense(TM) Dynamic Calibrator software before version 2.14.2.0 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-22838 |
| n/a--Intel(R) reference server platforms | Missing release of memory after effective lifetime in the UEFI OobRasMmbiHandlerDriver module for some Intel(R) reference server platforms may allow a privileged user to enable denial of service via local access. | 2025-08-12 | 5.3 | CVE-2025-20077 |
| n/a--Intel(R) TDX Module firmware | Improper locking for some Intel(R) TDX Module firmware before version 1.5.13 may allow a privileged user to potentially enable escalation of privilege via local access. | 2025-08-12 | 4.1 | CVE-2025-20044 |
| n/a--Intel(R) TDX module software | Out-of-bounds read in some Intel(R) TDX module software before version TDX_1.5.07.00.774 may allow an authenticated user to potentially enable information disclosure via local access. | 2025-08-12 | 5.6 | CVE-2024-33607 |
| n/a--Intel(R) Trace Analyzer and Collector software | Uncontrolled search path for the Intel(R) Trace Analyzer and Collector software all verions may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-20048 |
| n/a--Intel(R) Xeon(R) processors | Missing reference to active allocated resource for some Intel(R) Xeon(R) processors may allow an authenticated user to potentially enable denial of service via local access. | 2025-08-12 | 6.5 | CVE-2025-21090 |
| n/a--JasPer | A vulnerability was identified in JasPer up to 4.2.5. This affects the function jpc_dec_dump of the file src/libjasper/jpc/jpc_dec.c of the component JPEG2000 File Handler. The manipulation leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The patch is named 8308060d3fbc1da10353ac8a95c8ea60eba9c25a. It is recommended to apply a patch to fix this issue. | 2025-08-11 | 5.3 | CVE-2025-8837 |
| n/a--jshERP | A vulnerability was found in jshERP up to 3.5. This issue affects some unknown processing of the file /jshERP-boot/user/addUser of the component Endpoint. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-11 | 6.3 | CVE-2025-8839 |
| n/a--jshERP | A vulnerability was determined in jshERP up to 3.5. Affected is an unknown function of the file /jshERP-boot/user/deleteBatch of the component Endpoint. The manipulation of the argument ids leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Different than CVE-2025-7947. | 2025-08-11 | 5.4 | CVE-2025-8840 |
| n/a--LemonOS | A vulnerability was determined in LemonOS up to nightly-2024-07-12 on LemonOS. Affected by this issue is the function HTTPGet of the file /Applications/Steal/main.cpp of the component HTTP Client. The manipulation of the argument chunkSize leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 5.3 | CVE-2025-9001 |
| n/a--LibTIFF | A vulnerability was determined in LibTIFF up to 4.5.1. Affected by this issue is the function readSeparateStripsetoBuffer of the file tools/tiffcrop.c of the component tiffcrop. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The patch is identified as 8a7a48d7a645992ca83062b3a1873c951661e2b3. It is recommended to apply a patch to fix this issue. | 2025-08-11 | 5.3 | CVE-2025-8851 |
| n/a--ThingsBoard | A vulnerability was detected in ThingsBoard 4.1. This vulnerability affects unknown code of the component Add Gateway Handler. The manipulation leads to improper neutralization of special elements used in a template engine. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor replies, that "[t]he fix will come within upcoming release (v4.2) and will be inherited by maintenance releases of LTS versions (starting 4.0)." | 2025-08-17 | 4.3 | CVE-2025-9094 |
| n/a--TinyCBOR libraries maintained by Intel(R) | Uncontrolled recursion for some TinyCBOR libraries maintained by Intel(R) before version 0.6.1 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 6.7 | CVE-2025-24302 |
| n/a--TinyCBOR libraries maintained by Intel(R) | Uncontrolled recursion for some TinyCBOR libraries maintained by Intel(R) before version 0.6.1 may allow an authenticated user to potentially enable denial of service via local access. | 2025-08-12 | 4.4 | CVE-2025-20025 |
| NASM--Netwide Assember | A vulnerability has been found in NASM Netwide Assember 2.17rc0. Affected by this issue is the function do_directive of the file preproc.c. The manipulation leads to use after free. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-08-11 | 5.3 | CVE-2025-8842 |
| NASM--Netwide Assember | A vulnerability was found in NASM Netwide Assember 2.17rc0. This affects the function macho_no_dead_strip of the file outmacho.c. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. | 2025-08-11 | 5.3 | CVE-2025-8843 |
| NASM--Netwide Assember | A vulnerability was identified in NASM Netwide Assember 2.17rc0. This issue affects the function assemble_file of the file nasm.c. The manipulation leads to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. | 2025-08-11 | 5.3 | CVE-2025-8845 |
| NASM--Netwide Assember | A vulnerability has been found in NASM Netwide Assember 2.17rc0. Affected is the function parse_line of the file parser.c. The manipulation leads to stack-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-08-11 | 5.3 | CVE-2025-8846 |
| nikelschubert--Easy restaurant menu manager | The Easy restaurant menu manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.2. This is due to missing or incorrect nonce validation on the nsc_eprm_save_menu() function. This makes it possible for unauthenticated attackers to upload a menu file via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-13 | 4.3 | CVE-2025-8491 |
| nimeshrmr--WP Private Content Plus | The WP Private Content Plus plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'validate_restrictions' function. This makes it possible for unauthenticated attackers to extract sensitive data including the content of resticted posts on archive and feed pages. | 2025-08-12 | 5.3 | CVE-2025-4390 |
| ninjateam--File Manager Pro Filester | Several WordPress plugins using elFinder versions 2.1.64 and prior are vulnerable to Directory Traversal in various versions. This makes it possible for unauthenticated attackers to delete arbitrary files. Successful exploitation of this vulnerability requires a site owner to explicitly make an instance of the file manager available to users. | 2025-08-13 | 6.5 | CVE-2025-0818 |
| Noor Alam--Magical Posts Display | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor Alam Magical Posts Display allows DOM-Based XSS. This issue affects Magical Posts Display: from n/a through 1.2.52. | 2025-08-14 | 6.5 | CVE-2025-54706 |
| NordicMade--Savoy | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in NordicMade Savoy allows Retrieve Embedded Sensitive Data. This issue affects Savoy: from n/a through 3.0.8. | 2025-08-14 | 5.3 | CVE-2025-54736 |
| oceanwp--OceanWP | The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_button_click() function. This makes it possible for unauthenticated attackers to install the Ocean Extra plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-13 | 4.3 | CVE-2025-8891 |
| odn--Mosaic Generator | The Mosaic Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'c' parameter in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-12 | 6.4 | CVE-2025-8621 |
| ome--omero-web | OMERO.web provides a web based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user. This issue has been patched in version 5.29.2. A workaround involves disabling the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property. | 2025-08-13 | 5.3 | CVE-2025-54791 |
| Omnissa--Omnissa Workspace ONE UEM | Omnissa Workspace ONE UEM contains a Server-Side Request Forgery (SSRF) Vulnerability. A malicious actor with user privileges may be able to access restricted internal system information, potentially enabling enumeration of internal network resources. | 2025-08-11 | 5.4 | CVE-2025-25229 |
| PARETO Digital--Embedder for Google Reviews | Missing Authorization vulnerability in PARETO Digital Embedder for Google Reviews allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Embedder for Google Reviews: from n/a through 1.7.3. | 2025-08-14 | 5.3 | CVE-2025-54730 |
| Part-DB--Part-DB-server | Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user's profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3. | 2025-08-13 | 5.7 | CVE-2025-55194 |
| pencidesign--Soledad | The Soledad theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pcsml_smartlists_h' parameter in all versions up to, and including, 8.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-16 | 6.4 | CVE-2025-8143 |
| perteus--Porn Videos Embed | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in perteus Porn Videos Embed allows Stored XSS. This issue affects Porn Videos Embed: from n/a through 0.9.1. | 2025-08-14 | 6.5 | CVE-2025-49061 |
| PHPGurukul--Zoo Management System | A vulnerability has been found in PHPGurukul Zoo Management System 2.1. This vulnerability affects unknown code of the file /admin/add-foreigner-ticket.php. The manipulation of the argument visitorname leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 4.3 | CVE-2025-9017 |
| pl4g4--WP-Database-Optimizer-Tools | Cross-Site Request Forgery (CSRF) vulnerability in pl4g4 WP-Database-Optimizer-Tools allows Cross Site Request Forgery. This issue affects WP-Database-Optimizer-Tools: from n/a through 0.2. | 2025-08-14 | 5.4 | CVE-2025-53219 |
| POSIMYTH--Nexter Blocks | Missing Authorization vulnerability in POSIMYTH Nexter Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexter Blocks: from n/a through 4.5.4. | 2025-08-14 | 5.3 | CVE-2025-54739 |
| POSIMYTH--The Plus Addons for Elementor Page Builder Lite | Missing Authorization vulnerability in POSIMYTH The Plus Addons for Elementor Page Builder Lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Plus Addons for Elementor Page Builder Lite: from n/a through 6.3.13. | 2025-08-14 | 6.5 | CVE-2025-55712 |
| prabode--GMap Generator | The GMap Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'h' parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-12 | 6.4 | CVE-2025-8568 |
| PressForward--PressForward | Server-Side Request Forgery (SSRF) vulnerability in PressForward PressForward allows Server Side Request Forgery. This issue affects PressForward: from n/a through 5.9.1. | 2025-08-14 | 6.4 | CVE-2025-28987 |
| Prince--Integrate Google Drive | Cross-Site Request Forgery (CSRF) vulnerability in Prince Integrate Google Drive allows Cross Site Request Forgery. This issue affects Integrate Google Drive: from n/a through 1.5.2. | 2025-08-14 | 4.3 | CVE-2025-54703 |
| properfraction--Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content ProfilePress | The The Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content - ProfilePress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 4.16.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2025-08-16 | 6.5 | CVE-2025-8878 |
| PX4--PX4-Autopilot | A vulnerability was found in PX4 PX4-Autopilot up to 1.15.4. This issue affects the function MavlinkReceiver::handle_message_serial_control of the file src/modules/mavlink/mavlink_receiver.cpp of the component Mavlink Shell Closing Handler. The manipulation of the argument _mavlink_shell leads to use after free. An attack has to be approached locally. The complexity of an attack is rather high. The exploitation is known to be difficult. The identifier of the patch is 4395d4f00c49b888f030f5b43e2a779f1fa78708. It is recommended to apply a patch to fix this issue. | 2025-08-15 | 4.5 | CVE-2025-9020 |
| RadiusTheme--Classified Listing | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RadiusTheme Classified Listing allows Code Injection. This issue affects Classified Listing: from n/a through 5.0.0. | 2025-08-14 | 5.4 | CVE-2025-54698 |
| remysharp--Last.fm Recent Album Artwork | The Last.fm Recent Album Artwork plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing or incorrect nonce validation on the 'lastfm_albums_artwork.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-16 | 6.1 | CVE-2025-7684 |
| reubenthiessen--Translate This gTranslate Shortcode | The Translate This gTranslate Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'base_lang' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-16 | 6.4 | CVE-2025-8719 |
| risetheme--RT Easy Builder Advanced addons for Elementor | The RT Easy Builder - Advanced addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the social URL parameter in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-12 | 6.4 | CVE-2025-8462 |
| Saad Iqbal--myCred | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred allows Stored XSS. This issue affects myCred: from n/a through 2.9.4.3. | 2025-08-14 | 6.5 | CVE-2025-54668 |
| Saad Iqbal--myCred | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Saad Iqbal myCred allows Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions. This issue affects myCred: from n/a through 2.9.4.3. | 2025-08-14 | 5.3 | CVE-2025-54667 |
| SAP_SE--ABAP Platform | Due to a missing authorization check in the ABAP Platform, an authenticated user with elevated privileges could bypass authorization restrictions for common transactions by leveraging the SQL Console. This could enable an attacker to access and read the contents of database tables without proper authorization, leading to a significant compromise of data confidentiality. However, the integrity and availability of the system remain unaffected. | 2025-08-12 | 4.9 | CVE-2025-42949 |
| SAP_SE--SAP GUI for Windows | SAP GUI for Windows may allow the leak of NTML hashes when specific ABAP frontend services are called with UNC paths. For a successful attack, the attacker needs developer authorization in a specific Application Server ABAP to make changes in the code, and the victim needs to execute by using SAP GUI for Windows. This could trigger automatic NTLM authentication, potentially exposing hashed credentials to an attacker. As a result, it has a high impact on the confidentiality. | 2025-08-12 | 4.5 | CVE-2025-42943 |
| SAP_SE--SAP NetWeaver ABAP Platform | Due to a Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Platform, an unauthenticated attacker could generate a malicious link and make it publicly accessible. If an authenticated user clicks on this link, the injected input is processed during the website�s page generation, resulting in the creation of malicious content. When this malicious content gets executed, the attacker could gain the ability to access/modify information within the scope of victim�s browser. | 2025-08-12 | 6.1 | CVE-2025-42948 |
| SAP_SE--SAP NetWeaver Application Server ABAP | SAP NetWeaver Application Server ABAP has HTML injection vulnerability. Due to this, an attacker could craft a URL with malicious script as payload and trick a victim with active user session into executing it. Upon successful exploit, this vulnerability could lead to limited access to data or its manipulation. There is no impact on availability. | 2025-08-12 | 6.1 | CVE-2025-42945 |
| SAP_SE--SAP NetWeaver Application Server ABAP (BIC Document) | SAP NetWeaver Application Server ABAP (BIC Document) allows an unauthenticated attacker to craft a URL link which, when accessed on the BIC Document application, embeds a malicious script. When a victim clicks on this link, the script executes in the victim's browser, allowing the attacker to access and/or modify information related to the web client without affecting availability. | 2025-08-12 | 6.1 | CVE-2025-42975 |
| SAP_SE--SAP NetWeaver Application Server for ABAP | SAP NetWeaver Application Server for ABAP has cross-site scripting vulnerability. Due to this, an unauthenticated attacker could craft a URL embedded with malicious script and trick an unauthenticated victim to click on it to execute the script. Upon successful exploitation, the attacker could access and modify limited information within the scope of victim's browser. This vulnerability has no impact on availability of the application. | 2025-08-12 | 6.1 | CVE-2025-42942 |
| SAP_SE--SAP NetWeaver Application Server for ABAP | The SAP NetWeaver Application Server for ABAP does not enable an administrator to assign distinguished authorizations for different user roles, this issue allows authenticated users to access restricted objects in the barcode interface, leading to privilege escalation. This results in a low impact on the confidentiality and integrity of the application, there is no impact on availability. | 2025-08-12 | 5.4 | CVE-2025-42936 |
| SAP_SE--SAP NetWeaver AS for ABAP and ABAP Platform(Internet Communication Manager) | The SAP NetWeaver Application Server ABAP and ABAP Platform Internet Communication Manager (ICM) permits authorized users with admin privileges and local access to log files to read sensitive information, resulting in information disclosure. This leads to high impact on the confidentiality of the application, with no impact on integrity or availability. | 2025-08-12 | 4.1 | CVE-2025-42935 |
| SAP_SE--SAP S/4HANA (Bank Communication Management) | Due to directory traversal vulnerability in SAP S/4HANA (Bank Communication Management), an attacker with high privileges and access to a specific transaction and method in Bank Communication Management could gain unauthorized access to sensitive operating system files. This could allow the attacker to potentially read or delete these files hence causing a high impact on confidentiality and low impact on integrity. There is no impact on availability of the system. | 2025-08-12 | 6.9 | CVE-2025-42946 |
| SAP_SE--SAP S/4HANA (Supplier invoice) | SAP S/4HANA Supplier invoice is vulnerable to CRLF Injection. An attacker with user-level privileges can bypass the allowlist and insert untrusted sites into the 'Trusted Sites' configuration by injecting line feed (LF) characters into application inputs. This vulnerability has a low impact on the application's integrity and no impact on confidentiality or availability. | 2025-08-12 | 4.3 | CVE-2025-42934 |
| Shahjada--WPDM Premium Packages | Cross-Site Request Forgery (CSRF) vulnerability in Shahjada WPDM - Premium Packages allows Cross Site Request Forgery. This issue affects WPDM - Premium Packages: from n/a through 6.0.2. | 2025-08-14 | 4.3 | CVE-2025-54732 |
| Shanghai Lingdang Information Technology--Lingdang CRM | A vulnerability was determined in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.5.4. Affected by this issue is some unknown functionality of the file crm/WeiXinApp/yunzhijia/event.php. The manipulation of the argument openid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 8.6.5 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "All SQL injection vectors were patched via parameterized queries and input sanitization in v8.6.5+." | 2025-08-13 | 6.3 | CVE-2025-8908 |
| Siemens--POWER METER SICAM Q100 | A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q200 family (All versions >= V2.70 < V2.80). Affected devices store the password for the SMTP account as plain text. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes. | 2025-08-12 | 6.2 | CVE-2025-40752 |
| Siemens--POWER METER SICAM Q100 | A vulnerability has been identified in POWER METER SICAM Q100 (7KG9501-0AA01-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA01-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-0AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q100 (7KG9501-0AA31-2AA1) (All versions >= V2.60 < V2.62), POWER METER SICAM Q200 family (All versions >= V2.70 < V2.80). Affected devices export the password for the SMTP account as plain text in the Configuration File. This could allow an authenticated local attacker to extract it and use the configured SMTP service for arbitrary purposes. | 2025-08-12 | 6.2 | CVE-2025-40753 |
| Siemens--RUGGEDCOM ROX MX5000 | A vulnerability has been identified in RUGGEDCOM ROX MX5000 (All versions), RUGGEDCOM ROX MX5000RE (All versions), RUGGEDCOM ROX RX1400 (All versions), RUGGEDCOM ROX RX1500 (All versions), RUGGEDCOM ROX RX1501 (All versions), RUGGEDCOM ROX RX1510 (All versions), RUGGEDCOM ROX RX1511 (All versions), RUGGEDCOM ROX RX1512 (All versions), RUGGEDCOM ROX RX1524 (All versions), RUGGEDCOM ROX RX1536 (All versions), RUGGEDCOM ROX RX5000 (All versions). The affected devices do not properly enforce the restriction of files that can be uploaded from the web interface. This could allow an authenticated remote attacker with high privileges in the web interface to upload arbitrary files. | 2025-08-12 | 4.1 | CVE-2025-33023 |
| Siemens--SIMATIC RTLS Locating Manager | A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V3.3). Affected devices do not properly validate input sent to its listening port on the local loopback interface. This could allow an unauthenticated local attacker to cause a denial of service condition. | 2025-08-12 | 6.2 | CVE-2025-30034 |
| Siemens--SIMATIC RTLS Locating Manager | A vulnerability has been identified in SIMATIC RTLS Locating Manager (All versions < V3.3). Affected SIMATIC RTLS Locating Manager Report Clients do not properly protect credentials that are used to authenticate to the server. This could allow an authenticated local attacker to extract the credentials and use them to escalate their access rights from the Manager to the Systemadministrator role. | 2025-08-12 | 6.3 | CVE-2025-40751 |
| Siemens--SIMOTION SCOUT TIA V5.4 | A vulnerability has been identified in SIMOTION SCOUT TIA V5.4 (All versions), SIMOTION SCOUT TIA V5.5 (All versions), SIMOTION SCOUT TIA V5.6 (All versions < V5.6 SP1 HF7), SIMOTION SCOUT TIA V5.7 (All versions < V5.7 SP1 HF1), SIMOTION SCOUT V5.4 (All versions), SIMOTION SCOUT V5.5 (All versions), SIMOTION SCOUT V5.6 (All versions < V5.6 SP1 HF7), SIMOTION SCOUT V5.7 (All versions < V5.7 SP1 HF1), SINAMICS STARTER V5.5 (All versions), SINAMICS STARTER V5.6 (All versions), SINAMICS STARTER V5.7 (All versions). The affected application contains a XML External Entity Injection (XXE) vulnerability while parsing specially crafted XML files. This could allow an attacker to read arbitrary files in the system. | 2025-08-12 | 5.5 | CVE-2025-40584 |
| Siemens--SINEC Traffic Analyzer | A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V3.0). The affected application runs docker containers without adequate resource and security limitations. This could allow an attacker to perform a denial-of-service (DoS) attack. | 2025-08-12 | 5.5 | CVE-2025-40766 |
| Siemens--SmartClient modules Opcenter QL Home (SC) | A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application support insecure TLS 1.0 and 1.1 protocol. An attacker could achieve a man-in-the-middle attack and compromise confidentiality and integrity of data. | 2025-08-12 | 6.4 | CVE-2024-41986 |
| Siemens--SmartClient modules Opcenter QL Home (SC) | A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not have adequate encryption of sensitive information. This could allow an authenticated attacker to gain access of sensitive information. | 2025-08-12 | 4.8 | CVE-2024-41982 |
| SolarWinds--Database Performance Analyzer | SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key. If exploited, this vulnerability could lead to a machine-in-the-middle (MITM) attack against users. This vulnerability requires additional software not installed by default, local access to the server and administrator level privileges on the host. | 2025-08-12 | 5.6 | CVE-2025-26398 |
| Sparkle Themes--Blogger Buzz | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sparkle Themes Blogger Buzz allows Stored XSS. This issue affects Blogger Buzz: from n/a through 1.2.6. | 2025-08-14 | 6.5 | CVE-2025-54680 |
| stefanoai--Advanced Google Universal Analytics | Missing Authorization vulnerability in stefanoai Advanced Google Universal Analytics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced Google Universal Analytics: from n/a through 1.0.3. | 2025-08-14 | 6.5 | CVE-2025-28962 |
| Steve Burge--TaxoPress | Insertion of Sensitive Information Into Sent Data vulnerability in Steve Burge TaxoPress allows Retrieve Embedded Sensitive Data. This issue affects TaxoPress: from n/a through 3.37.2. | 2025-08-14 | 4.3 | CVE-2025-55710 |
| Stylemix--Motors | Authorization Bypass Through User-Controlled Key vulnerability in Stylemix Motors allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motors: from n/a through 1.4.80. | 2025-08-14 | 5.3 | CVE-2025-54691 |
| surbma--Surbma | Recent Comments Shortcode | The Surbma | Recent Comments Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'recent-comments' shortcode in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-16 | 6.4 | CVE-2025-7649 |
| syedamirhussain91--DB Backup | Missing Authorization vulnerability in syedamirhussain91 DB Backup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DB Backup: from n/a through 6.0. | 2025-08-14 | 6.5 | CVE-2025-50031 |
| techlabpro1--Radius Blocks WordPress Gutenberg Blocks | The Radius Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'subHeadingTagName' parameter in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-15 | 6.4 | CVE-2025-5844 |
| Tenda--AC15 | A vulnerability was identified in Tenda AC15 15.13.07.13. Affected by this vulnerability is the function check_fw_type/split_fireware/check_fw of the component Firmware Update Handler. The manipulation leads to insufficient verification of data authenticity. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 6.6 | CVE-2025-8979 |
| Tenda--AC20 | A vulnerability was identified in Tenda AC20 16.03.08.12. Affected is the function websFormDefine of the file /goform/telnet of the component Telnet Service. The manipulation leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-17 | 6.3 | CVE-2025-9090 |
| Tenda--G1 | A vulnerability has been found in Tenda G1 16.01.7.8(3660). Affected by this issue is the function check_upload_file of the component Firmware Update Handler. The manipulation leads to insufficient verification of data authenticity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 6.6 | CVE-2025-8980 |
| ThanhD--Supermalink | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThanhD Supermalink allows DOM-Based XSS. This issue affects Supermalink: from n/a through 1.1. | 2025-08-14 | 6.5 | CVE-2025-49433 |
| Theerawat Patthawee--Intl DateTime Calendar | The Intl DateTime Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'date' parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-16 | 6.4 | CVE-2025-8293 |
| themefunction--WordPress Event Manager, Event Calendar and Booking Plugin | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themefunction WordPress Event Manager, Event Calendar and Booking Plugin allows Stored XSS. This issue affects WordPress Event Manager, Event Calendar and Booking Plugin: from n/a through 4.0.24. | 2025-08-14 | 6.5 | CVE-2025-52730 |
| Themovation--Stratus | Missing Authorization vulnerability in Themovation Stratus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stratus: from n/a through 4.2.5. | 2025-08-14 | 4.3 | CVE-2025-53341 |
| TianoCore--EDK2 | EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. A successful exploitation of this vulnerability may lead to denial of service. | 2025-08-12 | 6.3 | CVE-2024-38805 |
| timothyja--Linux Promotional Plugin | The Linux Promotional Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the 'inux-promotional-plugin.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-08-16 | 6.1 | CVE-2025-7668 |
| TOTOLINK--N350R | A vulnerability has been found in TOTOLINK N350R 1.2.3-B20130826. This vulnerability affects unknown code of the file /boafrm/formSysCmd. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 6.3 | CVE-2025-8937 |
| TOTOLINK--N350R | A vulnerability was found in TOTOLINK N350R 1.2.3-B20130826. This issue affects the function formSysTel of the file /boafrm/formSysTel of the component Telnet Service. The manipulation of the argument TelEnabled leads to backdoor. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 6.3 | CVE-2025-8938 |
| vcita--Online Booking & Scheduling Calendar for WordPress by vcita | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita allows Stored XSS. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through 4.5.3. | 2025-08-14 | 6.5 | CVE-2025-54676 |
| VeronaLabs--WP Statistics | Missing Authorization vulnerability in VeronaLabs WP Statistics allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Statistics: from n/a through 14.15. | 2025-08-14 | 4.3 | CVE-2025-55716 |
| VillaTheme--Thank You Page Customizer for WooCommerce Increase Your Sales | Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce - Increase Your Sales allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thank You Page Customizer for WooCommerce - Increase Your Sales: from n/a through 1.1.7. | 2025-08-14 | 6.5 | CVE-2025-30993 |
| Visual Composer--Visual Composer Website Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Visual Composer Visual Composer Website Builder allows Stored XSS. This issue affects Visual Composer Website Builder: from n/a through n/a. | 2025-08-14 | 6.5 | CVE-2025-55709 |
| Webba Appointment Booking--Webba Booking | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Webba Appointment Booking Webba Booking allows Stored XSS. This issue affects Webba Booking: from n/a through 6.0.5. | 2025-08-14 | 5.9 | CVE-2025-54729 |
| WellChoose--Organization Portal System | Organization Portal System developed by WellChoose has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files. | 2025-08-13 | 6.5 | CVE-2025-8909 |
| WellChoose--Organization Portal System | Organization Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks. | 2025-08-13 | 6.1 | CVE-2025-8910 |
| WellChoose--Organization Portal System | Organization Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks. | 2025-08-13 | 6.1 | CVE-2025-8911 |
| WellChoose--Organization Portal System | Organization Portal System developed by WellChoose has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-08-13 | 6.5 | CVE-2025-8914 |
| Wetail--WooCommerce Fortnox Integration | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wetail WooCommerce Fortnox Integration allows Stored XSS. This issue affects WooCommerce Fortnox Integration: from n/a through 4.5.6. | 2025-08-14 | 6.5 | CVE-2025-47610 |
| WordLift--WordLift | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WordLift WordLift allows Stored XSS. This issue affects WordLift: from n/a through 3.54.5. | 2025-08-14 | 6.5 | CVE-2025-53582 |
| worstguy--WP LOL Rotation | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in worstguy WP LOL Rotation allows Stored XSS. This issue affects WP LOL Rotation: from n/a through 1.0. | 2025-08-14 | 6.5 | CVE-2025-49437 |
| WP Table Builder--WP Table Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Table Builder WP Table Builder allows Stored XSS. This issue affects WP Table Builder: from n/a through 2.0.12. | 2025-08-14 | 6.5 | CVE-2025-55711 |
| wpbakery--Templatera | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpbakery Templatera allows DOM-Based XSS. This issue affects Templatera: from n/a through 2.3.0. | 2025-08-14 | 6.5 | CVE-2025-54747 |
| WPBits--WPBITS Addons For Elementor Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPBits WPBITS Addons For Elementor Page Builder allows Stored XSS.This issue affects WPBITS Addons For Elementor Page Builder: from n/a through 1.5. | 2025-08-14 | 6.5 | CVE-2024-37945 |
| wpdevteam--BetterDocs Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers | The BetterDocs - Advanced AI-Driven Documentation, FAQ & Knowledge Base Tool for Elementor & Gutenberg with Encyclopedia, AI Support, Instant Answers plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_response function in all versions up to and including 4.1.1. This makes it possible for unauthenticated attackers to retrieve passwords for password-protected documents as well as the metadata of private and draft documents. | 2025-08-16 | 5.3 | CVE-2025-7499 |
| wpdevteam--Essential Addons for Elementor Popular Elementor Templates & Widgets | The Essential Addons for Elementor - Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to DOM-Based Stored Cross-Site Scripting via the 'data-gallery-items' parameter in all versions up to, and including, 6.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-15 | 6.4 | CVE-2025-8451 |
| WpEstate--WP Rentals | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WpEstate WP Rentals allows Stored XSS. This issue affects WP Rentals: from n/a through 3.13.1. | 2025-08-14 | 6.5 | CVE-2025-53330 |
| WPFunnels--WPFunnels | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFunnels WPFunnels allows Stored XSS. This issue affects WPFunnels: from n/a through 3.5.26. | 2025-08-14 | 6.5 | CVE-2025-54696 |
| wptb--WP Table Builder WordPress Table Plugin | The WP Table Builder - WordPress Table Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wptb shortcode in all versions up to, and including, 2.0.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-15 | 6.4 | CVE-2025-8604 |
| WuKongOpenSource--WukongCRM | A vulnerability was identified in WuKongOpenSource WukongCRM 11.0. This affects an unknown part of the file /adminFile/upload of the component API Response Handler. The manipulation leads to information exposure through error message. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-11 | 4.3 | CVE-2025-8852 |
| Xolluteon--Dropshix | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Xolluteon Dropshix allows DOM-Based XSS.This issue affects Dropshix: from n/a through 4.0.14. | 2025-08-15 | 5.9 | CVE-2025-49898 |
| yeashir--Anber Elementor Addon | Anber Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $anber_item['button_link']['url']' parameter in all versions up to, and including, 1.0.1 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-16 | 6.4 | CVE-2025-7439 |
| yeashir--Anber Elementor Addon | The Anber Elementor Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the $item['button_link']['url'] parameter in all versions up to, and including, 1.0.1 to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-16 | 6.4 | CVE-2025-7440 |
| YITHEMES--YITH WooCommerce Popup | Cross-Site Request Forgery (CSRF) vulnerability in YITHEMES YITH WooCommerce Popup allows Cross Site Request Forgery. This issue affects YITH WooCommerce Popup: from n/a through 1.48.0. | 2025-08-14 | 4.3 | CVE-2025-54675 |
| zlt2000--microservices-platform | A vulnerability was identified in zlt2000 microservices-platform up to 6.0.0. Affected by this vulnerability is the function Upload of the file zlt-business/file-center/src/main/java/com/central/file/controller/FileController.java. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-11 | 6.3 | CVE-2025-8841 |
| Zoom Communications Inc--Zoom Clients for Windows | Race condition in the installer for certain Zoom Clients for Windows may allow an unauthenticated user to impact application integrity via local access. | 2025-08-12 | 6.2 | CVE-2025-49456 |
| ZTE--F50 | There is an unauthorized access vulnerability in ZTE F50. Due to improper permission control of the Web module interface, an unauthorized attacker can obtain sensitive information through the interface | 2025-08-15 | 5.7 | CVE-2025-26709 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| backstage--backstage | @backstage/plugin-scaffolder-backend is the backend for the default Backstage software templates. Prior to version 2.1.1, duplicate logging of the input values in the fetch:template action in the Scaffolder meant that some of the secrets were not properly redacted. If ${{ secrets.x }} is not passed through to fetch:template there is no impact. This issue has been resolved in 2.1.1 of the scaffolder-backend plugin. A workaround for this issue involves Template Authors removing the use of ${{ secrets }} being used as an argument to fetch:template. | 2025-08-15 | 2.6 | CVE-2025-55285 |
| Buttercup--buttercup-browser-extension | A vulnerability was found in Buttercup buttercup-browser-extension up to 0.14.2. Affected by this vulnerability is an unknown functionality. The manipulation leads to improper access controls. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.1 is able to address this issue. The identifier of the patch is 89. It is recommended to upgrade the affected component. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-15 | 3.1 | CVE-2017-20199 |
| D-Link--DIR-818LW | A vulnerability has been found in D-Link DIR-818LW 1.04. This vulnerability affects unknown code of the file /bsc_lan.php of the component DHCP Reserved Address Handler. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-15 | 3.5 | CVE-2025-9003 |
| Dell--PowerEdge | Dell PowerEdge Platform version(s) 14G AMD BIOS v1.25.0 and prior, contain(s) an Access of Memory Location After End of Buffer vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. | 2025-08-14 | 3.8 | CVE-2025-36581 |
| Dell--SupportAssist for Home PCs | SupportAssist for Home PCs versions 4.6.3 and prior and SupportAssist for Business PCs versions 4.5.3 and prior, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to unauthorized access. | 2025-08-14 | 2.8 | CVE-2025-36613 |
| ExpressGateway--express-gateway | A flaw has been found in ExpressGateway express-gateway up to 1.16.10. This issue affects some unknown processing in the library lib/rest/routes/users.js of the component REST Endpoint. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-17 | 3.5 | CVE-2025-9095 |
| ExpressGateway--express-gateway | A vulnerability has been found in ExpressGateway express-gateway up to 1.16.10. Affected is an unknown function in the library lib/rest/routes/apps.js of the component REST Endpoint. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-17 | 3.5 | CVE-2025-9096 |
| F5--NGINX Plus | NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happens during the NGINX SMTP authentication process and requires the attacker to make preparations against the target system to extract the leaked data. The issue affects NGINX only if (1) it is built with the ngx_mail_smtp_module, (2) the smtp_auth directive is configured with method "none," and (3) the authentication server returns the "Auth-Wait" response header. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2025-08-13 | 3.7 | CVE-2025-53859 |
| GitLab--GitLab | An improper access control in Gitlab EE affecting all versions from 12.0 prior to 18.0.6, 18.1 prior to 18.1.4, and 18.2 prior to 18.2.2 that under certain conditions could have allowed users to view assigned issues from restricted groups by bypassing IP restrictions. | 2025-08-13 | 3.1 | CVE-2025-2498 |
| givanz--Vvveb | A vulnerability was identified in givanz Vvveb up to 1.0.5. This affects an unknown part of the file admin/template/content/edit.tpl. The manipulation of the argument slug leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.6 is able to address this issue. The patch is named 84c11d69df8452dc378feecd17e2a62ac10dac66. It is recommended to upgrade the affected component. | 2025-08-14 | 3.5 | CVE-2025-8975 |
| givanz--Vvveb | A vulnerability has been found in givanz Vvveb up to 1.0.5. This vulnerability affects unknown code of the file /vadmin123/index.php?module=content/post&type=post of the component Endpoint. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.6 is able to address this issue. It is recommended to upgrade the affected component. | 2025-08-14 | 3.5 | CVE-2025-8976 |
| HCL Software--Connections | HCL Connections contains a broken access control vulnerability that may allow unauthorized user to update data in certain scenarios. | 2025-08-15 | 3.7 | CVE-2025-31961 |
| JCG--Link-net LW-N915R | A vulnerability has been found in JCG Link-net LW-N915R 17s.20.001.908. Affected is an unknown function of the file /wireless/basic.asp of the component Wireless Basic Settings Page. The manipulation of the argument Network Name leads to cross site scripting. It is possible to launch the attack remotely. | 2025-08-11 | 2.4 | CVE-2025-8834 |
| linlinjava--litemall | A vulnerability was determined in linlinjava litemall up to 1.8.0. Affected by this issue is some unknown functionality of the file litemall-wx-api/src/main/java/org/linlinjava/litemall/wx/util/JwtHelper.java of the component JSON Web Token Handler. The manipulation of the argument SECRET with the input X-Litemall-Token leads to hard-coded credentials. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 3.7 | CVE-2025-8974 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence Plugin version <1.5.0 fails to enforce authentication of the user to the Mattermost instance which allows unauthenticated attackers to access subscription details without via API call to GET subscription endpoint. | 2025-08-11 | 3.7 | CVE-2025-49221 |
| Mattermost--Mattermost Confluence Plugin | Mattermost Confluence Plugin version <1.5.0 fails to check the access of the user to the channel which allows attackers to get channel subscription details without proper access to the channel via API call to the GET autocomplete/GetChannelSubscriptions endpoint. | 2025-08-11 | 3.7 | CVE-2025-53857 |
| mtons--mblog | A vulnerability was determined in mtons mblog up to 3.5.0. Affected by this issue is some unknown functionality of the file /email/send_code of the component Verification Code Handler. The manipulation of the argument email leads to improper restriction of excessive authentication attempts. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | 2025-08-13 | 3.7 | CVE-2025-8927 |
| mtons--mblog | A vulnerability was found in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /settings/password. The manipulation leads to improper restriction of excessive authentication attempts. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 3.7 | CVE-2025-9004 |
| mtons--mblog | A vulnerability was determined in mtons mblog up to 3.5.0. Affected is an unknown function of the file /register. The manipulation leads to information exposure through error message. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. | 2025-08-15 | 3.7 | CVE-2025-9005 |
| n/a--Edge Orchestrator software | Protection mechanism failure for some Edge Orchestrator software before version 24.11.1 for Intel(R) Tiber(TM) Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access. | 2025-08-12 | 3.5 | CVE-2025-24523 |
| n/a--Edge Orchestrator software | Uncontrolled resource consumption for some Edge Orchestrator software before version 24.11.1 for Intel(R) Tiber(TM) Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access. | 2025-08-12 | 3.5 | CVE-2025-27250 |
| n/a--Edge Orchestrator software | Uncontrolled resource consumption for some Edge Orchestrator software before version 24.11.1 for Intel(R) Tiber(TM) Edge Platform may allow an unauthenticated user to potentially enable denial of service via local access. | 2025-08-12 | 2.9 | CVE-2025-27576 |
| n/a--Edge Orchestrator software | Exposure of sensitive information to an unauthorized actor for some Edge Orchestrator software before version 24.11.1 for Intel(R) Tiber(TM) Edge Platform may allow an authenticated user to potentially enable denial of service via adjacent access. | 2025-08-12 | 2.6 | CVE-2025-27707 |
| n/a--Intel(R) 700 Series Ethernet | Uncontrolled resource consumption in the Linux kernel-mode driver for some Intel(R) 700 Series Ethernet before version 2.28.5 may allow an authenticated user to potentially enable denial of service. | 2025-08-12 | 3.3 | CVE-2025-26697 |
| n/a--Intel(R) 700 Series Ethernet | Uncontrolled resource consumption in the Linux kernel-mode driver for some Intel(R) 700 Series Ethernet before version 2.28.5 may allow an authenticated user to potentially enable denial of service. | 2025-08-12 | 3.8 | CVE-2025-26863 |
| n/a--Intel(R) 800 Series Ethernet | Integer overflow or wraparound in the Linux kernel-mode driver for some Intel(R) 800 Series Ethernet before version 1.17.2 may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 2.8 | CVE-2025-24324 |
| n/a--Intel(R) I350 Series Ethernet | Improper initialization in the Linux kernel-mode driver for some Intel(R) I350 Series Ethernet before version 5.19.2 may allow an authenticated user to potentially enable Information disclosure via data exposure. | 2025-08-12 | 3.3 | CVE-2025-24511 |
| n/a--Intel(R) Local Manageability Service software | Insertion of sensitive information into log file for some Intel(R) Local Manageability Service software before version 2514.7.16.0 may allow an authenticated user to potentially enable information disclosure via local access. | 2025-08-12 | 3.3 | CVE-2025-24520 |
| n/a--Intel(R) SGX SDK | Improper input validation in the Intel Edger8r Tool for some Intel(R) SGX SDK may allow an authenticated user to potentially enable escalation of privilege via local access. | 2025-08-12 | 3.9 | CVE-2025-32004 |
| n/a--Intel(R) TDX | Predictable Seed in Pseudo-Random Number Generator (PRNG) in the firmware for some Intel(R) TDX may allow an authenticated user to potentially enable information disclosure via local access. | 2025-08-12 | 3.3 | CVE-2025-20613 |
| n/a--Intel(R) TDX | Improper synchronization in the firmware for some Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access. | 2025-08-12 | 2.3 | CVE-2025-22853 |
| n/a--Intel(R) TDX | Improper buffer restrictions in the firmware for some Intel(R) TDX may allow a privileged user to potentially enable escalation of privilege via local access. | 2025-08-12 | 1.9 | CVE-2025-21096 |
| n/a--JasPer | A vulnerability was found in JasPer up to 4.2.5. Affected by this vulnerability is the function jas_image_chclrspc of the file src/libjasper/base/jas_image.c of the component Image Color Space Conversion Handler. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The identifier of the patch is bb7d62bd0a2a8e0e1fdb4d603f3305f955158c52. It is recommended to apply a patch to fix this issue. | 2025-08-11 | 3.3 | CVE-2025-8835 |
| n/a--JasPer | A vulnerability was determined in JasPer up to 4.2.5. Affected by this issue is the function jpc_floorlog2 of the file src/libjasper/jpc/jpc_enc.c of the component JPEG2000 Encoder. The manipulation leads to reachable assertion. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as 79185d32d7a444abae441935b20ae4676b3513d4. It is recommended to apply a patch to fix this issue. | 2025-08-11 | 3.3 | CVE-2025-8836 |
| n/a--LibTIFF | A vulnerability was identified in LibTIFF 4.7.0. This issue affects the function May of the file tiffcrop.c of the component tiffcrop. The manipulation leads to memory corruption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-08-14 | 3.3 | CVE-2025-8961 |
| n/a--PostgreSQL | PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. Separately, statistics allow a user to read sampled data that a row security policy intended to hide. PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user could craft a leaky operator that bypassed view access control lists (ACLs) and bypassed row security policies in partitioning or table inheritance hierarchies. Reachable statistics data notably included histograms and most-common-values lists. CVE-2017-7484 and CVE-2019-10130 intended to close this class of vulnerability, but this gap remained. Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected. | 2025-08-14 | 3.1 | CVE-2025-8713 |
| n/a--tcpreplay | A vulnerability has been found in tcpreplay 4.5.1. This vulnerability affects the function mask_cidr6 of the file cidr.c of the component tcpprep. The manipulation leads to heap-based buffer overflow. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The researcher is able to reproduce this with the latest official release 4.5.1 and the current master branch. The code maintainer cannot reproduce this for 4.5.2-beta1. In his reply the maintainer explains that "[i]n that case, this is a duplicate that was fixed in 4.5.2." | 2025-08-15 | 3.1 | CVE-2025-9019 |
| NASM--Netwide Assember | A vulnerability was determined in NASM Netwide Assember 2.17rc0. This vulnerability affects the function parse_smacro_template of the file preproc.c. The manipulation leads to null pointer dereference. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. | 2025-08-11 | 3.3 | CVE-2025-8844 |
| OpenHarmony--OpenHarmony | in OpenHarmony v5.0.3 and prior versions allow a local attacker case DOS through missing release of memory. | 2025-08-11 | 3.3 | CVE-2025-24844 |
| OpenHarmony--OpenHarmony | in OpenHarmony v5.0.3 and prior versions allow a local attacker case DOS through missing release of memory. | 2025-08-11 | 3.3 | CVE-2025-24925 |
| OpenHarmony--OpenHarmony | in OpenHarmony v5.0.3 and prior versions allow a local attacker case DOS through improper input. | 2025-08-11 | 3.3 | CVE-2025-25212 |
| OpenHarmony--OpenHarmony | in OpenHarmony v5.0.3 and prior versions allow a local attacker case DOS through NULL pointer dereference. | 2025-08-11 | 3.3 | CVE-2025-26690 |
| OpenHarmony--OpenHarmony | in OpenHarmony v5.0.3 and prior versions allow a local attacker cause DOS through type confusion. | 2025-08-11 | 3.3 | CVE-2025-27536 |
| OpenHarmony--OpenHarmony | in OpenHarmony v5.0.3 and prior versions allow a local attacker case DOS through missing release of memory. | 2025-08-11 | 3.3 | CVE-2025-27562 |
| Portabilis--i-Diario | A vulnerability was determined in Portabilis i-Diario up to 1.6. Affected is an unknown function of the file /objetivos-de-aprendizagem-e-habilidades of the component History Page. The manipulation of the argument código/objetivo habilidade leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-13 | 2.4 | CVE-2025-8919 |
| Portabilis--i-Diario | A vulnerability was identified in Portabilis i-Diario 1.6. Affected by this vulnerability is an unknown functionality of the file /dicionario-de-termos-bncc of the component Dicionário de Termos BNCC Page. The manipulation of the argument Planos de ensino leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-13 | 2.4 | CVE-2025-8920 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar up to 2.10. This issue affects some unknown processing of the file /intranet/educar_instituicao_cad.php of the component Editar Page. The manipulation of the argument neighborhood name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-13 | 2.4 | CVE-2025-8918 |
| quttera--Quttera Web Malware Scanner | The Quttera Web Malware Scanner plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.5.1.41 via the 'RunExternalScan' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-08-15 | 3.8 | CVE-2025-8013 |
| SAP_SE--SAP Cloud Connector | Due to a missing authorization check in SAP Cloud Connector, an attacker on an adjacent network with low privileges could send a crafted request to the endpoint responsible for testing LDAP connections. A successful exploit could lead to reduced performance, hence a low-impact on availability of the service. Confidentiality and integrity of the data are not affected. | 2025-08-12 | 3.5 | CVE-2025-42955 |
| SAP_SE--SAP Fiori (Launchpad) | SAP Fiori (Launchpad) is vulnerable to Reverse Tabnabbing vulnerability due to inadequate external navigation protections for its link (<a>) elements. An attacker with administrative user privileges could exploit this by leveraging compromised or malicious pages. While administrative access is necessary for certain configurations, the attacker does not need the administrative privileges to execute the attack. This could result in unintended manipulation of user sessions or exposure of sensitive information. The issue impacts the confidentiality and integrity of the system, but the availability remains unaffected. | 2025-08-12 | 3.5 | CVE-2025-42941 |
| Siemens--SIPROTEC 5 6MD84 (CP300) | A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V10.0), SIPROTEC 5 6MD85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 6MD86 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 6MD89 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 6MU85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7KE85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SA82 (CP150) (All versions < V10.0), SIPROTEC 5 7SA86 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SA87 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SD82 (CP150) (All versions < V10.0), SIPROTEC 5 7SD86 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SD87 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SJ81 (CP150) (All versions < V10.0), SIPROTEC 5 7SJ82 (CP150) (All versions < V10.0), SIPROTEC 5 7SJ85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SJ86 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SK82 (CP150) (All versions < V10.0), SIPROTEC 5 7SK85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SL82 (CP150) (All versions < V10.0), SIPROTEC 5 7SL86 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SL87 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7SS85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7ST85 (CP300) (All versions < V10.0), SIPROTEC 5 7ST86 (CP300) (All versions < V10.0), SIPROTEC 5 7SX82 (CP150) (All versions < V10.0), SIPROTEC 5 7SX85 (CP300) (All versions < V10.0), SIPROTEC 5 7SY82 (CP150) (All versions < V10.0), SIPROTEC 5 7UM85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7UT82 (CP150) (All versions < V10.0), SIPROTEC 5 7UT85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7UT86 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7UT87 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7VE85 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7VK87 (CP300) (All versions >= V7.80 < V10.0), SIPROTEC 5 7VU85 (CP300) (All versions < V10.0), SIPROTEC 5 Compact 7SX800 (CP050) (All versions < V10.0). Affected devices do not properly limit the bandwidth for incoming network packets over their local USB port. This could allow an attacker with physical access to send specially crafted packets with high bandwidth to the affected devices thus forcing them to exhaust their memory and stop responding to any network traffic via the local USB port. Affected devices reset themselves automatically after a successful attack. The protection function is not affected of this vulnerability. | 2025-08-12 | 2.4 | CVE-2025-40570 |
| Siemens--SmartClient modules Opcenter QL Home (SC) | A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application do not encrypt the communication in LDAP interface by default. This could allow an authenticated attacker to gain unauthorized access to sensitive information. | 2025-08-12 | 3.1 | CVE-2024-41980 |
| Siemens--SmartClient modules Opcenter QL Home (SC) | A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application displays SQL statement in the error messages encountered during the generation of reports using Cockpit tool. | 2025-08-12 | 3.5 | CVE-2024-41983 |
| Siemens--SmartClient modules Opcenter QL Home (SC) | A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application improperly handles error while accessing an inaccessible resource leading to exposing the system applications. | 2025-08-12 | 2.6 | CVE-2024-41984 |
| Siemens--SmartClient modules Opcenter QL Home (SC) | A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not expire the session without logout. This could allow an attacker to get unauthorized access if the session is left idle. | 2025-08-12 | 2.6 | CVE-2024-41985 |
| Tenda--AC20 | A security flaw has been discovered in Tenda AC20 16.03.08.12. Affected by this vulnerability is an unknown functionality of the file /etc_ro/shadow. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | 2025-08-17 | 2.5 | CVE-2025-9091 |
| yangzongzhuan--RuoYi | A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is the function Edit of the file /system/notice/edit. The manipulation of the argument noticeTitle/noticeContent leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-11 | 3.5 | CVE-2025-8847 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Akcess-Net--Lepszy BIP | Lepszy BIP is vulnerable to Reflected Cross-Site Scripting (XSS). Improper input validation in index.php form in one of the parameters allows arbitrary JavaScript to be executed on victim's browser when specially crafted URL is opened. The vendor was contacted early about this disclosure but did not respond in any way. Potentially all versions are vulnerable. | 2025-08-14 | not yet calculated | CVE-2025-7761 |
| Amazon--EMR | Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below. | 2025-08-13 | not yet calculated | CVE-2025-8904 |
| AMI--AptioV | APTIOV contains a vulnerability in BIOS where a skilled user may cause "Race Condition" by local access. A successful exploitation of this vulnerability may lead to resource exhaustion and impact Confidentiality, Integrity, and Availability. | 2025-08-12 | not yet calculated | CVE-2025-22830 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Prior to version 1.0.4, it's possible to bypass the Claude Code confirmation prompts to read a file and then send file contents over the network without user confirmation due to an overly broad allowlist of safe commands. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. Users on standard Claude Code auto-update received this fix automatically after release. Current users of Claude Code are unaffected, as versions prior to 1.0.24 are deprecated and have been forced to update. | 2025-08-16 | not yet calculated | CVE-2025-55284 |
| Apache Software Foundation--Apache bRPC | Unlimited memory allocation in redis protocol parser in Apache bRPC (all versions < 1.14.1) on all platforms allows attackers to crash the service via network. Root Cause: In the bRPC Redis protocol parser code, memory for arrays or strings of corresponding sizes is allocated based on the integers read from the network. If the integer read from the network is too large, it may cause a bad alloc error and lead to the program crashing. Attackers can exploit this feature by sending special data packets to the bRPC service to carry out a denial-of-service attack on it. The bRPC 1.14.0 version tried to fix this issue by limited the memory allocation size, however, the limitation checking code is not well implemented that may cause integer overflow and evade such limitation. So the 1.14.0 version is also vulnerable, although the integer range that affect version 1.14.0 is different from that affect version < 1.14.0. Affected scenarios: Using bRPC as a Redis server to provide network services to untrusted clients, or using bRPC as a Redis client to call untrusted Redis services. How to Fix: we provide two methods, you can choose one of them: 1. Upgrade bRPC to version 1.14.1. 2. Apply this patch ( https://github.com/apache/brpc/pull/3050 ) manually. No matter you choose which method, you should note that the patch limits the maximum length of memory allocated for each time in the bRPC Redis parser. The default limit is 64M. If some of you redis request or response have a size larger than 64M, you might encounter error after upgrade. For such case, you can modify the gflag redis_max_allocation_size to set a larger limit. | 2025-08-14 | not yet calculated | CVE-2025-54472 |
| Apache Software Foundation--Apache OFBiz | Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin. This issue affects Apache OFBiz: before 24.09.02 only when the scrum plugin is used. Even unauthenticated attackers can exploit this vulnerability. Users are recommended to upgrade to version 24.09.02, which fixes the issue. | 2025-08-15 | not yet calculated | CVE-2025-54466 |
| Apache Software Foundation--Apache Superset | A stored Cross-Site Scripting (XSS) vulnerability exists in Apache Superset's chart visualization. An authenticated user with permissions to edit charts can inject a malicious payload into a column's label. The payload is not properly sanitized and gets executed in the victim's browser when they hover over the chart, potentially leading to session hijacking or the execution of arbitrary commands on behalf of the user. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue. | 2025-08-14 | not yet calculated | CVE-2025-55672 |
| Apache Software Foundation--Apache Superset | When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user. This issue affects Apache Superset: before 4.1.3. Users are recommended to upgrade to version 4.1.3, which fixes the issue. | 2025-08-14 | not yet calculated | CVE-2025-55673 |
| Apache Software Foundation--Apache Superset | A bypass of the DISALLOWED_SQL_FUNCTIONS security feature in Apache Superset allows for the execution of blocked SQL functions. An attacker can use a special inline block to circumvent the denylist. This allows a user with SQL Lab access to execute functions that were intended to be disabled, leading to the disclosure of sensitive database information like the software version. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue. | 2025-08-14 | not yet calculated | CVE-2025-55674 |
| Apache Software Foundation--Apache Superset | Apache Superset contains an improper access control vulnerability in its /explore endpoint. A missing authorization check allows an authenticated user to discover metadata about datasources they do not have permission to access. By iterating through the datasource_id in the URL, an attacker can enumerate and confirm the existence and names of protected datasources, leading to sensitive information disclosure. This issue affects Apache Superset: before 5.0.0. Users are recommended to upgrade to version 5.0.0, which fixes the issue. | 2025-08-14 | not yet calculated | CVE-2025-55675 |
| Apache Software Foundation--Apache Tomcat | Improper Resource Shutdown or Release vulnerability in Apache Tomcat made Tomcat vulnerable to the made you reset attack. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.9, from 10.1.0-M1 through 10.1.43 and from 9.0.0.M1 through 9.0.107. Older, EOL versions may also be affected. Users are recommended to upgrade to one of versions 11.0.10, 10.1.44 or 9.0.108 which fix the issue. | 2025-08-13 | not yet calculated | CVE-2025-48989 |
| Apache Software Foundation--Apache Tomcat | Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | 2025-08-13 | not yet calculated | CVE-2025-55668 |
| Apple--Apple Music Classical for Android | This issue was addressed with improved checks. This issue is fixed in Apple Music Classical 2.3 for Android. An app may be able to unexpectedly leak a user's credentials. | 2025-08-15 | not yet calculated | CVE-2025-43201 |
| Auxilium--RateMyPet | Auxilium RateMyPet contains an unauthenticated arbitrary file upload vulnerability in upload_banners.php. The banner upload feature fails to validate file types or enforce authentication, allowing remote attackers to upload malicious PHP files. These files are stored in a web-accessible /banners/ directory and can be executed directly, resulting in remote code execution. | 2025-08-11 | not yet calculated | CVE-2012-10038 |
| Axis Communications AB--AXIS Camera Station Pro | During an internal security assessment, a Server-Side Request Forgery (SSRF) vulnerability that allowed an authenticated attacker to access internal resources on the server was discovered. | 2025-08-12 | not yet calculated | CVE-2025-7622 |
| Broadcom--Symantec PGP Encryption | Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed. | 2025-08-11 | not yet calculated | CVE-2025-8660 |
| Broadcom--Symantec PGP Encryption | A stored Cross-Site Scripting vulnerability (XSS) occurs when the server does not properly validate or encode the data entered by the user. | 2025-08-11 | not yet calculated | CVE-2025-8661 |
| bulletphysics--bullet3 | Stack-based buffer overflow in LoadOFF in bulletphysics bullet3 before 3.26 on all platforms allows remote attackers to execute arbitrary code via a crafted OFF file with an overlong initial token processed by the VHACD test utility or invoked indirectly through PyBullet's vhacd function. | 2025-08-11 | not yet calculated | CVE-2025-8854 |
| Bunkerity--Bunker Web | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Bunkerity Bunker Web on Linux allows Phishing.This issue affects Bunker Web: 1.6.2. | 2025-08-15 | not yet calculated | CVE-2025-8066 |
| CherryHQ--cherry-studio | Cherry Studio is a desktop client that supports for multiple LLM providers. From versions 1.2.5 to 1.5.1, Cherry Studio is vulnerable to OS Command Injection during a connection with a malicious MCP server in HTTP Streamable mode. Attackers can setup a malicious MCP server with compatible OAuth authorization server endpoints and trick victims into connecting it, leading to OS command injection in vulnerable clients. This issue has been patched in version 1.5.2. | 2025-08-13 | not yet calculated | CVE-2025-54074 |
| CodeFuse--ModelCache | ModelCache for LLM through v0.2.0 was discovered to contain an deserialization vulnerability via the component /manager/data_manager.py. This vulnerability allows attackers to execute arbitrary code via supplying crafted data. | 2025-08-11 | not yet calculated | CVE-2025-45146 |
| ComSndFTP--FTP Server | ComSndFTP FTP Server version 1.3.7 Beta contains a format string vulnerability in its handling of the USER command. By sending a specially crafted username containing format specifiers, a remote attacker can overwrite a hardcoded function pointer in memory (specifically WSACleanup from Ws2_32.dll). This allows the attacker to redirect execution flow and bypass DEP protections using a ROP chain, ultimately leading to arbitrary code execution. The vulnerability is exploitable without authentication and affects default configurations. | 2025-08-13 | not yet calculated | CVE-2012-10055 |
| CycloneDX--Sunshine | CycloneDX Sunshine v0.9 is vulnerable to CSV Formula Injection via a crafted JSON file | 2025-08-13 | not yet calculated | CVE-2025-52386 |
| Cytel Inc.--Studio | Cytel Studio version 9.0 and earlier is vulnerable to a stack-based buffer overflow triggered by parsing a malformed .CY3 file. The vulnerability occurs when the application copies user-controlled strings into a fixed-size stack buffer (256 bytes) without proper bounds checking. Exploitation allows arbitrary code execution when the crafted file is opened. | 2025-08-13 | not yet calculated | CVE-2011-10015 |
| Danphe Health--Hospital Management System EMR | An issue was discovered in /Code/Websites/DanpheEMR/Controllers/Settings/SecuritySettingsController.cs in Danphe Health Hospital Management System EMR 3.2 allowing attackers to reset any account password. | 2025-08-13 | not yet calculated | CVE-2025-50594 |
| darylldoyle--svg-sanitizer | savg-sanitizer is a PHP SVG/XML sanitizer. Prior to version 0.22.0, the sanitization logic in the cleanXlinkHrefs method only searches for lower-case attribute name, which allows to by-pass the isHrefSafeValue check. As a result this allows cross-site scripting or linking to external domains. This issue has been patched in version 0.22.0. | 2025-08-12 | not yet calculated | CVE-2025-55166 |
| dj-extensions.com--DJ-Classifieds component for Joomla | A SQLi vulnerability in DJ-Classifieds component 3.9.2-3.10.1 for Joomla was discovered. The issue allows privileged users to execute arbitrary SQL commands. | 2025-08-15 | not yet calculated | CVE-2025-54474 |
| DogukanUrker--flaskBlog | flaskBlog is a blog app built with Flask. In versions 2.8.1 and prior, improper sanitization of postContent when submitting POST requests to /createpost leads to arbitrary JavaScript execution (XSS) on all pages the post is reflected on including /, /post/[ID], /admin/posts, and /user/[ID] of the user that made the post. At time of publication, there are no public patches available. | 2025-08-14 | not yet calculated | CVE-2025-53631 |
| Dolibarr Project--ERP/CRM | Dolibarr ERP/CRM versions <= 3.1.1 and <= 3.2.0 contain a post-authenticated OS command injection vulnerability in its database backup feature. The export.php script fails to sanitize the sql_compat parameter, allowing authenticated users to inject arbitrary system commands, resulting in remote code execution on the server. | 2025-08-13 | not yet calculated | CVE-2012-10059 |
| Drupal--AI SEO Link Advisor | Server-Side Request Forgery (SSRF) vulnerability in Drupal AI SEO Link Advisor allows Server Side Request Forgery.This issue affects AI SEO Link Advisor: from 0.0.0 before 1.0.6. | 2025-08-15 | not yet calculated | CVE-2025-8675 |
| Drupal--Authenticator Login | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.This issue affects Authenticator Login: from 0.0.0 before 2.1.4. | 2025-08-15 | not yet calculated | CVE-2025-8995 |
| Drupal--Config Pages | Missing Authorization vulnerability in Drupal Config Pages allows Forceful Browsing.This issue affects Config Pages: from 0.0.0 before 2.18.0. | 2025-08-15 | not yet calculated | CVE-2025-8361 |
| Drupal--COOKiES Consent Management | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal COOKiES Consent Management allows Cross-Site Scripting (XSS).This issue affects COOKiES Consent Management: from 0.0.0 before 1.2.16. | 2025-08-15 | not yet calculated | CVE-2025-8092 |
| Drupal--GoogleTag Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GoogleTag Manager allows Cross-Site Scripting (XSS).This issue affects GoogleTag Manager: from 0.0.0 before 1.10.0. | 2025-08-15 | not yet calculated | CVE-2025-8362 |
| Drupal--Layout Builder Advanced Permissions | Missing Authorization vulnerability in Drupal Layout Builder Advanced Permissions allows Forceful Browsing.This issue affects Layout Builder Advanced Permissions: from 0.0.0 before 2.2.0. | 2025-08-15 | not yet calculated | CVE-2025-8996 |
| Espec--Espec North America Web controller | In ESPEC North America Web Controller 3 before 3.3.4, /api/v4/auth/ with any invalid authentication request results in exposing a JWT secret. This allows for elevated permissions to the UI. | 2025-08-14 | not yet calculated | CVE-2025-27845 |
| Espec--Espec North America Web controller | In ESPEC North America Web Controller 3 before 3.3.8, an attacker with physical access can gain elevated privileges because GRUB and the BIOS are unprotected. | 2025-08-14 | not yet calculated | CVE-2025-27846 |
| Espec--Espec North America Web controller | In ESPEC North America Web Controller 3 before 3.3.8, /api/v4/auth/ users session privileges are not revoked on logout. | 2025-08-14 | not yet calculated | CVE-2025-27847 |
| ETHER--Catalyst::Authentication::Credential::HTTP | Catalyst::Authentication::Credential::HTTP versions 1.018 and earlier for Perl generate nonces using the Perl Data::UUID library. * Data::UUID does not use a strong cryptographic source for generating UUIDs. * Data::UUID returns v3 UUIDs, which are generated from known information and are unsuitable for security, as per RFC 9562. * The nonces should be generated from a strong cryptographic source, as per RFC 7616. | 2025-08-11 | not yet calculated | CVE-2025-40920 |
| external-secrets--external-secrets | External Secrets Operator is a Kubernetes operator that integrates external secret management systems. From version 0.15.0 to before 0.19.2, a vulnerability was discovered where the List() calls for Kubernetes Secret and SecretStore resources performed by the PushSecret controller did not apply a namespace selector. This flaw allowed an attacker to use label selectors to list and read secrets/secret-stores across the cluster, bypassing intended namespace restrictions. An attacker with the ability to create or update PushSecret resources and control SecretStore configurations could exploit this vulnerability to exfiltrate sensitive data from arbitrary namespaces. This could lead to full disclosure of Kubernetes secrets, including credentials, tokens, and other sensitive information stored in the cluster. This vulnerability has been patched in version 0.19.2. A workaround for this issue includes auditing and restricting RBAC permissions so that only trusted service accounts can create or update PushSecret and SecretStore resources. | 2025-08-13 | not yet calculated | CVE-2025-55196 |
| GIMP--GIMP | MacOS version of GIMP bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application's previously granted TCC permissions to access user's files in privacy-protected folders without triggering user prompts. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of GIMP, potentially disguising attacker's malicious intent. This issue has been fixed in 3.1.4.2 version of GIMP. | 2025-08-11 | not yet calculated | CVE-2025-8672 |
| Google--Chrome | Heap buffer overflow in libaom in Google Chrome prior to 139.0.7258.127 allowed a remote attacker to potentially exploit heap corruption via a curated set of gestures. (Chromium security severity: High) | 2025-08-13 | not yet calculated | CVE-2025-8879 |
| Google--Chrome | Race in V8 in Google Chrome prior to 139.0.7258.127 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | 2025-08-13 | not yet calculated | CVE-2025-8880 |
| Google--Chrome | Inappropriate implementation in File Picker in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) | 2025-08-13 | not yet calculated | CVE-2025-8881 |
| Google--Chrome | Use after free in Aura in Google Chrome prior to 139.0.7258.127 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-08-13 | not yet calculated | CVE-2025-8882 |
| Google--Chrome | Out of bounds write in ANGLE in Google Chrome prior to 139.0.7258.127 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High) | 2025-08-13 | not yet calculated | CVE-2025-8901 |
| Google--Keras | A safe mode bypass vulnerability in the `Model.load_model` method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted `.keras` model archive. | 2025-08-11 | not yet calculated | CVE-2025-8747 |
| helmetjs--content-security-policy-parser | content-security-policy-parser parses content security policy directives. A prototype pollution vulnerability exists in versions 0.5.0 and earlier, wherein if a policy name is called __proto__, one can override the Object prototype. This issue has been patched in version 0.6.0. A workaround involves disabling prototype method in NodeJS, neutralizing all possible prototype pollution attacks. Provide either --disable-proto=delete (recommended) or --disable-proto=throw as an argument to node to enable this feature. | 2025-08-12 | not yet calculated | CVE-2025-55164 |
| HP Inc.--Certain HP PC Products | A potential security vulnerability has been identified in the System BIOS for some HP PC products which may allow escalation of privilege, arbitrary code execution, denial of service, or information disclosure via a physical attack that requires specialized equipment and knowledge. HP is releasing firmware mitigation for the potential vulnerability. | 2025-08-13 | not yet calculated | CVE-2024-5477 |
| HP, Inc.--HP Hotkey Support Software | A potential security vulnerability has been identified in the HPAudioAnalytics service included in the HP Hotkey Support software, which might allow escalation of privilege. HP is releasing software updates to mitigate the potential vulnerability. | 2025-08-15 | not yet calculated | CVE-2025-43490 |
| Hyland Software--OnBase | Hyland OnBase versions prior to 17.0.2.87 (other versions may be affected) are vulnerable to unauthenticated remote code execution via insecure deserialization on the .NET Remoting TCP channel. The service registers a listener on port 6031 with the URI endpoint TimerServer, implemented in Hyland.Core.Timers.dll. This endpoint deserializes untrusted input using the .NET BinaryFormatter, allowing attackers to execute arbitrary code under the context of NT AUTHORITY\SYSTEM. | 2025-08-13 | not yet calculated | CVE-2025-34153 |
| joomsky.com--JS Jobs component for Joomla | A SQL injection vulnerability in the JS Jobs plugin versions 1.3.2-1.4.4 for Joomla allows low-privilege users to execute arbitrary SQL commands. | 2025-08-15 | not yet calculated | CVE-2025-54475 |
| JurajNyiri--HomeAssistant-Tapo-Control | HomeAssistant-Tapo-Control offers Control for Tapo cameras as a Home Assistant component. Prior to commit 2a3b80f, there is a code injection vulnerability in the GitHub Actions workflow .github/workflows/issues.yml. It does not affect users of the Home Assistant integration itself - it only impacts the GitHub Actions environment for this repository. The vulnerable workflow directly inserted user-controlled content from the issue body (github.event.issue.body) into a Bash conditional without proper sanitization. A malicious GitHub user could craft an issue body that executes arbitrary commands on the GitHub Actions runner in a privileged context whenever an issue is opened. The potential impact is limited to the repository's CI/CD environment, which could allow access to repository contents or GitHub Actions secrets. This issue has been patched via commit 2a3b80f. Workarounds involve disabling the affected workflow (issues.yml), replacing the unsafe Bash comparison with a safe quoted grep (or a pure GitHub Actions expression check), or ensuring minimal permissions in workflows (permissions: block) to reduce possible impact. | 2025-08-14 | not yet calculated | CVE-2025-55192 |
| KuWFi--4G AC900 LTE router | The KuWFi 4G AC900 LTE router 1.0.13 is vulnerable to command injection on the HTTP API endpoints /goform/formMultiApnSetting and /goform/atCmd. An authenticated attacker can execute arbitrary OS commands with root privileges via shell metacharacters in parameters such as pincode and cmds. Exploitation can lead to full system compromise, including enabling remote access (e.g., enabling telnet). | 2025-08-14 | not yet calculated | CVE-2024-53945 |
| KuWFi--4G AC900 LTE router | The KuWFi 4G LTE AC900 router 1.0.13 is vulnerable to Cross-Site Request Forgery (CSRF) on its web management interface. This vulnerability allows an attacker to trick an authenticated admin user into performing unauthorized actions, such as exploiting a command injection vulnerability in /goform/formMultiApnSetting. Successful exploitation can also lead to unauthorized configuration changes. | 2025-08-14 | not yet calculated | CVE-2024-53946 |
| KuWFi--4G CPF908-CP5 LTE Router | KuWFi CPF908-CP5 WEB5.0_LCD_20210125 devices have multiple unauthenticated access control vulnerabilities within goform/goform_set_cmd_process and goform/goform_get_cmd_process. These allow an unauthenticated attacker to retrieve sensitive information (including the device admin username and password), modify critical device settings, and send arbitrary SMS messages. | 2025-08-14 | not yet calculated | CVE-2025-43983 |
| KuWFi--5G01-X55 | KuWFi 5G01-X55 FL2020_V0.0.12 devices expose an unauthenticated API endpoint (ajax_get.cgi), allowing remote attackers to retrieve sensitive configuration data, including admin credentials. | 2025-08-13 | not yet calculated | CVE-2025-43988 |
| KuWFi--GC111 | An issue was discovered on KuWFi GC111 devices (Hardware Version: CPE-LM321_V3.2, Software Version: GC111-GL-LM321_V3.0_20191211). They are vulnerable to unauthenticated /goform/goform_set_cmd_process requests. A crafted POST request, using the SSID parameter, allows remote attackers to execute arbitrary OS commands with root privileges. | 2025-08-14 | not yet calculated | CVE-2025-43984 |
| KuWFi--GC111 | An issue was discovered on KuWFi GC111 GC111-GL-LM321_V3.0_20191211 devices. The TELNET service is enabled by default and exposed over the WAN interface without authentication. | 2025-08-13 | not yet calculated | CVE-2025-43986 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a SQL Injection vulnerability was identified in the /html/funcionario/dependente_remover.php endpoint, specifically in the id_dependente parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This issue has been patched in version 3.4.8. | 2025-08-12 | not yet calculated | CVE-2025-55167 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a SQL Injection vulnerability was identified in the /html/saude/aplicar_medicamento.php endpoint, specifically in the id_fichamedica parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. This issue has been patched in version 3.4.8. | 2025-08-12 | not yet calculated | CVE-2025-55168 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Prior to version 3.4.8, a path traversal vulnerability was discovered in the WeGIA application, html/socio/sistema/download_remessa.php endpoint. This vulnerability could allow an attacker to gain unauthorized access to local files in the server and sensitive information stored in config.php. config.php contains information that could allow direct access to the database. This issue has been patched in version 3.4.8. | 2025-08-12 | not yet calculated | CVE-2025-55169 |
| Lattice Semiconductor--ispVM System | Lattice Semiconductor ispVM System v18.0.2 contains a buffer overflow vulnerability in its handling of .xcf project files. When parsing the version attribute of the ispXCF XML tag, the application fails to properly validate input length, allowing a specially crafted file to overwrite memory on the stack. This can result in arbitrary code execution under the context of the user who opens the file. The vulnerability is triggered locally by opening a malicious .xcf file and does not require elevated privileges. | 2025-08-13 | not yet calculated | CVE-2012-10057 |
| Legion of the Bouncy Castle Inc.--Bouncy Castle for Java | Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcprov, bc-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/core/src/main/java/org/bouncycastle/asn1/ASN1ObjectIdentifier.Java. This issue affects Bouncy Castle for Java: from BC 1.0 through 1.77, from BC-FJA 1.0.0 through 1.0.2.5, from BC-FJA 2.0.0 through 2.0.0. | 2025-08-12 | not yet calculated | CVE-2025-8885 |
| Legion of the Bouncy Castle Inc.--Bouncy Castle for Java | Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertP... https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java , https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathRevi... https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java . This issue affects Bouncy Castle for Java: from BC 1.44 through 1.78, from BCPKIX FIPS 1.0.0 through 1.0.7, from BCPKIX FIPS 2.0.0 through 2.0.7. | 2025-08-13 | not yet calculated | CVE-2025-8916 |
| Legion of the Bouncy Castle Inc.--Bouncy Castle for Java - BC-FJA 2.1.0 | Uncontrolled Resource Consumption vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java - BC-FJA 2.1.0 bc-fips (API modules) allows Excessive Allocation. This vulnerability is associated with program files org.Bouncycastle.Crypto.Fips.NativeLoader. This issue affects Bouncy Castle for Java - BC-FJA 2.1.0: from BC-FJA 2.1.0 through 2.1.0. | 2025-08-16 | not yet calculated | CVE-2025-9092 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.10, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.1 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a remote authenticated attacker to inject JavaScript code in the "first display label" field in the configuration of a custom sort widget. This malicious payload is then reflected and executed by clay button taglib when refreshing the page. | 2025-08-12 | not yet calculated | CVE-2025-43734 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the google_gadget. | 2025-08-12 | not yet calculated | CVE-2025-43735 |
| Liferay--Portal | A Denial Of Service via File Upload (DOS) vulnerability in the Liferay Portal 7.4.3.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.8, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.0 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.16 and 7.4 GA through update 92 allows a user to upload more than 300kb profile picture into the user profile. This size more than the noted max 300kb size. This extra amount of data can make Liferay slower. | 2025-08-12 | not yet calculated | CVE-2025-43736 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: call rcu_barrier() in ksmbd_server_exit() racy issue is triggered the bug by racing between closing a connection and rmmod. In ksmbd, rcu_barrier() is not called at module unload time, so nothing prevents ksmbd from getting unloaded while it still has RCU callbacks pending. It leads to trigger unintended execution of kernel code locally and use to defeat protections such as Kernel Lockdown | 2025-08-16 | not yet calculated | CVE-2023-32246 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: not allow guest user on multichannel This patch return STATUS_NOT_SUPPORTED if binding session is guest. | 2025-08-16 | not yet calculated | CVE-2023-32249 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out-of-bound read in smb2_write ksmbd_smb2_check_message doesn't validate hdr->NextCommand. If ->NextCommand is bigger than Offset + Length of smb2 write, It will allow oversized smb2 write length. It will cause OOB read in smb2_write. | 2025-08-16 | not yet calculated | CVE-2023-3865 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate session id and tree id in the compound request This patch validate session id and tree id in compound request. If first operation in the compound is SMB2 ECHO request, ksmbd bypass session and tree validation. So work->sess and work->tcon could be NULL. If secound request in the compound access work->sess or tcon, It cause NULL pointer dereferecing error. | 2025-08-16 | not yet calculated | CVE-2023-3866 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out of bounds read in smb2_sess_setup ksmbd does not consider the case of that smb2 session setup is in compound request. If this is the second payload of the compound, OOB read issue occurs while processing the first payload in the smb2_sess_setup(). | 2025-08-16 | not yet calculated | CVE-2023-3867 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea() There are multiple smb2_ea_info buffers in FILE_FULL_EA_INFORMATION request from client. ksmbd find next smb2_ea_info using ->NextEntryOffset of current smb2_ea_info. ksmbd need to validate buffer length Before accessing the next ea. ksmbd should check buffer length using buf_len, not next variable. next is the start offset of current ea that got from previous ea. | 2025-08-16 | not yet calculated | CVE-2023-4130 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate command request size In commit 2b9b8f3b68ed ("ksmbd: validate command payload size"), except for SMB2_OPLOCK_BREAK_HE command, the request size of other commands is not checked, it's not expected. Fix it by add check for request size of other commands. | 2025-08-16 | not yet calculated | CVE-2023-4515 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come from lacking admin rights in the userns of the namespace mount belongs to. clone_private_mnt() checks the former, but not the latter. There's a number of rather confusing CAP_SYS_ADMIN checks in various userns during the mount, especially with the new mount API; they serve different purposes and in case of clone_private_mnt() they usually, but not always end up covering the missing check mentioned above. | 2025-08-11 | not yet calculated | CVE-2025-38499 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: xfrm: interface: fix use-after-free after changing collect_md xfrm interface collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces. The check to enforce this was done only in the case where the xi was returned from xfrmi_locate() which doesn't look for the collect_md interface, and thus the validation was never reached. Calling changelink would thus errornously place the special interface xi in the xfrmi_net->xfrmi hash, but since it also exists in the xfrmi_net->collect_md_xfrmi pointer it would lead to a double free when the net namespace was taken down [1]. Change the check to use the xi from netdev_priv which is available earlier in the function to prevent changes in xfrm collect_md interfaces. [1] resulting oops: [ 8.516540] kernel BUG at net/core/dev.c:12029! [ 8.516552] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 8.516559] CPU: 0 UID: 0 PID: 12 Comm: kworker/u80:0 Not tainted 6.15.0-virtme #5 PREEMPT(voluntary) [ 8.516565] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 8.516569] Workqueue: netns cleanup_net [ 8.516579] RIP: 0010:unregister_netdevice_many_notify+0x101/0xab0 [ 8.516590] Code: 90 0f 0b 90 48 8b b0 78 01 00 00 48 8b 90 80 01 00 00 48 89 56 08 48 89 32 4c 89 80 78 01 00 00 48 89 b8 80 01 00 00 eb ac 90 <0f> 0b 48 8b 45 00 4c 8d a0 88 fe ff ff 48 39 c5 74 5c 41 80 bc 24 [ 8.516593] RSP: 0018:ffffa93b8006bd30 EFLAGS: 00010206 [ 8.516598] RAX: ffff98fe4226e000 RBX: ffffa93b8006bd58 RCX: ffffa93b8006bc60 [ 8.516601] RDX: 0000000000000004 RSI: 0000000000000000 RDI: dead000000000122 [ 8.516603] RBP: ffffa93b8006bdd8 R08: dead000000000100 R09: ffff98fe4133c100 [ 8.516605] R10: 0000000000000000 R11: 00000000000003d2 R12: ffffa93b8006be00 [ 8.516608] R13: ffffffff96c1a510 R14: ffffffff96c1a510 R15: ffffa93b8006be00 [ 8.516615] FS: 0000000000000000(0000) GS:ffff98fee73b7000(0000) knlGS:0000000000000000 [ 8.516619] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 8.516622] CR2: 00007fcd2abd0700 CR3: 000000003aa40000 CR4: 0000000000752ef0 [ 8.516625] PKRU: 55555554 [ 8.516627] Call Trace: [ 8.516632] <TASK> [ 8.516635] ? rtnl_is_locked+0x15/0x20 [ 8.516641] ? unregister_netdevice_queue+0x29/0xf0 [ 8.516650] ops_undo_list+0x1f2/0x220 [ 8.516659] cleanup_net+0x1ad/0x2e0 [ 8.516664] process_one_work+0x160/0x380 [ 8.516673] worker_thread+0x2aa/0x3c0 [ 8.516679] ? __pfx_worker_thread+0x10/0x10 [ 8.516686] kthread+0xfb/0x200 [ 8.516690] ? __pfx_kthread+0x10/0x10 [ 8.516693] ? __pfx_kthread+0x10/0x10 [ 8.516697] ret_from_fork+0x82/0xf0 [ 8.516705] ? __pfx_kthread+0x10/0x10 [ 8.516709] ret_from_fork_asm+0x1a/0x30 [ 8.516718] </TASK> | 2025-08-12 | not yet calculated | CVE-2025-38500 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: limit repeated connections from clients with the same IP Repeated connections from clients with the same IP address may exhaust the max connections and prevent other normal client connections. This patch limit repeated connections from clients with the same IP. | 2025-08-16 | not yet calculated | CVE-2025-38501 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix oob access in cgroup local storage Lonial reported that an out-of-bounds access in cgroup local storage can be crafted via tail calls. Given two programs each utilizing a cgroup local storage with a different value size, and one program doing a tail call into the other. The verifier will validate each of the indivial programs just fine. However, in the runtime context the bpf_cg_run_ctx holds an bpf_prog_array_item which contains the BPF program as well as any cgroup local storage flavor the program uses. Helpers such as bpf_get_local_storage() pick this up from the runtime context: ctx = container_of(current->bpf_ctx, struct bpf_cg_run_ctx, run_ctx); storage = ctx->prog_item->cgroup_storage[stype]; if (stype == BPF_CGROUP_STORAGE_SHARED) ptr = &READ_ONCE(storage->buf)->data[0]; else ptr = this_cpu_ptr(storage->percpu_buf); For the second program which was called from the originally attached one, this means bpf_get_local_storage() will pick up the former program's map, not its own. With mismatching sizes, this can result in an unintended out-of-bounds access. To fix this issue, we need to extend bpf_map_owner with an array of storage_cookie[] to match on i) the exact maps from the original program if the second program was using bpf_get_local_storage(), or ii) allow the tail call combination if the second program was not using any of the cgroup local storage maps. | 2025-08-16 | not yet calculated | CVE-2025-38502 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion when building free space tree When building the free space tree with the block group tree feature enabled, we can hit an assertion failure like this: BTRFS info (device loop0 state M): rebuilding free space tree assertion failed: ret == 0, in fs/btrfs/free-space-tree.c:1102 ------------[ cut here ]------------ kernel BUG at fs/btrfs/free-space-tree.c:1102! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Modules linked in: CPU: 1 UID: 0 PID: 6592 Comm: syz-executor322 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 lr : populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 sp : ffff8000a4ce7600 x29: ffff8000a4ce76e0 x28: ffff0000c9bc6000 x27: ffff0000ddfff3d8 x26: ffff0000ddfff378 x25: dfff800000000000 x24: 0000000000000001 x23: ffff8000a4ce7660 x22: ffff70001499cecc x21: ffff0000e1d8c160 x20: ffff0000e1cb7800 x19: ffff0000e1d8c0b0 x18: 00000000ffffffff x17: ffff800092f39000 x16: ffff80008ad27e48 x15: ffff700011e740c0 x14: 1ffff00011e740c0 x13: 0000000000000004 x12: ffffffffffffffff x11: ffff700011e740c0 x10: 0000000000ff0100 x9 : 94ef24f55d2dbc00 x8 : 94ef24f55d2dbc00 x7 : 0000000000000001 x6 : 0000000000000001 x5 : ffff8000a4ce6f98 x4 : ffff80008f415ba0 x3 : ffff800080548ef0 x2 : 0000000000000000 x1 : 0000000100000000 x0 : 000000000000003e Call trace: populate_free_space_tree+0x514/0x518 fs/btrfs/free-space-tree.c:1102 (P) btrfs_rebuild_free_space_tree+0x14c/0x54c fs/btrfs/free-space-tree.c:1337 btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074 btrfs_remount_rw fs/btrfs/super.c:1319 [inline] btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543 reconfigure_super+0x1d4/0x6f0 fs/super.c:1083 do_remount fs/namespace.c:3365 [inline] path_mount+0xb34/0xde0 fs/namespace.c:4200 do_mount fs/namespace.c:4221 [inline] __do_sys_mount fs/namespace.c:4432 [inline] __se_sys_mount fs/namespace.c:4409 [inline] __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Code: f0047182 91178042 528089c3 9771d47b (d4210000) ---[ end trace 0000000000000000 ]--- This happens because we are processing an empty block group, which has no extents allocated from it, there are no items for this block group, including the block group item since block group items are stored in a dedicated tree when using the block group tree feature. It also means this is the block group with the highest start offset, so there are no higher keys in the extent root, hence btrfs_search_slot_for_read() returns 1 (no higher key found). Fix this by asserting 'ret' is 0 only if the block group tree feature is not enabled, in which case we should find a block group item for the block group since it's stored in the extent root and block group item keys are greater than extent item keys (the value for BTRFS_BLOCK_GROUP_ITEM_KEY is 192 and for BTRFS_EXTENT_ITEM_KEY and BTRFS_METADATA_ITEM_KEY the values are 168 and 169 respectively). In case 'ret' is 1, we just need to add a record to the free space tree which spans the whole block group, and we can achieve this by making 'ret == 0' as the while loop's condition. | 2025-08-16 | not yet calculated | CVE-2025-38503 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/zcrx: fix pp destruction warnings With multiple page pools and in some other cases we can have allocated niovs on page pool destruction. Remove a misplaced warning checking that all niovs are returned to zcrx on io_pp_zc_destroy(). It was reported before but apparently got lost. | 2025-08-16 | not yet calculated | CVE-2025-38504 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: discard erroneous disassoc frames on STA interface When operating in concurrent STA/AP mode with host MLME enabled, the firmware incorrectly sends disassociation frames to the STA interface when clients disconnect from the AP interface. This causes kernel warnings as the STA interface processes disconnect events that don't apply to it: [ 1303.240540] WARNING: CPU: 0 PID: 513 at net/wireless/mlme.c:141 cfg80211_process_disassoc+0x78/0xec [cfg80211] [ 1303.250861] Modules linked in: 8021q garp stp mrp llc rfcomm bnep btnxpuart nls_iso8859_1 nls_cp437 onboard_us [ 1303.327651] CPU: 0 UID: 0 PID: 513 Comm: kworker/u9:2 Not tainted 6.16.0-rc1+ #3 PREEMPT [ 1303.335937] Hardware name: Toradex Verdin AM62 WB on Verdin Development Board (DT) [ 1303.343588] Workqueue: MWIFIEX_RX_WORK_QUEUE mwifiex_rx_work_queue [mwifiex] [ 1303.350856] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1303.357904] pc : cfg80211_process_disassoc+0x78/0xec [cfg80211] [ 1303.364065] lr : cfg80211_process_disassoc+0x70/0xec [cfg80211] [ 1303.370221] sp : ffff800083053be0 [ 1303.373590] x29: ffff800083053be0 x28: 0000000000000000 x27: 0000000000000000 [ 1303.380855] x26: 0000000000000000 x25: 00000000ffffffff x24: ffff000002c5b8ae [ 1303.388120] x23: ffff000002c5b884 x22: 0000000000000001 x21: 0000000000000008 [ 1303.395382] x20: ffff000002c5b8ae x19: ffff0000064dd408 x18: 0000000000000006 [ 1303.402646] x17: 3a36333a61623a30 x16: 32206d6f72662063 x15: ffff800080bfe048 [ 1303.409910] x14: ffff000003625300 x13: 0000000000000001 x12: 0000000000000000 [ 1303.417173] x11: 0000000000000002 x10: ffff000003958600 x9 : ffff000003625300 [ 1303.424434] x8 : ffff00003fd9ef40 x7 : ffff0000039fc280 x6 : 0000000000000002 [ 1303.431695] x5 : ffff0000038976d4 x4 : 0000000000000000 x3 : 0000000000003186 [ 1303.438956] x2 : 000000004836ba20 x1 : 0000000000006986 x0 : 00000000d00479de [ 1303.446221] Call trace: [ 1303.448722] cfg80211_process_disassoc+0x78/0xec [cfg80211] (P) [ 1303.454894] cfg80211_rx_mlme_mgmt+0x64/0xf8 [cfg80211] [ 1303.460362] mwifiex_process_mgmt_packet+0x1ec/0x460 [mwifiex] [ 1303.466380] mwifiex_process_sta_rx_packet+0x1bc/0x2a0 [mwifiex] [ 1303.472573] mwifiex_handle_rx_packet+0xb4/0x13c [mwifiex] [ 1303.478243] mwifiex_rx_work_queue+0x158/0x198 [mwifiex] [ 1303.483734] process_one_work+0x14c/0x28c [ 1303.487845] worker_thread+0x2cc/0x3d4 [ 1303.491680] kthread+0x12c/0x208 [ 1303.495014] ret_from_fork+0x10/0x20 Add validation in the STA receive path to verify that disassoc/deauth frames originate from the connected AP. Frames that fail this check are discarded early, preventing them from reaching the MLME layer and triggering WARN_ON(). This filtering logic is similar with that used in the ieee80211_rx_mgmt_disassoc() function in mac80211, which drops disassoc frames that don't match the current BSSID (!ether_addr_equal(mgmt->bssid, sdata->vif.cfg.ap_addr)), ensuring only relevant frames are processed. Tested on: - 8997 with FW 16.68.1.p197 | 2025-08-16 | not yet calculated | CVE-2025-38505 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: Allow CPU to reschedule while setting per-page memory attributes When running an SEV-SNP guest with a sufficiently large amount of memory (1TB+), the host can experience CPU soft lockups when running an operation in kvm_vm_set_mem_attributes() to set memory attributes on the whole range of guest memory. watchdog: BUG: soft lockup - CPU#8 stuck for 26s! [qemu-kvm:6372] CPU: 8 UID: 0 PID: 6372 Comm: qemu-kvm Kdump: loaded Not tainted 6.15.0-rc7.20250520.el9uek.rc1.x86_64 #1 PREEMPT(voluntary) Hardware name: Oracle Corporation ORACLE SERVER E4-2c/Asm,MB Tray,2U,E4-2c, BIOS 78016600 11/13/2024 RIP: 0010:xas_create+0x78/0x1f0 Code: 00 00 00 41 80 fc 01 0f 84 82 00 00 00 ba 06 00 00 00 bd 06 00 00 00 49 8b 45 08 4d 8d 65 08 41 39 d6 73 20 83 ed 06 48 85 c0 <74> 67 48 89 c2 83 e2 03 48 83 fa 02 75 0c 48 3d 00 10 00 00 0f 87 RSP: 0018:ffffad890a34b940 EFLAGS: 00000286 RAX: ffff96f30b261daa RBX: ffffad890a34b9c8 RCX: 0000000000000000 RDX: 000000000000001e RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000018 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffad890a356868 R13: ffffad890a356860 R14: 0000000000000000 R15: ffffad890a356868 FS: 00007f5578a2a400(0000) GS:ffff97ed317e1000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f015c70fb18 CR3: 00000001109fd006 CR4: 0000000000f70ef0 PKRU: 55555554 Call Trace: <TASK> xas_store+0x58/0x630 __xa_store+0xa5/0x130 xa_store+0x2c/0x50 kvm_vm_set_mem_attributes+0x343/0x710 [kvm] kvm_vm_ioctl+0x796/0xab0 [kvm] __x64_sys_ioctl+0xa3/0xd0 do_syscall_64+0x8c/0x7a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f5578d031bb Code: ff ff ff 85 c0 79 9b 49 c7 c4 ff ff ff ff 5b 5d 4c 89 e0 41 5c c3 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 2d 4c 0f 00 f7 d8 64 89 01 48 RSP: 002b:00007ffe0a742b88 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 000000004020aed2 RCX: 00007f5578d031bb RDX: 00007ffe0a742c80 RSI: 000000004020aed2 RDI: 000000000000000b RBP: 0000010000000000 R08: 0000010000000000 R09: 0000017680000000 R10: 0000000000000080 R11: 0000000000000246 R12: 00005575e5f95120 R13: 00007ffe0a742c80 R14: 0000000000000008 R15: 00005575e5f961e0 While looping through the range of memory setting the attributes, call cond_resched() to give the scheduler a chance to run a higher priority task on the runqueue if necessary and avoid staying in kernel mode long enough to trigger the lockup. | 2025-08-16 | not yet calculated | CVE-2025-38506 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: nintendo: avoid bluetooth suspend/resume stalls Ensure we don't stall or panic the kernel when using bluetooth-connected controllers. This was reported as an issue on android devices using kernel 6.6 due to the resume hook which had been added for usb joycons. First, set a new state value to JOYCON_CTLR_STATE_SUSPENDED in a newly-added nintendo_hid_suspend. This makes sure we will not stall out the kernel waiting for input reports during led classdev suspend. The stalls could happen if connectivity is unreliable or lost to the controller prior to suspend. Second, since we lose connectivity during suspend, do not try joycon_init() for bluetooth controllers in the nintendo_hid_resume path. Tested via multiple suspend/resume flows when using the controller both in USB and bluetooth modes. | 2025-08-16 | not yet calculated | CVE-2025-38507 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation When using Secure TSC, the GUEST_TSC_FREQ MSR reports a frequency based on the nominal P0 frequency, which deviates slightly (typically ~0.2%) from the actual mean TSC frequency due to clocking parameters. Over extended VM uptime, this discrepancy accumulates, causing clock skew between the hypervisor and a SEV-SNP VM, leading to early timer interrupts as perceived by the guest. The guest kernel relies on the reported nominal frequency for TSC-based timekeeping, while the actual frequency set during SNP_LAUNCH_START may differ. This mismatch results in inaccurate time calculations, causing the guest to perceive hrtimers as firing earlier than expected. Utilize the TSC_FACTOR from the SEV firmware's secrets page (see "Secrets Page Format" in the SNP Firmware ABI Specification) to calculate the mean TSC frequency, ensuring accurate timekeeping and mitigating clock skew in SEV-SNP VMs. Use early_ioremap_encrypted() to map the secrets page as ioremap_encrypted() uses kmalloc() which is not available during early TSC initialization and causes a panic. [ bp: Drop the silly dummy var: https://lore.kernel.org/r/20250630192726.GBaGLlHl84xIopx4Pt@fat_crate.local ] | 2025-08-16 | not yet calculated | CVE-2025-38508 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: reject VHT opmode for unsupported channel widths VHT operating mode notifications are not defined for channel widths below 20 MHz. In particular, 5 MHz and 10 MHz are not valid under the VHT specification and must be rejected. Without this check, malformed notifications using these widths may reach ieee80211_chan_width_to_rx_bw(), leading to a WARN_ON due to invalid input. This issue was reported by syzbot. Reject these unsupported widths early in sta_link_apply_parameters() when opmode_notif is used. The accepted set includes 20, 40, 80, 160, and 80+80 MHz, which are valid for VHT. While 320 MHz is not defined for VHT, it is allowed to avoid rejecting HE or EHT clients that may still send a VHT opmode notification. | 2025-08-16 | not yet calculated | CVE-2025-38509 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kasan: remove kasan_find_vm_area() to prevent possible deadlock find_vm_area() couldn't be called in atomic_context. If find_vm_area() is called to reports vm area information, kasan can trigger deadlock like: CPU0 CPU1 vmalloc(); alloc_vmap_area(); spin_lock(&vn->busy.lock) spin_lock_bh(&some_lock); <interrupt occurs> <in softirq> spin_lock(&some_lock); <access invalid address> kasan_report(); print_report(); print_address_description(); kasan_find_vm_area(); find_vm_area(); spin_lock(&vn->busy.lock) // deadlock! To prevent possible deadlock while kasan reports, remove kasan_find_vm_area(). | 2025-08-16 | not yet calculated | CVE-2025-38510 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/pf: Clear all LMTT pages on alloc Our LMEM buffer objects are not cleared by default on alloc and during VF provisioning we only setup LMTT PTEs for the actually provisioned LMEM range. But beyond that valid range we might leave some stale data that could either point to some other VFs allocations or even to the PF pages. Explicitly clear all new LMTT page to avoid the risk that a malicious VF would try to exploit that gap. While around add asserts to catch any undesired PTE overwrites and low-level debug traces to track LMTT PT life-cycle. (cherry picked from commit 3fae6918a3e27cce20ded2551f863fb05d4bef8d) | 2025-08-16 | not yet calculated | CVE-2025-38511 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: prevent A-MSDU attacks in mesh networks This patch is a mitigation to prevent the A-MSDU spoofing vulnerability for mesh networks. The initial update to the IEEE 802.11 standard, in response to the FragAttacks, missed this case (CVE-2025-27558). It can be considered a variant of CVE-2020-24588 but for mesh networks. This patch tries to detect if a standard MSDU was turned into an A-MSDU by an adversary. This is done by parsing a received A-MSDU as a standard MSDU, calculating the length of the Mesh Control header, and seeing if the 6 bytes after this header equal the start of an rfc1042 header. If equal, this is a strong indication of an ongoing attack attempt. This defense was tested with mac80211_hwsim against a mesh network that uses an empty Mesh Address Extension field, i.e., when four addresses are used, and when using a 12-byte Mesh Address Extension field, i.e., when six addresses are used. Functionality of normal MSDUs and A-MSDUs was also tested, and confirmed working, when using both an empty and 12-byte Mesh Address Extension field. It was also tested with mac80211_hwsim that A-MSDU attacks in non-mesh networks keep being detected and prevented. Note that the vulnerability being patched, and the defense being implemented, was also discussed in the following paper and in the following IEEE 802.11 presentation: https://papers.mathyvanhoef.com/wisec2025.pdf https://mentor.ieee.org/802.11/dcn/25/11-25-0949-00-000m-a-msdu-mesh-spoof-protection.docx | 2025-08-16 | not yet calculated | CVE-2025-38512 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() There is a potential NULL pointer dereference in zd_mac_tx_to_dev(). For example, the following is possible: T0 T1 zd_mac_tx_to_dev() /* len == skb_queue_len(q) */ while (len > ZD_MAC_MAX_ACK_WAITERS) { filter_ack() spin_lock_irqsave(&q->lock, flags); /* position == skb_queue_len(q) */ for (i=1; i<position; i++) skb = __skb_dequeue(q) if (mac->type == NL80211_IFTYPE_AP) skb = __skb_dequeue(q); spin_unlock_irqrestore(&q->lock, flags); skb_dequeue() -> NULL Since there is a small gap between checking skb queue length and skb being unconditionally dequeued in zd_mac_tx_to_dev(), skb_dequeue() can return NULL. Then the pointer is passed to zd_mac_tx_status() where it is dereferenced. In order to avoid potential NULL pointer dereference due to situations like above, check if skb is not NULL before passing it to zd_mac_tx_status(). Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2025-08-16 | not yet calculated | CVE-2025-38513 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix oops due to non-existence of prealloc backlog struct If an AF_RXRPC service socket is opened and bound, but calls are preallocated, then rxrpc_alloc_incoming_call() will oops because the rxrpc_backlog struct doesn't get allocated until the first preallocation is made. Fix this by returning NULL from rxrpc_alloc_incoming_call() if there is no backlog struct. This will cause the incoming call to be aborted. | 2025-08-16 | not yet calculated | CVE-2025-38514 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/sched: Increment job count before swapping tail spsc queue A small race exists between spsc_queue_push and the run-job worker, in which spsc_queue_push may return not-first while the run-job worker has already idled due to the job count being zero. If this race occurs, job scheduling stops, leading to hangs while waiting on the job's DMA fences. Seal this race by incrementing the job count before appending to the SPSC queue. This race was observed on a drm-tip 6.16-rc1 build with the Xe driver in an SVM test case. | 2025-08-16 | not yet calculated | CVE-2025-38515 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: qcom: msm: mark certain pins as invalid for interrupts On some platforms, the UFS-reset pin has no interrupt logic in TLMM but is nevertheless registered as a GPIO in the kernel. This enables the user-space to trigger a BUG() in the pinctrl-msm driver by running, for example: `gpiomon -c 0 113` on RB2. The exact culprit is requesting pins whose intr_detection_width setting is not 1 or 2 for interrupts. This hits a BUG() in msm_gpio_irq_set_type(). Potentially crashing the kernel due to an invalid request from user-space is not optimal, so let's go through the pins and mark those that would fail the check as invalid for the irq chip as we should not even register them as available irqs. This function can be extended if we determine that there are more corner-cases like this. | 2025-08-16 | not yet calculated | CVE-2025-38516 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() alloc_tag_top_users() attempts to lock alloc_tag_cttype->mod_lock even when the alloc_tag_cttype is not allocated because: 1) alloc tagging is disabled because mem profiling is disabled (!alloc_tag_cttype) 2) alloc tagging is enabled, but not yet initialized (!alloc_tag_cttype) 3) alloc tagging is enabled, but failed initialization (!alloc_tag_cttype or IS_ERR(alloc_tag_cttype)) In all cases, alloc_tag_cttype is not allocated, and therefore alloc_tag_top_users() should not attempt to acquire the semaphore. This leads to a crash on memory allocation failure by attempting to acquire a non-existent semaphore: Oops: general protection fault, probably for non-canonical address 0xdffffc000000001b: 0000 [#3] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x00000000000000d8-0x00000000000000df] CPU: 2 UID: 0 PID: 1 Comm: systemd Tainted: G D 6.16.0-rc2 #1 VOLUNTARY Tainted: [D]=DIE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:down_read_trylock+0xaa/0x3b0 Code: d0 7c 08 84 d2 0f 85 a0 02 00 00 8b 0d df 31 dd 04 85 c9 75 29 48 b8 00 00 00 00 00 fc ff df 48 8d 6b 68 48 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 88 02 00 00 48 3b 5b 68 0f 85 53 01 00 00 65 ff RSP: 0000:ffff8881002ce9b8 EFLAGS: 00010016 RAX: dffffc0000000000 RBX: 0000000000000070 RCX: 0000000000000000 RDX: 000000000000001b RSI: 000000000000000a RDI: 0000000000000070 RBP: 00000000000000d8 R08: 0000000000000001 R09: ffffed107dde49d1 R10: ffff8883eef24e8b R11: ffff8881002cec20 R12: 1ffff11020059d37 R13: 00000000003fff7b R14: ffff8881002cec20 R15: dffffc0000000000 FS: 00007f963f21d940(0000) GS:ffff888458ca6000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f963f5edf71 CR3: 000000010672c000 CR4: 0000000000350ef0 Call Trace: <TASK> codetag_trylock_module_list+0xd/0x20 alloc_tag_top_users+0x369/0x4b0 __show_mem+0x1cd/0x6e0 warn_alloc+0x2b1/0x390 __alloc_frozen_pages_noprof+0x12b9/0x21a0 alloc_pages_mpol+0x135/0x3e0 alloc_slab_page+0x82/0xe0 new_slab+0x212/0x240 ___slab_alloc+0x82a/0xe00 </TASK> As David Wang points out, this issue became easier to trigger after commit 780138b12381 ("alloc_tag: check mem_profiling_support in alloc_tag_init"). Before the commit, the issue occurred only when it failed to allocate and initialize alloc_tag_cttype or if a memory allocation fails before alloc_tag_init() is called. After the commit, it can be easily triggered when memory profiling is compiled but disabled at boot. To properly determine whether alloc_tag_init() has been called and its data structures initialized, verify that alloc_tag_cttype is a valid pointer before acquiring the semaphore. If the variable is NULL or an error value, it has not been properly initialized. In such a case, just skip and do not attempt to acquire the semaphore. [harry.yoo@oracle.com: v3] | 2025-08-16 | not yet calculated | CVE-2025-38517 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Disable INVLPGB on Zen2 AMD Cyan Skillfish (Family 17h, Model 47h, Stepping 0h) has an issue that causes system oopses and panics when performing TLB flush using INVLPGB. However, the problem is that that machine has misconfigured CPUID and should not report the INVLPGB bit in the first place. So zap the kernel's representation of the flag so that nothing gets confused. [ bp: Massage. ] | 2025-08-16 | not yet calculated | CVE-2025-38518 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon: fix divide by zero in damon_get_intervals_score() The current implementation allows having zero size regions with no special reasons, but damon_get_intervals_score() gets crashed by divide by zero when the region size is zero. [ 29.403950] Oops: divide error: 0000 [#1] SMP NOPTI This patch fixes the bug, but does not disallow zero size regions to keep the backward compatibility since disallowing zero size regions might be a breaking change for some users. In addition, the same crash can happen when intervals_goal.access_bp is zero so this should be fixed in stable trees as well. | 2025-08-16 | not yet calculated | CVE-2025-38519 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Don't call mmput from MMU notifier callback If the process is exiting, the mmput inside mmu notifier callback from compactd or fork or numa balancing could release the last reference of mm struct to call exit_mmap and free_pgtable, this triggers deadlock with below backtrace. The deadlock will leak kfd process as mmu notifier release is not called and cause VRAM leaking. The fix is to take mm reference mmget_non_zero when adding prange to the deferred list to pair with mmput in deferred list work. If prange split and add into pchild list, the pchild work_item.mm is not used, so remove the mm parameter from svm_range_unmap_split and svm_range_add_child. The backtrace of hung task: INFO: task python:348105 blocked for more than 64512 seconds. Call Trace: __schedule+0x1c3/0x550 schedule+0x46/0xb0 rwsem_down_write_slowpath+0x24b/0x4c0 unlink_anon_vmas+0xb1/0x1c0 free_pgtables+0xa9/0x130 exit_mmap+0xbc/0x1a0 mmput+0x5a/0x140 svm_range_cpu_invalidate_pagetables+0x2b/0x40 [amdgpu] mn_itree_invalidate+0x72/0xc0 __mmu_notifier_invalidate_range_start+0x48/0x60 try_to_unmap_one+0x10fa/0x1400 rmap_walk_anon+0x196/0x460 try_to_unmap+0xbb/0x210 migrate_page_unmap+0x54d/0x7e0 migrate_pages_batch+0x1c3/0xae0 migrate_pages_sync+0x98/0x240 migrate_pages+0x25c/0x520 compact_zone+0x29d/0x590 compact_zone_order+0xb6/0xf0 try_to_compact_pages+0xbe/0x220 __alloc_pages_direct_compact+0x96/0x1a0 __alloc_pages_slowpath+0x410/0x930 __alloc_pages_nodemask+0x3a9/0x3e0 do_huge_pmd_anonymous_page+0xd7/0x3e0 __handle_mm_fault+0x5e3/0x5f0 handle_mm_fault+0xf7/0x2e0 hmm_vma_fault.isra.0+0x4d/0xa0 walk_pmd_range.isra.0+0xa8/0x310 walk_pud_range+0x167/0x240 walk_pgd_range+0x55/0x100 __walk_page_range+0x87/0x90 walk_page_range+0xf6/0x160 hmm_range_fault+0x4f/0x90 amdgpu_hmm_range_get_pages+0x123/0x230 [amdgpu] amdgpu_ttm_tt_get_user_pages+0xb1/0x150 [amdgpu] init_user_pages+0xb1/0x2a0 [amdgpu] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x543/0x7d0 [amdgpu] kfd_ioctl_alloc_memory_of_gpu+0x24c/0x4e0 [amdgpu] kfd_ioctl+0x29d/0x500 [amdgpu] (cherry picked from commit a29e067bd38946f752b0ef855f3dfff87e77bec7) | 2025-08-16 | not yet calculated | CVE-2025-38520 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix kernel crash when hard resetting the GPU The GPU hard reset sequence calls pm_runtime_force_suspend() and pm_runtime_force_resume(), which according to their documentation should only be used during system-wide PM transitions to sleep states. The main issue though is that depending on some internal runtime PM state as seen by pm_runtime_force_suspend() (whether the usage count is <= 1), pm_runtime_force_resume() might not resume the device unless needed. If that happens, the runtime PM resume callback pvr_power_device_resume() is not called, the GPU clocks are not re-enabled, and the kernel crashes on the next attempt to access GPU registers as part of the power-on sequence. Replace calls to pm_runtime_force_suspend() and pm_runtime_force_resume() with direct calls to the driver's runtime PM callbacks, pvr_power_device_suspend() and pvr_power_device_resume(), to ensure clocks are re-enabled and avoid the kernel crash. | 2025-08-16 | not yet calculated | CVE-2025-38521 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/ext: Prevent update_locked_rq() calls with NULL rq Avoid invoking update_locked_rq() when the runqueue (rq) pointer is NULL in the SCX_CALL_OP and SCX_CALL_OP_RET macros. Previously, calling update_locked_rq(NULL) with preemption enabled could trigger the following warning: BUG: using __this_cpu_write() in preemptible [00000000] This happens because __this_cpu_write() is unsafe to use in preemptible context. rq is NULL when an ops invoked from an unlocked context. In such cases, we don't need to store any rq, since the value should already be NULL (unlocked). Ensure that update_locked_rq() is only called when rq is non-NULL, preventing calling __this_cpu_write() on preemptible context. | 2025-08-16 | not yet calculated | CVE-2025-38522 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix the smbd_response slab to allow usercopy The handling of received data in the smbdirect client code involves using copy_to_iter() to copy data from the smbd_reponse struct's packet trailer to a folioq buffer provided by netfslib that encapsulates a chunk of pagecache. If, however, CONFIG_HARDENED_USERCOPY=y, this will result in the checks then performed in copy_to_iter() oopsing with something like the following: CIFS: Attempting to mount //172.31.9.1/test CIFS: VFS: RDMA transport established usercopy: Kernel memory exposure attempt detected from SLUB object 'smbd_response_0000000091e24ea1' (offset 81, size 63)! ------------[ cut here ]------------ kernel BUG at mm/usercopy.c:102! ... RIP: 0010:usercopy_abort+0x6c/0x80 ... Call Trace: <TASK> __check_heap_object+0xe3/0x120 __check_object_size+0x4dc/0x6d0 smbd_recv+0x77f/0xfe0 [cifs] cifs_readv_from_socket+0x276/0x8f0 [cifs] cifs_read_from_socket+0xcd/0x120 [cifs] cifs_demultiplex_thread+0x7e9/0x2d50 [cifs] kthread+0x396/0x830 ret_from_fork+0x2b8/0x3b0 ret_from_fork_asm+0x1a/0x30 The problem is that the smbd_response slab's packet field isn't marked as being permitted for usercopy. Fix this by passing parameters to kmem_slab_create() to indicate that copy_to_iter() is permitted from the packet region of the smbd_response slab objects, less the header space. | 2025-08-16 | not yet calculated | CVE-2025-38523 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recv-recv race of completed call If a call receives an event (such as incoming data), the call gets placed on the socket's queue and a thread in recvmsg can be awakened to go and process it. Once the thread has picked up the call off of the queue, further events will cause it to be requeued, and once the socket lock is dropped (recvmsg uses call->user_mutex to allow the socket to be used in parallel), a second thread can come in and its recvmsg can pop the call off the socket queue again. In such a case, the first thread will be receiving stuff from the call and the second thread will be blocked on call->user_mutex. The first thread can, at this point, process both the event that it picked call for and the event that the second thread picked the call for and may see the call terminate - in which case the call will be "released", decoupling the call from the user call ID assigned to it (RXRPC_USER_CALL_ID in the control message). The first thread will return okay, but then the second thread will wake up holding the user_mutex and, if it sees that the call has been released by the first thread, it will BUG thusly: kernel BUG at net/rxrpc/recvmsg.c:474! Fix this by just dequeuing the call and ignoring it if it is seen to be already released. We can't tell userspace about it anyway as the user call ID has become stale. | 2025-08-16 | not yet calculated | CVE-2025-38524 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix irq-disabled in local_bh_enable() The rxrpc_assess_MTU_size() function calls down into the IP layer to find out the MTU size for a route. When accepting an incoming call, this is called from rxrpc_new_incoming_call() which holds interrupts disabled across the code that calls down to it. Unfortunately, the IP layer uses local_bh_enable() which, config dependent, throws a warning if IRQs are enabled: WARNING: CPU: 1 PID: 5544 at kernel/softirq.c:387 __local_bh_enable_ip+0x43/0xd0 ... RIP: 0010:__local_bh_enable_ip+0x43/0xd0 ... Call Trace: <TASK> rt_cache_route+0x7e/0xa0 rt_set_nexthop.isra.0+0x3b3/0x3f0 __mkroute_output+0x43a/0x460 ip_route_output_key_hash+0xf7/0x140 ip_route_output_flow+0x1b/0x90 rxrpc_assess_MTU_size.isra.0+0x2a0/0x590 rxrpc_new_incoming_peer+0x46/0x120 rxrpc_alloc_incoming_call+0x1b1/0x400 rxrpc_new_incoming_call+0x1da/0x5e0 rxrpc_input_packet+0x827/0x900 rxrpc_io_thread+0x403/0xb60 kthread+0x2f7/0x310 ret_from_fork+0x2a/0x230 ret_from_fork_asm+0x1a/0x30 ... hardirqs last enabled at (23): _raw_spin_unlock_irq+0x24/0x50 hardirqs last disabled at (24): _raw_read_lock_irq+0x17/0x70 softirqs last enabled at (0): copy_process+0xc61/0x2730 softirqs last disabled at (25): rt_add_uncached_list+0x3c/0x90 Fix this by moving the call to rxrpc_assess_MTU_size() out of rxrpc_init_peer() and further up the stack where it can be done without interrupts disabled. It shouldn't be a problem for rxrpc_new_incoming_call() to do it after the locks are dropped as pmtud is going to be performed by the I/O thread - and we're in the I/O thread at this point. | 2025-08-16 | not yet calculated | CVE-2025-38525 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: add NULL check in eswitch lag check The function ice_lag_is_switchdev_running() is being called from outside of the LAG event handler code. This results in the lag->upper_netdev being NULL sometimes. To avoid a NULL-pointer dereference, there needs to be a check before it is dereferenced. | 2025-08-16 | not yet calculated | CVE-2025-38526 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in cifs_oplock_break A race condition can occur in cifs_oplock_break() leading to a use-after-free of the cinode structure when unmounting: cifs_oplock_break() _cifsFileInfo_put(cfile) cifsFileInfo_put_final() cifs_sb_deactive() [last ref, start releasing sb] kill_sb() kill_anon_super() generic_shutdown_super() evict_inodes() dispose_list() evict() destroy_inode() call_rcu(&inode->i_rcu, i_callback) spin_lock(&cinode->open_file_lock) <- OK [later] i_callback() cifs_free_inode() kmem_cache_free(cinode) spin_unlock(&cinode->open_file_lock) <- UAF cifs_done_oplock_break(cinode) <- UAF The issue occurs when umount has already released its reference to the superblock. When _cifsFileInfo_put() calls cifs_sb_deactive(), this releases the last reference, triggering the immediate cleanup of all inodes under RCU. However, cifs_oplock_break() continues to access the cinode after this point, resulting in use-after-free. Fix this by holding an extra reference to the superblock during the entire oplock break operation. This ensures that the superblock and its inodes remain valid until the oplock break completes. | 2025-08-16 | not yet calculated | CVE-2025-38527 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Reject %p% format string in bprintf-like helpers static const char fmt[] = "%p%"; bpf_trace_printk(fmt, sizeof(fmt)); The above BPF program isn't rejected and causes a kernel warning at runtime: Please remove unsupported %\x00 in format string WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0 This happens because bpf_bprintf_prepare skips over the second %, detected as punctuation, while processing %p. This patch fixes it by not skipping over punctuation. %\x00 is then processed in the next iteration and rejected. | 2025-08-16 | not yet calculated | CVE-2025-38528 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: aio_iiro_16: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. | 2025-08-16 | not yet calculated | CVE-2025-38529 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: pcl812: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & board->irq_bits) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. | 2025-08-16 | not yet calculated | CVE-2025-38530 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: common: st_sensors: Fix use of uninitialize device structs Throughout the various probe functions &indio_dev->dev is used before it is initialized. This caused a kernel panic in st_sensors_power_enable() when the call to devm_regulator_bulk_get_enable() fails and then calls dev_err_probe() with the uninitialized device. This seems to only cause a panic with dev_err_probe(), dev_err(), dev_warn() and dev_info() don't seem to cause a panic, but are fixed as well. The issue is reported and traced here: [1] | 2025-08-16 | not yet calculated | CVE-2025-38531 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: libwx: properly reset Rx ring descriptor When device reset is triggered by feature changes such as toggling Rx VLAN offload, wx->do_reset() is called to reinitialize Rx rings. The hardware descriptor ring may retain stale values from previous sessions. And only set the length to 0 in rx_desc[0] would result in building malformed SKBs. Fix it to ensure a clean slate after device reset. [ 549.186435] [ C16] ------------[ cut here ]------------ [ 549.186457] [ C16] kernel BUG at net/core/skbuff.c:2814! [ 549.186468] [ C16] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 549.186472] [ C16] CPU: 16 UID: 0 PID: 0 Comm: swapper/16 Kdump: loaded Not tainted 6.16.0-rc4+ #23 PREEMPT(voluntary) [ 549.186476] [ C16] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 [ 549.186478] [ C16] RIP: 0010:__pskb_pull_tail+0x3ff/0x510 [ 549.186484] [ C16] Code: 06 f0 ff 4f 34 74 7b 4d 8b 8c 24 c8 00 00 00 45 8b 84 24 c0 00 00 00 e9 c8 fd ff ff 48 c7 44 24 08 00 00 00 00 e9 5e fe ff ff <0f> 0b 31 c0 e9 23 90 5b ff 41 f7 c6 ff 0f 00 00 75 bf 49 8b 06 a8 [ 549.186487] [ C16] RSP: 0018:ffffb391c0640d70 EFLAGS: 00010282 [ 549.186490] [ C16] RAX: 00000000fffffff2 RBX: ffff8fe7e4d40200 RCX: 00000000fffffff2 [ 549.186492] [ C16] RDX: ffff8fe7c3a4bf8e RSI: 0000000000000180 RDI: ffff8fe7c3a4bf40 [ 549.186494] [ C16] RBP: ffffb391c0640da8 R08: ffff8fe7c3a4c0c0 R09: 000000000000000e [ 549.186496] [ C16] R10: ffffb391c0640d88 R11: 000000000000000e R12: ffff8fe7e4d40200 [ 549.186497] [ C16] R13: 00000000fffffff2 R14: ffff8fe7fa01a000 R15: 00000000fffffff2 [ 549.186499] [ C16] FS: 0000000000000000(0000) GS:ffff8fef5ae40000(0000) knlGS:0000000000000000 [ 549.186502] [ C16] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 549.186503] [ C16] CR2: 00007f77d81d6000 CR3: 000000051a032000 CR4: 0000000000750ef0 [ 549.186505] [ C16] PKRU: 55555554 [ 549.186507] [ C16] Call Trace: [ 549.186510] [ C16] <IRQ> [ 549.186513] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186517] [ C16] __skb_pad+0xc7/0xf0 [ 549.186523] [ C16] wx_clean_rx_irq+0x355/0x3b0 [libwx] [ 549.186533] [ C16] wx_poll+0x92/0x120 [libwx] [ 549.186540] [ C16] __napi_poll+0x28/0x190 [ 549.186544] [ C16] net_rx_action+0x301/0x3f0 [ 549.186548] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186551] [ C16] ? __raw_spin_lock_irqsave+0x1e/0x50 [ 549.186554] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186557] [ C16] ? wake_up_nohz_cpu+0x35/0x160 [ 549.186559] [ C16] ? srso_alias_return_thunk+0x5/0xfbef5 [ 549.186563] [ C16] handle_softirqs+0xf9/0x2c0 [ 549.186568] [ C16] __irq_exit_rcu+0xc7/0x130 [ 549.186572] [ C16] common_interrupt+0xb8/0xd0 [ 549.186576] [ C16] </IRQ> [ 549.186577] [ C16] <TASK> [ 549.186579] [ C16] asm_common_interrupt+0x22/0x40 [ 549.186582] [ C16] RIP: 0010:cpuidle_enter_state+0xc2/0x420 [ 549.186585] [ C16] Code: 00 00 e8 11 0e 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 0d ed 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d [ 549.186587] [ C16] RSP: 0018:ffffb391c0277e78 EFLAGS: 00000246 [ 549.186590] [ C16] RAX: ffff8fef5ae40000 RBX: 0000000000000003 RCX: 0000000000000000 [ 549.186591] [ C16] RDX: 0000007fde0faac5 RSI: ffffffff826e53f6 RDI: ffffffff826fa9b3 [ 549.186593] [ C16] RBP: ffff8fe7c3a20800 R08: 0000000000000002 R09: 0000000000000000 [ 549.186595] [ C16] R10: 0000000000000000 R11: 000000000000ffff R12: ffffffff82ed7a40 [ 549.186596] [ C16] R13: 0000007fde0faac5 R14: 0000000000000003 R15: 0000000000000000 [ 549.186601] [ C16] ? cpuidle_enter_state+0xb3/0x420 [ 549.186605] [ C16] cpuidle_en ---truncated--- | 2025-08-16 | not yet calculated | CVE-2025-38532 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: libwx: fix the using of Rx buffer DMA The wx_rx_buffer structure contained two DMA address fields: 'dma' and 'page_dma'. However, only 'page_dma' was actually initialized and used to program the Rx descriptor. But 'dma' was uninitialized and used in some paths. This could lead to undefined behavior, including DMA errors or use-after-free, if the uninitialized 'dma' was used. Althrough such error has not yet occurred, it is worth fixing in the code. | 2025-08-16 | not yet calculated | CVE-2025-38533 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfs: Fix copy-to-cache so that it performs collection with ceph+fscache The netfs copy-to-cache that is used by Ceph with local caching sets up a new request to write data just read to the cache. The request is started and then left to look after itself whilst the app continues. The request gets notified by the backing fs upon completion of the async DIO write, but then tries to wake up the app because NETFS_RREQ_OFFLOAD_COLLECTION isn't set - but the app isn't waiting there, and so the request just hangs. Fix this by setting NETFS_RREQ_OFFLOAD_COLLECTION which causes the notification from the backing filesystem to put the collection onto a work queue instead. | 2025-08-16 | not yet calculated | CVE-2025-38534 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode When transitioning from USB_ROLE_DEVICE to USB_ROLE_NONE, the code assumed that the regulator should be disabled. However, if the regulator is marked as always-on, regulator_is_enabled() continues to return true, leading to an incorrect attempt to disable a regulator which is not enabled. This can result in warnings such as: [ 250.155624] WARNING: CPU: 1 PID: 7326 at drivers/regulator/core.c:3004 _regulator_disable+0xe4/0x1a0 [ 250.155652] unbalanced disables for VIN_SYS_5V0 To fix this, we move the regulator control logic into tegra186_xusb_padctl_id_override() function since it's directly related to the ID override state. The regulator is now only disabled when the role transitions from USB_ROLE_HOST to USB_ROLE_NONE, by checking the VBUS_ID register. This ensures that regulator enable/disable operations are properly balanced and only occur when actually transitioning to/from host mode. | 2025-08-16 | not yet calculated | CVE-2025-38535 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: airoha: fix potential use-after-free in airoha_npu_get() np->name was being used after calling of_node_put(np), which releases the node and can lead to a use-after-free bug. Previously, of_node_put(np) was called unconditionally after of_find_device_by_node(np), which could result in a use-after-free if pdev is NULL. This patch moves of_node_put(np) after the error check to ensure the node is only released after both the error and success cases are handled appropriately, preventing potential resource issues. | 2025-08-16 | not yet calculated | CVE-2025-38536 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: phy: Don't register LEDs for genphy If a PHY has no driver, the genphy driver is probed/removed directly in phy_attach/detach. If the PHY's ofnode has an "leds" subnode, then the LEDs will be (un)registered when probing/removing the genphy driver. This could occur if the leds are for a non-generic driver that isn't loaded for whatever reason. Synchronously removing the PHY device in phy_detach leads to the following deadlock: rtnl_lock() ndo_close() ... phy_detach() phy_remove() phy_leds_unregister() led_classdev_unregister() led_trigger_set() netdev_trigger_deactivate() unregister_netdevice_notifier() rtnl_lock() There is a corresponding deadlock on the open/register side of things (and that one is reported by lockdep), but it requires a race while this one is deterministic. Generic PHYs do not support LEDs anyway, so don't bother registering them. | 2025-08-16 | not yet calculated | CVE-2025-38537 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: nbpfaxi: Fix memory corruption in probe() The nbpf->chan[] array is allocated earlier in the nbpf_probe() function and it has "num_channels" elements. These three loops iterate one element farther than they should and corrupt memory. The changes to the second loop are more involved. In this case, we're copying data from the irqbuf[] array into the nbpf->chan[] array. If the data in irqbuf[i] is the error IRQ then we skip it, so the iterators are not in sync. I added a check to ensure that we don't go beyond the end of the irqbuf[] array. I'm pretty sure this can't happen, but it seemed harmless to add a check. On the other hand, after the loop has ended there is a check to ensure that the "chan" iterator is where we expect it to be. In the original code we went one element beyond the end of the array so the iterator wasn't in the correct place and it would always return -EINVAL. However, now it will always be in the correct place. I deleted the check since we know the result. | 2025-08-16 | not yet calculated | CVE-2025-38538 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Add down_write(trace_event_sem) when adding trace event When a module is loaded, it adds trace events defined by the module. It may also need to modify the modules trace printk formats to replace enum names with their values. If two modules are loaded at the same time, the adding of the event to the ftrace_events list can corrupt the walking of the list in the code that is modifying the printk format strings and crash the kernel. The addition of the event should take the trace_event_sem for write while it adds the new event. Also add a lockdep_assert_held() on that semaphore in __trace_add_event_dirs() as it iterates the list. | 2025-08-16 | not yet calculated | CVE-2025-38539 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras The Chicony Electronics HP 5MP Cameras (USB ID 04F2:B824 & 04F2:B82C) report a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime PM tries to wake up an unresponsive sensor. Add these 2 devices to the HID ignore list since the sensor interface is non-functional by design and should not be exposed to userspace. | 2025-08-16 | not yet calculated | CVE-2025-38540 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() devm_kasprintf() returns NULL on error. Currently, mt7925_thermal_init() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. | 2025-08-16 | not yet calculated | CVE-2025-38541 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix device refcount leak in atrtr_create() When updating an existing route entry in atrtr_create(), the old device reference was not being released before assigning the new device, leading to a device refcount leak. Fix this by calling dev_put() to release the old device reference before holding the new one. | 2025-08-16 | not yet calculated | CVE-2025-38542 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/tegra: nvdec: Fix dma_alloc_coherent error check Check for NULL return value with dma_alloc_coherent, in line with Robin's fix for vic.c in 'drm/tegra: vic: Fix DMA API misuse'. | 2025-08-16 | not yet calculated | CVE-2025-38543 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix bug due to prealloc collision When userspace is using AF_RXRPC to provide a server, it has to preallocate incoming calls and assign to them call IDs that will be used to thread related recvmsg() and sendmsg() together. The preallocated call IDs will automatically be attached to calls as they come in until the pool is empty. To the kernel, the call IDs are just arbitrary numbers, but userspace can use the call ID to hold a pointer to prepared structs. In any case, the user isn't permitted to create two calls with the same call ID (call IDs become available again when the call ends) and EBADSLT should result from sendmsg() if an attempt is made to preallocate a call with an in-use call ID. However, the cleanup in the error handling will trigger both assertions in rxrpc_cleanup_call() because the call isn't marked complete and isn't marked as having been released. Fix this by setting the call state in rxrpc_service_prealloc_one() and then marking it as being released before calling the cleanup function. | 2025-08-16 | not yet calculated | CVE-2025-38544 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info While transitioning from netdev_alloc_ip_align() to build_skb(), memory for the "skb_shared_info" member of an "skb" was not allocated. Fix this by allocating "PAGE_SIZE" as the skb length, accounting for the packet length, headroom and tailroom, thereby including the required memory space for skb_shared_info. | 2025-08-16 | not yet calculated | CVE-2025-38545 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix memory leak of struct clip_vcc. ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to vcc->user_back. The code assumes that vcc_destroy_socket() passes NULL skb to vcc->push() when the socket is close()d, and then clip_push() frees clip_vcc. However, ioctl(ATMARPD_CTRL) sets NULL to vcc->push() in atm_init_atmarp(), resulting in memory leak. Let's serialise two ioctl() by lock_sock() and check vcc->push() in atm_init_atmarp() to prevent memleak. | 2025-08-16 | not yet calculated | CVE-2025-38546 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps The AXP717 ADC channel maps is missing a sentinel entry at the end. This causes a KASAN warning. Add the missing sentinel entry. | 2025-08-16 | not yet calculated | CVE-2025-38547 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (corsair-cpro) Validate the size of the received input buffer Add buffer_recv_size to store the size of the received bytes. Validate buffer_recv_size in send_usb_cmd(). | 2025-08-16 | not yet calculated | CVE-2025-38548 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths When processing mount options, efivarfs allocates efivarfs_fs_info (sfi) early in fs_context initialization. However, sfi is associated with the superblock and typically freed when the superblock is destroyed. If the fs_context is released (final put) before fill_super is called-such as on error paths or during reconfiguration-the sfi structure would leak, as ownership never transfers to the superblock. Implement the .free callback in efivarfs_context_ops to ensure any allocated sfi is properly freed if the fs_context is torn down before fill_super, preventing this memory leak. | 2025-08-16 | not yet calculated | CVE-2025-38549 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->idev in mld_del_delrec() pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec() does, the reference should be put after ip6_mc_clear_src() return. | 2025-08-16 | not yet calculated | CVE-2025-38550 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix recursived rtnl_lock() during probe() The deadlock appears in a stack trace like: virtnet_probe() rtnl_lock() virtio_config_changed_work() netdev_notify_peers() rtnl_lock() It happens if the VMM sends a VIRTIO_NET_S_ANNOUNCE request while the virtio-net driver is still probing. The config_work in probe() will get scheduled until virtnet_open() enables the config change notification via virtio_config_driver_enable(). | 2025-08-16 | not yet calculated | CVE-2025-38551 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: plug races between subflow fail and subflow creation We have races similar to the one addressed by the previous patch between subflow failing and additional subflow creation. They are just harder to trigger. The solution is similar. Use a separate flag to track the condition 'socket state prevent any additional subflow creation' protected by the fallback lock. The socket fallback makes such flag true, and also receiving or sending an MP_FAIL option. The field 'allow_infinite_fallback' is now always touched under the relevant lock, we can drop the ONCE annotation on write. | 2025-08-16 | not yet calculated | CVE-2025-38552 |
| makeplane--plane | Server side request forgery (SSRF) vulnerability in makeplane plane 0.23.1 via the password recovery. | 2025-08-13 | not yet calculated | CVE-2025-50251 |
| Malwarebytes--Malwarebytes | An issue was discovered in Malwarebytes 4.6.14.326 and before 5.1.5.116 (and Nebula 2020-10-21 and later). A Stack buffer out-of-bounds access exists because of an integer underflow when handling newline characters. | 2025-08-14 | not yet calculated | CVE-2023-43683 |
| Malwarebytes--Malwarebytes | An issue was discovered in Malwarebytes before 4.6.14.326 and before 5.1.5.116 (and Nebula 2020-10-21 and later). There is a Race condition that leads to code execution because of a lack of locks between file verification and execution. | 2025-08-14 | not yet calculated | CVE-2023-43687 |
| Malwarebytes--Malwarebytes | An issue was discovered in Malwarebytes before 4.6.14.326 and before 5.1.5.116 (and Nebula 2020-10-21 and later). Out-of-bound reads in strings detection utilities lead to system crashes. | 2025-08-14 | not yet calculated | CVE-2023-43692 |
| Malwarebytes--Malwarebytes | An issue was discovered in Malwarebytes 4.6.14.326 and before and 5.1.5.116 and before (and Nebula 2020-10-21 and later). An Out of bounds read in several disassembling utilities causes stability issues and denial of service. | 2025-08-14 | not yet calculated | CVE-2023-43694 |
| myBB Group--Forum Software | myBB version 1.6.4 was distributed with an unauthorized backdoor embedded in the source code. The backdoor allowed remote attackers to execute arbitrary PHP code by injecting payloads into a specially crafted collapsed cookie. This vulnerability was introduced during packaging and was not part of the intended application logic. Exploitation requires no authentication and results in full compromise of the web server under the context of the web application. | 2025-08-13 | not yet calculated | CVE-2011-10018 |
| N-able--N-central | Deserialization of Untrusted Data vulnerability in N-able N-central allows Local Execution of Code.This issue affects N-central: before 2025.3.1. | 2025-08-14 | not yet calculated | CVE-2025-8875 |
| N-able--N-central | Improper Input Validation vulnerability in N-able N-central allows OS Command Injection.This issue affects N-central: before 2025.3.1. | 2025-08-14 | not yet calculated | CVE-2025-8876 |
| n/a--Empirebak 2010 | An issue was discovered in phome Empirebak 2010 in ebak2008/upload/class/config.php allowing attackers to execute arbitrary code when the config file was loaded. | 2025-08-14 | not yet calculated | CVE-2025-50515 |
| n/a--EyouCMS | EyouCMS 1.7.3 is vulnerable to Cross Site Scripting (XSS) in index.php, which can be exploited to obtain sensitive information. | 2025-08-14 | not yet calculated | CVE-2025-52335 |
| n/a--hortusfox-web | A cross-site scripting (XSS) vulnerability in the /tasks endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the title parameter. | 2025-08-13 | not yet calculated | CVE-2025-45313 |
| n/a--hortusfox-web | A cross-site scripting (XSS) vulnerability in the /Calendar endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the add function. | 2025-08-13 | not yet calculated | CVE-2025-45314 |
| n/a--hortusfox-web | A cross-site scripting (XSS) vulnerability in the /controller/admin.php endpoint of hortusfox-web v4.4 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the email parameter. | 2025-08-13 | not yet calculated | CVE-2025-45315 |
| n/a--hortusfox-web | A cross-site scripting (XSS) vulnerability in the TextBlockModule.php component of hortusfox-web v4.4 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name parameter. | 2025-08-13 | not yet calculated | CVE-2025-45316 |
| n/a--hortusfox-web | A zip slip vulnerability in the /modules/ImportModule.php component of hortusfox-web v4.4 allows attackers to execute arbitrary code via a crafted archive. | 2025-08-13 | not yet calculated | CVE-2025-45317 |
| n/a--libcoap | A use-after-free vulnerability exists in the coap_delete_pdu_lkd function within coap_pdu.c of the libcoap library. This issue occurs due to improper handling of memory after the freeing of a PDU object, leading to potential memory corruption or the possibility of executing arbitrary code. | 2025-08-14 | not yet calculated | CVE-2025-50518 |
| n/a--libcsp | libcsp 2.0 is vulnerable to Buffer Overflow in the csp_eth_init() function due to improper handling of the ifname parameter. The function uses strcpy to copy the interface name into a structure member (ctx->name) without validating the input length. | 2025-08-11 | not yet calculated | CVE-2025-51823 |
| n/a--libcsp | libcsp 2.0 is vulnerable to Buffer Overflow in the csp_usart_open() function at drivers/usart/zephyr.c. | 2025-08-11 | not yet calculated | CVE-2025-51824 |
| n/a--Lotus Cars Android app | The Lotus Cars Android app (com.lotus.carsdomestic.intl) 1.2.8 contains an exported component, PushDeepLinkActivity, which is accessible without authentication via ADB or malicious apps. This poses a risk of unintended access to application internals and can cause denial of service or logic abuse. | 2025-08-14 | not yet calculated | CVE-2025-50861 |
| n/a--Lotus Cars Android app | The Lotus Cars Android app (com.lotus.carsdomestic.intl) 1.2.8 has allowBackup=true set in its manifest, allowing data exfiltration via ADB backup on rooted or debug-enabled devices. This presents a risk of user data exposure. | 2025-08-14 | not yet calculated | CVE-2025-50862 |
| n/a--MarkTwo Markdown Editor | Cross-Site Scripting (XSS) vulnerability found in MarkTwo commit e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298 (May 2025) allows a remote attacker to execute arbitrary code via a crafted script input to the editor interface. The application does not properly sanitize user-supplied Markdown before rendering it. Successful exploitation could lead to session hijacking, credential theft, or arbitrary client-side code execution in the context of the victim's browser. | 2025-08-13 | not yet calculated | CVE-2025-51691 |
| n/a--OURPHP | OURPHP thru 8.6.1 is vulnerable to Cross-Site Scripting (XSS) via the "Name" field of the "Complete Profile" functionality under the "My User Center" page, which can be accessed after registering through the front-end interface. | 2025-08-14 | not yet calculated | CVE-2025-51965 |
| n/a--Python-Future | A vulnerability in the Python-Future 1.0.0 module allows for arbitrary code execution via the unintended import of a file named test.py. When the module is loaded, it automatically imports test.py, if present in the same directory or in the sys.path. This behavior can be exploited by an attacker who has the ability to write files to the server, allowing the execution of arbitrary code. | 2025-08-14 | not yet calculated | CVE-2025-50817 |
| Netis--WF2880 | A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_00471994 function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of wl_base_set in the payload, which can cause the program to crash and potentially lead to a Denial of Service (DoS) attack. | 2025-08-13 | not yet calculated | CVE-2025-50608 |
| Netis--WF2880 | A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the Function_00465620 of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of specify_parame in the payload, which can cause the program to crash and potentially lead to a Denial of Service (DoS) attack. | 2025-08-13 | not yet calculated | CVE-2025-50609 |
| Netis--WF2880 | A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_00476598 function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of wl_base_set_5g in the payload, which can cause the program to crash and potentially lead to a Denial of Service (DoS) attack. | 2025-08-13 | not yet calculated | CVE-2025-50610 |
| Netis--WF2880 | A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_00473154 function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of wl_sec_set_5g and wl_sec_rp_set_5g in the payload, which can cause the program to crash and potentially lead to a Denial of Service (DoS) attack. | 2025-08-13 | not yet calculated | CVE-2025-50611 |
| Netis--WF2880 | A buffer overflow vulnerability has been discovered in the Netis WF2880 v2.1.40207 in the FUN_004743f8 function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of wl_sec_set in the payload, which may cause the program to crash and potentially lead to a Denial of Service (DoS) attack. | 2025-08-13 | not yet calculated | CVE-2025-50612 |
| Netis--WF2880 | A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_00475e1c function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of wds_key_wep in the payload, which can cause the program to crash and potentially lead to a Denial of Service (DoS) attack. | 2025-08-13 | not yet calculated | CVE-2025-50613 |
| Netis--WF2880 | A buffer overflow vulnerability has been discovered in the Netis WF2880 v2.1.40207 in the FUN_0047151c function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of wds_set in the payload, which can cause the program to crash and potentially lead to a Denial of Service (DoS) attack. | 2025-08-13 | not yet calculated | CVE-2025-50614 |
| Netis--WF2880 | A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_00470c50 function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of wl_mac_filter_set in the payload, which can cause the program to crash and lead to a Denial of Service (DoS) attack. | 2025-08-13 | not yet calculated | CVE-2025-50615 |
| Netis--WF2880 | A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_0046f984 function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of wl_advanced_set in the payload, which can cause the program to crash and lead to a Denial of Service (DoS) attack. | 2025-08-13 | not yet calculated | CVE-2025-50616 |
| Netis--WF2880 | A buffer overflow vulnerability has been discovered in Netis WF2880 v2.1.40207 in the FUN_0046ed68 function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the value of wps_set in the payload, which can cause the program to crash and potentially lead to a Denial of Service (DoS) attack. | 2025-08-13 | not yet calculated | CVE-2025-50617 |
| Netis--WF2880 | A null pointer dereference vulnerability was discovered in Netis WF2780 v2.2.35445. The vulnerability exists in the FUN_0048a728 function of the cgitest.cgi file. Attackers can trigger this vulnerability by controlling the CONTENT_LENGTH variable, causing the program to crash and potentially leading to a denial-of-service (DoS) attack. | 2025-08-13 | not yet calculated | CVE-2025-50635 |
| NetOp--Remote Control Client | NetOp (now part of Impero Software) Remote Control Client v9.5 is vulnerable to a stack-based buffer overflow when processing .dws configuration files. If a .dws file contains a string longer than 520 bytes, the application fails to perform proper bounds checking, allowing an attacker to execute arbitrary code when the file is opened. | 2025-08-13 | not yet calculated | CVE-2011-10012 |
| Netskope--Netskope Client | Netskope has identified a potential gap in its agent (Netskope Client) in which a malicious insider can potentially tamper the Netskope Client configuration by performing MITM (Man-in-the-Middle) activity on the Netskope Client communication channel. A successful exploitation would require administrative privileges on the machine, and could result in temporarily altering the configuration of Netskope Client or permanently disabling or removing the agent from the machine. | 2025-08-14 | not yet calculated | CVE-2024-7402 |
| Netskope--Netskope Client | An insufficient validation on the server connection endpoint in Netskope Client allows local users to elevate privileges on the system. The insufficient validation allows Netskope Client to connect to any other server with Public Signed CA TLS certificates and send specially crafted responses to elevate privileges. | 2025-08-14 | not yet calculated | CVE-2025-0309 |
| Netskope--Netskope Client | Netskope is notified about a potential gap in its agent (NS Client) in which a malicious actor could trigger a memory leak by sending a crafted DNS packet to a machine. A successful exploitation may require administrative privileges on the machine, based on the exact configuration. A successful exploit can potentially result in user-controllable memory being leaked in a domain name stored on the local machine. | 2025-08-14 | not yet calculated | CVE-2025-5941 |
| Netskope--Netskope Client | Netskope was notified about a potential gap in its agent (NS Client) on Windows systems. If this gap is successfully exploited, an unprivileged user can trigger a heap overflow in the epdlpdrv.sys driver, leading to a Blue-Screen-of-Death (BSOD). Successful exploitation can also potentially be performed by an unprivileged user whose NS Client is configured to use Endpoint DLP. A successful exploit can result in a denial-of-service for the local machine. | 2025-08-14 | not yet calculated | CVE-2025-5942 |
| netty--netty | Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final. | 2025-08-13 | not yet calculated | CVE-2025-55163 |
| NixOS--hydra | Hydra is a continuous integration service for Nix based projects. Prior to commit dea1e16, a malicious package can introduce arbitrary JavaScript code into the Hydra database that is automatically evaluated in a client's browser when anyone visits the build page. This could be done by a third-party project as part of its build process. This also happens in other places like with hydra-release-name. This issue has been patched by commit dea1e16. A workaround involves either not building untrusted packages or not visiting the builds page. | 2025-08-12 | not yet calculated | CVE-2025-54800 |
| NixOS--hydra | Hydra is a continuous integration service for Nix based projects. Prior to commit f7bda02, /api/push-github and /api/push-gitea are called by the corresponding forge without HTTP Basic authentication. Both forges do however feature HMAC signing with a secret key. Triggering an evaluation can be very taxing on the infrastructure when large evaluations are done, introducing potential denial of service attacks on the host running the evaluator. This issue has been patched by commit f7bda02. A workaround involves blocking /api/push-github and /api/push-gitea via a reverse proxy. | 2025-08-12 | not yet calculated | CVE-2025-54864 |
| OliveTin--OliveTin | OS Command Injection in Olivetin 2025.4.22 Custom Themes via the ParseRequestURI function in service/internal/executor/arguments.go. | 2025-08-13 | not yet calculated | CVE-2025-50946 |
| Openfiler--Openfiler | Openfiler v2.x contains a command injection vulnerability in the system.html page. The device parameter is used to instantiate a NetworkCard object, whose constructor in network.inc calls exec() with unsanitized input. An authenticated attacker can exploit this to execute arbitrary commands as the openfiler user. Due to misconfigured sudoers, the openfiler user can escalate privileges to root via sudo /bin/bash without a password. | 2025-08-11 | not yet calculated | CVE-2012-10040 |
| OPPO--OPPO HEALTH APP | Loading arbitrary external URLs through WebView components introduces malicious JS code that can steal arbitrary user tokens. | 2025-08-14 | not yet calculated | CVE-2025-27388 |
| OSGeo--spatialreference.org | A Cross-Site Scripting (XSS) vulnerability exists in SpatialReference.org (OSGeo/spatialreference.org) versions prior to 2025-05-17 (commit 2120adfa17ddd535bd0f539e6c4988fa3a2cb491). The vulnerability is caused by improper handling of user input in the search query parameter. An attacker can craft a specially formed URL with malicious JavaScript code, which is then reflected back and executed in the victim's browser. This flaw allows an attacker to execute arbitrary JavaScript in the context of the victim's session, potentially leading to session hijacking, phishing attacks, data theft, or redirection to malicious sites. The issue is exposed on publicly accessible pages, making it exploitable by an unauthenticated attacker. | 2025-08-13 | not yet calculated | CVE-2025-50690 |
| Palo Alto Networks--Checkov by Prisma Cloud | An unsafe deserialization vulnerability in Palo Alto Networks Checkov by Prisma® Cloud allows an authenticated user to execute arbitrary code as a non administrative user by scanning a malicious terraform file when using Checkov in Prisma® Cloud. This issue impacts Checkov 3.0 versions earlier than Checkov 3.2.415. | 2025-08-13 | not yet calculated | CVE-2025-2180 |
| Palo Alto Networks--Checkov by Prisma Cloud | A sensitive information disclosure vulnerability in Palo Alto Networks Checkov by Prisma® Cloud can result in the cleartext exposure of Prisma Cloud access keys in Checkov's output. | 2025-08-13 | not yet calculated | CVE-2025-2181 |
| Palo Alto Networks--Cloud NGFW | A problem with the implementation of the MACsec protocol in Palo Alto Networks PAN-OS® results in the cleartext exposure of the connectivity association key (CAK). This issue is only applicable to PA-7500 Series devices which are in an NGFW cluster. A user who possesses this key can read messages being sent between devices in a NGFW Cluster. There is no impact in non-clustered firewalls or clusters of firewalls that do not enable MACsec. | 2025-08-13 | not yet calculated | CVE-2025-2182 |
| Palo Alto Networks--Cortex XDR Broker VM | A credential management flaw in Palo Alto Networks Cortex XDR® Broker VM causes different Broker VM images to share identical default credentials for internal services. Users knowing these default credentials could access internal services on other Broker VM installations. The attacker must have network access to the Broker VM to exploit this issue. | 2025-08-13 | not yet calculated | CVE-2025-2184 |
| Palo Alto Networks--GlobalProtect App | An insufficient certificate validation issue in the Palo Alto Networks GlobalProtectâ„¢ app enables attackers to connect the GlobalProtect app to arbitrary servers. This can enable a local non-administrative operating system user or an attacker on the same subnet to install malicious root certificates on the endpoint and subsequently install malicious software signed by the malicious root certificates on that endpoint. | 2025-08-13 | not yet calculated | CVE-2025-2183 |
| phoca.cz--phoca.cz - Phoca Commander for Joomla | An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. The issue allows code execution via the unzip feature. | 2025-08-15 | not yet calculated | CVE-2025-54473 |
| PHP Volunteer Management--PHP Volunteer Management | PHP Volunteer Management System v1.0.2 contains an arbitrary file upload vulnerability in its document upload functionality. Authenticated users can upload files to the mods/documents/uploads/ directory without any restriction on file type or extension. Because this directory is publicly accessible and lacks execution controls, attackers can upload a malicious PHP payload and execute it remotely. The application ships with default credentials, making exploitation trivial. Once authenticated, the attacker can upload a PHP shell and trigger it via a direct GET request. | 2025-08-13 | not yet calculated | CVE-2012-10056 |
| PhpTax--PhpTax | PhpTax version 0.8 contains a remote code execution vulnerability in drawimage.php. The pfilez GET parameter is unsafely passed to the exec() function without sanitization. A remote attacker can inject arbitrary shell commands, leading to code execution under the web server's context. No authentication is required. | 2025-08-11 | not yet calculated | CVE-2012-10037 |
| py-pdf--pypdf | pypdf is a free and open-source pure-python PDF library. Prior to version 6.0.0, an attacker can craft a PDF which leads to the RAM being exhausted. This requires just reading the file if a series of FlateDecode filters is used on a malicious cross-reference stream. Other content streams are affected on explicit access. This issue has been fixed in 6.0.0. If an update is not possible, a workaround involves including the fixed code from pypdf.filters.decompress into the existing filters file. | 2025-08-13 | not yet calculated | CVE-2025-55197 |
| pyload--pyload | pyLoad is the free and open-source Download Manager written in pure Python. Prior to version 0.5.0b3.dev91, the parameter add_links in API /json/add_package is vulnerable to SQL Injection. Attackers can modify or delete data in the database, causing data errors or loss. This issue has been patched in version 0.5.0b3.dev91. | 2025-08-11 | not yet calculated | CVE-2025-55156 |
| QuickShareHQ--QuickShare File Server | QuickShare File Server 1.2.1 contains a path traversal vulnerability in its FTP service due to improper sanitation of user-supplied file paths. Authenticated users can exploit this flaw by submitting crafted sequences to access or write files outside the intended virtual directory. When the "Writable" option is enabled (default during account creation), this allows attackers to upload arbitrary files to privileged locations such as system32, enabling remote code execution via MOF injection or executable placement. | 2025-08-13 | not yet calculated | CVE-2011-10010 |
| RabidHamster--R4 Embedded Server | RabidHamster R4 v1.25 contains a stack-based buffer overflow vulnerability due to unsafe use of sprintf() when logging malformed HTTP requests. A remote attacker can exploit this flaw by sending a specially crafted URI, resulting in arbitrary code execution under the context of the web server process. | 2025-08-13 | not yet calculated | CVE-2012-10058 |
| rails--rails | Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1. | 2025-08-13 | not yet calculated | CVE-2025-55193 |
| RealNetworks Inc.--Netzip Classic | Real Networks Netzip Classic version 7.5.1.86 is vulnerable to a stack-based buffer overflow when parsing a specially crafted ZIP archive. The vulnerability is triggered when the application attempts to process a file name within the archive that exceeds the expected buffer size. Exploitation allows arbitrary code execution under the context of the victim user when the ZIP file is opened. | 2025-08-13 | not yet calculated | CVE-2011-10016 |
| Rockwell Automation--1756-EN2T/D | A security issue exists due to the web-based debugger agent enabled on Rockwell Automation ControlLogix® Ethernet Modules. If a specific IP address is used to connect to the WDB agent, it can allow remote attackers to perform memory dumps, modify memory, and control execution flow. | 2025-08-14 | not yet calculated | CVE-2025-7353 |
| Rockwell Automation--5032-CFGB16M12P5DR | A security issue exists within the 5032 16pt Digital Configurable module's web server. The web server's session number increments at an interval that correlates to the last two consecutive sign in session interval, making it predictable. | 2025-08-14 | not yet calculated | CVE-2025-7773 |
| Rockwell Automation--5032-CFGB16M12P5DR | A security issue exists within the 5032 16pt Digital Configurable module's web server. Intercepted session credentials can be used within a 3-minute timeout window, allowing unauthorized users to perform privileged actions. | 2025-08-14 | not yet calculated | CVE-2025-7774 |
| Rockwell Automation--FactoryTalk Action Manager | A security issue in the runtime event system allows unauthenticated connections to receive a reusable API token. This token is broadcasted over a WebSocket and can be intercepted by any local client listening on the connection. | 2025-08-14 | not yet calculated | CVE-2025-9036 |
| Rockwell Automation--FactoryTalk Linx | A security issue exists within the FactoryTalk Linx Network Browser. By modifying the process.env.NODE_ENV to 'development', the attacker can disable FTSP token validation. This bypass allows access to create, update, and delete FTLinx drivers. | 2025-08-14 | not yet calculated | CVE-2025-7972 |
| Rockwell Automation--FactoryTalk ViewPoint | A security issue exists in FactoryTalk ViewPoint version 14.0 or below due to improper handling of MSI repair operations. During a repair, attackers can hijack the cscript.exe console window, which runs with SYSTEM privileges. This can be exploited to spawn an elevated command prompt, enabling full privilege escalation. | 2025-08-14 | not yet calculated | CVE-2025-7973 |
| Rockwell Automation--FLEX 5000 I/O | A security issue exists due to improper handling of CIP Class 32's request when a module is inhibited on the 5094-IF8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle. | 2025-08-14 | not yet calculated | CVE-2025-9041 |
| Rockwell Automation--FLEX 5000 I/O | A security issue exists due to improper handling of CIP Class 32's request when a module is inhibited on the 5094-IY8 device. It causes the module to enter a fault state with the Module LED flashing red. Upon un-inhibiting, the module returns a connection fault (Code 16#0010), and the module cannot recover without a power cycle. | 2025-08-14 | not yet calculated | CVE-2025-9042 |
| Rockwell Automation--Studio 5000 Logix Designer | A security issues exists within Studio 5000 Logix Designer due to unsafe handling of environment variables. If the specified path lacks a valid file, Logix Designer crashes; However, it may be possible to execute malicious code without triggering a crash. | 2025-08-14 | not yet calculated | CVE-2025-7971 |
| S40 CMS--S40 CMS | S40 CMS v0.4.2 contains a path traversal vulnerability in its index.php page handler. The p parameter is not properly sanitized, allowing attackers to traverse the file system and access arbitrary files outside the web root. This can be exploited remotely without authentication by appending traversal sequences and a null byte to bypass file extension checks. | 2025-08-13 | not yet calculated | CVE-2011-10009 |
| SA-MP Team--San Andreas Multiplayer | GTA San Andreas Multiplayer (SA-MP) server version 0.3.1.1 is vulnerable to a stack-based buffer overflow triggered by parsing a malformed server.cfg configuration file. The vulnerability allows local attackers to execute arbitrary code when the server binary (samp-server.exe) processes a crafted echo directive containing excessive input. The original 'sa-mp.com' site is defunct, but the community maintains mirrors and forks that may be vulnerable. | 2025-08-13 | not yet calculated | CVE-2011-10014 |
| Seagate--Toolkit | The service executable path in Seagate Toolkit on Versions prior to 2.34.0.33 on Windows allows an attacker with Admin privileges to exploit a vulnerability as classified under CWE-428: Unquoted Search Path or Element. An attacker with write permissions to the root could place a malicious Program.exe file, which would execute with SYSTEM privileges. | 2025-08-14 | not yet calculated | CVE-2025-9043 |
| ServiceNow--ServiceNow AI Platform | ServiceNow has addressed a Broken Access Control vulnerability that was identified in the ServiceNow AI Platform. This vulnerability could allow a low privileged user to bypass access controls and perform a limited set of actions typically reserved for higher privileged users, potentially leading to unauthorized data modifications. This issue is addressed in the listed patches and family releases, which have been made available to hosted and self-hosted customers, as well as partners. | 2025-08-12 | not yet calculated | CVE-2025-3089 |
| Shenzhen Tuoshi--NR500-EA | Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices enable the SSH service by default. There is a hidden hard-coded root account that cannot be disabled in the GUI. | 2025-08-13 | not yet calculated | CVE-2025-43982 |
| Shenzhen Tuoshi--NR500-EA | The /goform/formJsonAjaxReq POST endpoint of Shenzhen Tuoshi NR500-EA RG500UEAABxCOMSLICv3.4.2731.16.43 devices mishandles the set_timesetting action with the ntpserver0 parameter, which is used in a system command. By setting a username=admin cookie (bypassing normal session checks), an unauthenticated attacker can use that parameter to execute arbitrary OS commands. | 2025-08-13 | not yet calculated | CVE-2025-43989 |
| SILA Embedded Solutions GmbH--freemodbus | An issue was discovered in the demo/LINUXTCP implementation of cwalter-at freemodbus v.2018-09-12 allowing attackers to reach an infinite loop via a crafted length value for a packet. | 2025-08-14 | not yet calculated | CVE-2025-51986 |
| Soosyze--Soosyze CMS | Soosyze CMS 2.0 allows brute-force login attacks via the /user/login endpoint due to missing rate-limiting and lockout mechanisms. An attacker can repeatedly submit login attempts without restrictions, potentially gaining unauthorized administrative access. This vulnerability corresponds to CWE-307: Improper Restriction of Excessive Authentication Attempts. | 2025-08-13 | not yet calculated | CVE-2025-52392 |
| Spreecommerce--Spreecommerce | Spreecommerce versions prior to 0.60.2 contains a remote command execution vulnerability in its search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby's send method. This allows attackers to execute arbitrary shell commands on the server without authentication. | 2025-08-13 | not yet calculated | CVE-2011-10019 |
| Studio 3T--Studio 3T | An issue in Studio 3T v.2025.1.0 and before allows a remote attacker to execute arbitrary code via a crafted payload to the child_process module | 2025-08-13 | not yet calculated | CVE-2025-52385 |
| SUSE Linux--Enterprise Module for Development Tools | A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them-using malformed frames or flow control errors-an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released. | 2025-08-13 | not yet calculated | CVE-2025-8671 |
| Symmetrix Technologies--Snort Report | Snort Report versions < 1.3.2 contains a remote command execution vulnerability in the nmap.php and nbtscan.php scripts. These scripts fail to properly sanitize user input passed via the target GET parameter, allowing attackers to inject arbitrary shell commands. Exploitation requires no authentication and can result in full compromise of the underlying system. | 2025-08-13 | not yet calculated | CVE-2011-10017 |
| Synergetic Data Systems Inc.--UnForm Server Manager | UnForm Server Manager versions prior to 10.1.12 expose an unauthenticated file read vulnerability via its log file analysis interface. The flaw resides in the arc endpoint, which accepts a fl parameter to specify the log file to be opened. Due to insufficient input validation and lack of path sanitization, attackers can supply relative paths to access arbitrary files on the host system - including sensitive OS-level files - without authentication. | 2025-08-13 | not yet calculated | CVE-2025-34154 |
| Sysax Software--Multi Server | Sysax Multi Server versions prior to 5.55 contains a stack-based buffer overflow in its SSH service. When a remote attacker supplies an overly long username during authentication, the server copies the input to a fixed-size stack buffer without proper bounds checking. This allows remote code execution under the context of the service. | 2025-08-13 | not yet calculated | CVE-2012-10060 |
| telstra--open-kilda | OpenKilda is an open-source OpenFlow controller. Prior to version 1.164.0, an XML external entity (XXE) injection vulnerability was found in OpenKilda which in combination with GHSL-2025-024 allows unauthenticated attackers to exfiltrate information from the instance where the OpenKilda UI is running. This issue may lead to Information disclosure. This issue has been patched in version 1.164.0. | 2025-08-11 | not yet calculated | CVE-2025-54992 |
| tokio-rs--slab | slab is a pre-allocated storage for a uniform data type. In version 0.4.10, the get_disjoint_mut method incorrectly checked if indices were within the slab's capacity instead of its length, allowing access to uninitialized memory. This could lead to undefined behavior or potential crashes. This has been fixed in slab 0.4.11. A workaround for this issue involves to avoid using get_disjoint_mut with indices that might be beyond the slab's actual length. | 2025-08-11 | not yet calculated | CVE-2025-55159 |
| TOTOLINK--A7000R | In TOTOLINK A7000R firmware 9.1.0u.6115_B20201022, an attacker can bypass login by sending a specific request through formLoginAuth.htm. | 2025-08-13 | not yet calculated | CVE-2025-51452 |
| TOTOLINK--EX1200T | In TOTOLINK EX1200T firmware 4.1.2cu.5215, an attacker can bypass login by sending a specific request through formLoginAuth.htm. | 2025-08-13 | not yet calculated | CVE-2025-51451 |
| Traq Project--Issue Tracking System | Traq versions 2.0 through 2.3 contain a remote code execution vulnerability in the admincp/common.php script. The flawed authorization logic fails to halt execution after a failed access check, allowing unauthenticated users to reach admin-only functionality. This can be exploited via plugins.php to inject and execute arbitrary PHP code. | 2025-08-13 | not yet calculated | CVE-2011-10013 |
| Umbraco--CMS | Umbraco CMS versions prior to 4.7.1 are vulnerable to unauthenticated remote code execution via the codeEditorSave.asmx SOAP endpoint, which exposes a SaveDLRScript operation that permits arbitrary file uploads without authentication. By exploiting a path traversal flaw in the fileName parameter, attackers can write malicious ASPX scripts directly into the web-accessible /umbraco/ directory and execute them remotely. | 2025-08-13 | not yet calculated | CVE-2012-10054 |
| Unknown--CBX Restaurant Booking | The CBX Restaurant Booking WordPress plugin through 1.2.1 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | 2025-08-11 | not yet calculated | CVE-2025-7965 |
| Unknown--disable-right-click-powered-by-pixterme | The disable-right-click-powered-by-pixterme through v1.2 and pixter-image-digital-license thtough v1.0 WordPress plugins load a JavaScript file which has been compromised from an apparent abandoned S3 bucket. It can be used as a backdoor by those who control it, but it currently displays an alert marketing security services. Users that pay are added to allowedDomains to suppress the popup. | 2025-08-14 | not yet calculated | CVE-2025-8047 |
| Unknown--Ebook Store | The Ebook Store WordPress plugin before 5.8015 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers. | 2025-08-16 | not yet calculated | CVE-2025-8113 |
| Unknown--Injection Guard | The Injection Guard WordPress plugin before 1.2.8 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers | 2025-08-14 | not yet calculated | CVE-2025-8046 |
| Unknown--LatePoint | The LatePoint WordPress plugin before 5.1.94 is vulnerable to Local File Inclusion via the layout parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files. | 2025-08-13 | not yet calculated | CVE-2025-6715 |
| Unknown--PPWP Password Protect Pages | The PPWP - Password Protect Pages WordPress plugin before version 1.9.11 allows to put the site content behind a password authorization, however users with subscriber or greater roles can view content via the REST API. | 2025-08-14 | not yet calculated | CVE-2025-5998 |
| Unknown--Quiz and Survey Master (QSM) | The Quiz and Survey Master (QSM) WordPress plugin before 10.2.3 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack. | 2025-08-14 | not yet calculated | CVE-2025-6790 |
| Unknown--Structured Content (JSON-LD) #wpsc | The Structured Content (JSON-LD) #wpsc WordPress plugin before 1.7.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2025-08-14 | not yet calculated | CVE-2025-3414 |
| Unknown--WP Shopify | The WP Shopify WordPress plugin before 1.5.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | 2025-08-14 | not yet calculated | CVE-2025-7808 |
| vancluever--z2d | z2d is a pure Zig 2D graphics library. z2d v0.7.0 released with a new multi-sample anti-aliasing (MSAA) method, which uses a new buffering mechanism for storing coverage data. This differs from the standard alpha mask surface used for the previous super-sample anti-aliasing (SSAA) method. Under certain circumstances where the path being drawn existed in whole or partly outside of the rendering surface, incorrect bounding could cause out-of-bounds access within the coverage buffer. This affects the higher-level drawing operations, such as Context.fill, Context.stroke, painter.fill, and painter.stroke, when either the .default or .multisample_4x anti-aliasing modes were used. .supersample_4x was not affected, nor was drawing without anti-aliasing. In non-safe optimization modes (consumers compiling with ReleaseFast or ReleaseSmall), this could potentially lead to invalid memory accesses or corruption. z2d v0.7.1 fixes this issue, and it's recommended to upgrade to v0.7.1, or, given the small period of time v0.7.0 has been released, use v0.7.1 immediately, skipping v0.7.0. | 2025-08-16 | not yet calculated | CVE-2025-55286 |
| vim--vim | Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1400, When processing nested tuples in Vim script, an error during evaluation can trigger a use-after-free in Vim's internal tuple reference management. Specifically, the tuple_unref() function may access already freed memory due to improper lifetime handling, leading to memory corruption. The exploit requires direct user interaction, as the script must be explicitly executed within Vim. This issue has been patched in version 9.1.1400. | 2025-08-11 | not yet calculated | CVE-2025-55157 |
| vim--vim | Vim is an open source, command line text editor. In versions from 9.1.1231 to before 9.1.1406, when processing nested tuples during Vim9 script import operations, an error during evaluation can trigger a double-free in Vim's internal typed value (typval_T) management. Specifically, the clear_tv() function may attempt to free memory that has already been deallocated, due to improper lifetime handling in the handle_import / ex_import code paths. The vulnerability can only be triggered if a user explicitly opens and executes a specially crafted Vim script. This issue has been patched in version 9.1.1406. | 2025-08-11 | not yet calculated | CVE-2025-55158 |
| WeBid--WeBid | WeBid 1.0.2 contains a remote code injection vulnerability in the converter.php script, where unsanitized input in the to parameter of a POST request is written directly into includes/currencies.php. This allows unauthenticated attackers to inject arbitrary PHP code, resulting in persistent remote code execution when the modified script is accessed or included by the application. | 2025-08-13 | not yet calculated | CVE-2011-10011 |
| withastro--astro | Astro is a web framework for content-driven websites. Following CVE-2025-54793 there's still an Open Redirect vulnerability in a subset of Astro deployment scenarios prior to version 9.4.1. Astro 5.12.8 addressed CVE-2025-54793 where https://example.com//astro.build/press would redirect to the external origin //astro.build/press. However, with the Node deployment adapter in standalone mode and trailingSlash set to "always" in the Astro configuration, https://example.com//astro.build/press still redirects to //astro.build/press. This affects any user who clicks on a specially crafted link pointing to the affected domain. Since the domain appears legitimate, victims may be tricked into trusting the redirected page, leading to possible credential theft, malware distribution, or other phishing-related attacks. This issue has been patched in version 9.4.1. | 2025-08-15 | not yet calculated | CVE-2025-55207 |
| Wulkano--KAP | Improper Control of Generation of Code ('Code Injection') vulnerability in Wulkano KAP on MacOS allows TCC Bypass.This issue affects KAP: 3.6.0. | 2025-08-15 | not yet calculated | CVE-2025-7961 |
| YugabyteDB Inc--YugabyteDB | YugabyteDB has been collecting diagnostics information from YugabyteDB servers, which may include sensitive gflag configurations. To mitigate this, we recommend upgrading the database to a version where this information is properly redacted. | 2025-08-11 | not yet calculated | CVE-2025-8862 |
| YugabyteDB Inc--YugabyteDB | YugabyteDB diagnostic information was transmitted over HTTP, which could expose sensitive data during transmission | 2025-08-11 | not yet calculated | CVE-2025-8863 |
| YugabyteDB Inc--YugabyteDB | The YugabyteDB tablet server contains a flaw in its YCQL query handling that can trigger a null pointer dereference when processing certain malformed inputs. An authenticated attacker could exploit this issue to crash the YCQL tablet server, resulting in a denial of service. | 2025-08-11 | not yet calculated | CVE-2025-8865 |
| YugabyteDB Inc--YugabyteDB Anywhere | Shared Access Signature token is not masked in the backup configuration response and is also exposed in the yb_backup logs | 2025-08-11 | not yet calculated | CVE-2025-8864 |
| YugabyteDB Inc--YugabyteDB Anywhere | YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records. | 2025-08-11 | not yet calculated | CVE-2025-8866 |
| zed-industries--zed | Zed is a multiplayer code editor. Prior to version 0.197.3, in the Zed Agent Panel allowed for an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. An AI Agent could have exploited a permissions bypass vulnerability to create or modify a project-specific configuration file, leading to the execution of arbitrary commands on a victim's machine without the explicit approval that would otherwise be required. This vulnerability has been patched in version 0.197.3. A workaround for this issue involves either avoid sending prompts to the Agent Panel, or to limit the AI Agent's file system access. | 2025-08-11 | not yet calculated | CVE-2025-55012 |
| ZEN Load Balancer--ZEN Load Balancer | ZEN Load Balancer versions 2.0 and 3.0-rc1 contain a command injection vulnerability in content2-2.cgi. The filelog parameter is passed directly into a backtick-delimited exec() call without sanitation. An authenticated attacker can inject arbitrary shell commands, resulting in remote code execution as the root user. ZEN Load Balancer is the predecessor of ZEVENET and SKUDONET. The affected versions (2.0 and 3.0-rc1) are no longer supported. SKUDONET CE is the current community-maintained successor. | 2025-08-11 | not yet calculated | CVE-2012-10039 |
| ZKTeco Co--WL20 Biometric Attendance System | This vulnerability exists in ZKTeco WL20 due to storage of admin and user credentials without encryption in the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineer the binary data to access the unencrypted credentials stored in the firmware of targeted device. | 2025-08-13 | not yet calculated | CVE-2025-54464 |
| ZKTeco Co--WL20 Biometric Attendance System | This vulnerability exists in ZKTeco WL20 due to hard-coded MQTT credentials and endpoints stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve the hard-coded MQTT credentials and endpoints from the targeted device. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the MQTT broker and manipulate the communications of the targeted device. | 2025-08-13 | not yet calculated | CVE-2025-54465 |
| ZKTeco Co--WL20 Biometric Attendance System | This vulnerability exists in ZKTeco WL20 due to hard-coded private key stored in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to retrieve private key stored in the firmware of the targeted device. Successful exploitation of this vulnerability could allow the attacker to perform unauthorized decryption of sensitive data and Man-in-the-Middle (MitM) attacks on the targeted device. | 2025-08-13 | not yet calculated | CVE-2025-55279 |
| ZKTeco Co--WL20 Biometric Attendance System | This vulnerability exists in ZKTeco WL20 due to storage of Wi-Fi credentials, configuration data and system data in plaintext within the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineer the binary data to access the plaintext sensitive data stored in the targeted device. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized network access, retrieve and manipulate data on the targeted device. | 2025-08-13 | not yet calculated | CVE-2025-55280 |
Vulnerability Summary for the Week of August 4, 2025
Posted on Monday August 11, 2025
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by a Misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code. Exploitation of this issue does not require user interaction and scope is changed. | 2025-08-05 | 10 | CVE-2025-54253 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.23 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files on the local file system. Exploitation of this issue does not require user interaction. | 2025-08-05 | 8.6 | CVE-2025-54254 |
| ADOdb--ADOdb | ADOdb is a PHP database class library that provides abstractions for performing queries and managing databases. In versions 5.22.9 and below, improper escaping of a query parameter may allow an attacker to execute arbitrary SQL statements when the code using ADOdb connects to a sqlite3 database and calls the metaColumns(), metaForeignKeys() or metaIndexes() methods with a crafted table name. This is fixed in version 5.22.10. To workaround this issue, only pass controlled data to metaColumns(), metaForeignKeys() and metaIndexes() method's $table parameter. | 2025-08-05 | 10 | CVE-2025-54119 |
| arraytics--Eventin Event Manager, Events Calendar, Booking, Tickets and Registration | The Eventin plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.34. This is due to the plugin not properly validating a user's identity or capability prior to updating their details like email in the 'Eventin\Speaker\Api\SpeakerController::update_item' function. This makes it possible for unauthenticated attackers with contributor-level and above permissions to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | 2025-08-08 | 8.8 | CVE-2025-4796 |
| Autodesk--3ds Max | A maliciously crafted RBG file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2025-08-06 | 8.3 | CVE-2025-6633 |
| Autodesk--3ds Max | A maliciously crafted TGA file, when linked or imported into Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-08-06 | 7.8 | CVE-2025-6634 |
| Belkin--F9K1009 | A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-08 | 9.8 | CVE-2025-8730 |
| Burk Technology--ARC Solo | Burk Technology ARC Solo's password change mechanism can be utilized without proper authentication procedures, allowing an attacker to take over the device. A password change request can be sent directly to the device's HTTP endpoint without providing valid credentials. The system does not enforce proper authentication or session validation, allowing the password change to proceed without verifying the request's legitimacy. | 2025-08-08 | 9.8 | CVE-2025-5095 |
| callstackincubator--react-native-bottom-tabs | react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pull_request_target event trigger, which allowed for untrusted code from a forked pull request to be executed in a privileged context. An attacker could create a pull request containing a malicious preinstall script in the package.json file and then trigger the vulnerable workflow by posting a specific comment (!canary). This allowed for arbitrary code execution, leading to the exfiltration of sensitive secrets such as GITHUB_TOKEN and NPM_TOKEN, and could have allowed an attacker to push malicious code to the repository or publish compromised packages to the NPM registry. There is a remediation commit which removes github/workflows/release-canary.yml, but a version with this fix has yet to be released. | 2025-08-05 | 9.1 | CVE-2025-54594 |
| cconard96--glpi-screenshot-plugin | The glpi-screenshot-plugin allows users to take screenshots or screens recording directly from GLPI. In versions below 2.0.2, authenticated user can use the /ajax/screenshot.php endpoint to leak files from the system or use PHP wrappers. This is fixed in version 2.0.2. | 2025-08-05 | 7.7 | CVE-2025-54780 |
| CesiumLab--Web | A vulnerability classified as critical was found in CesiumLab Web up to 4.0. This vulnerability affects unknown code of the file /lodmodels/. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-08 | 7.3 | CVE-2025-8744 |
| cleverreach43--CleverReach WP | The CleverReach® WP plugin for WordPress is vulnerable to time-based SQL Injection via the 'title' parameter in all versions up to, and including, 1.5.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-08-06 | 7.5 | CVE-2025-7036 |
| code-projects--Online Medicine Guide | A vulnerability classified as critical has been found in code-projects Online Medicine Guide 1.0. Affected is an unknown function of the file /addelidetails.php. The manipulation of the argument del leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-10 | 7.3 | CVE-2025-8809 |
| code-projects--Simple Art Gallery | A vulnerability, which was classified as critical, has been found in code-projects Simple Art Gallery 1.0. Affected by this issue is some unknown functionality of the file /Admin/registration.php. The manipulation of the argument fname leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-10 | 7.3 | CVE-2025-8811 |
| CODESYS--Control RTE (SL) | A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted. | 2025-08-04 | 8.3 | CVE-2025-41659 |
| CODESYS--Control RTE (SL) | An unauthenticated remote attacker may trigger a NULL pointer dereference in the affected CODESYS Control runtime systems by sending specially crafted communication requests, potentially leading to a denial-of-service (DoS) condition. | 2025-08-04 | 7.5 | CVE-2025-41691 |
| cursor--cursor | Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions below 1.3.9, If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file don't already exist in the workspace, an attacker can chain a indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9. | 2025-08-05 | 8.6 | CVE-2025-54135 |
| cursor--cursor | Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions less than 1.3.9. If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive editor files, such as the .vscode/settings.json file don't already exist in the workspace, an attacker can chain a indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9. | 2025-08-05 | 7.5 | CVE-2025-54130 |
| CybercentreCanada--assemblyline | The Assemblyline 4 Service Client interfaces with the API to fetch tasks and publish the result for a service in Assemblyline 4. In versions below 4.6.1.dev138, the Assemblyline 4 Service Client (task_handler.py) accepts a SHA-256 value returned by the service server and uses it directly as a local file name.A malicious or compromised server (or any MITM that can speak to client) can return a path-traversal payload such as `../../../etc/cron.d/evil` and force the client to write the downloaded bytes to an arbitrary location on disk. This is fixed in version 4.6.1.dev138. | 2025-08-09 | 10 | CVE-2025-55013 |
| danny-avila--LibreChat | LibreChat is a ChatGPT clone with additional features. In versions 0.0.6 through 0.7.7-rc1, an exposed testing endpoint allows reading arbitrary chats directly from the Meilisearch engine. The endpoint /api/search/test allows for direct access to stored chats in the Meilisearch engine without proper access control. This results in the ability to read chats from arbitrary users. This issue is fixed in version 0.7.7. | 2025-08-05 | 7.5 | CVE-2025-54868 |
| Dassault Systmes--DELMIA Apriso | A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application. | 2025-08-04 | 9.1 | CVE-2025-6205 |
| Dassault Systmes--DELMIA Apriso | An Improper Control of Generation of Code (Code Injection) vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to execute arbitrary code. | 2025-08-04 | 8 | CVE-2025-6204 |
| Dell--Avamar Data Store Gen4T | Dell Avamar, versions prior to 19.12 with patch 338905, excluding version 19.10SP1 with patch 338904, contains a Trusting HTTP Permission Methods on the Server-Side vulnerability in Security. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | 2025-08-04 | 8.3 | CVE-2025-21120 |
| Dell--Dell Digital Delivery | Dell Digital Delivery, versions prior to 5.6.1.0, contains an Insufficiently Protected Credentials vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to Information Disclosure. | 2025-08-04 | 7.2 | CVE-2025-38739 |
| Dell--ECS | Dell ECS versions prior to 3.8.1.5/ ObjectScale version 4.0.0.0, contain a Use of Hard-coded Cryptographic Key vulnerability. An unauthenticated attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access. | 2025-08-04 | 8.4 | CVE-2025-26476 |
| Dell--Enterprise SONiC OS | Dell Enterprise SONiC OS, version 4.5.0, contains a cryptographic key vulnerability in SSH. An unauthenticated remote attacker could potentially exploit this vulnerability, leading to unauthorized access to communication. | 2025-08-04 | 7.5 | CVE-2025-38741 |
| Dell--PowerProtect Data Domain Feature Release | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.3.0.15, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release versions 7.10.1.0 through 7.10.1.60, contain an Authentication Bypass by Spoofing vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Protection mechanism bypass. Remote unauthenticated user can create account that potentially expose customer info, affect system integrity and availability. | 2025-08-04 | 9.8 | CVE-2025-36594 |
| Dell--PowerProtect Data Domain Feature Release | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.1.0.10, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release versions 7.10.1.0 through 7.10.1.50, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the DDSH CLI. A low privileged attacker with local access could potentially exploit this vulnerability to execute arbitrary commands with root privileges. | 2025-08-04 | 7.8 | CVE-2025-30099 |
| Dell--SupportAssist OS Recovery | Dell SupportAssist OS Recovery, versions prior to 5.5.14.0, contain a Creation of Temporary File With Insecure Permissions vulnerability. A local authenticated attacker could potentially exploit this vulnerability, leading to Elevation of Privileges. | 2025-08-06 | 7.8 | CVE-2025-38747 |
| Dell--Unity | Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution. | 2025-08-04 | 7.3 | CVE-2025-36604 |
| Dell--Unity | Dell Unity, version(s) 5.5 and prior, contain(s) an OS Command Injection Vulnerability in its svc_nfssupport utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and execute arbitrary operating system commands with root privileges. | 2025-08-04 | 7.8 | CVE-2025-36606 |
| Dell--Unity | Dell Unity, version(s) 5.5 and prior, contain(s) an OS Command Injection Vulnerability in its svc_nas utility. An authenticated attacker could potentially exploit this vulnerability, escaping the restricted shell and execute arbitrary operating system commands with root privileges. | 2025-08-04 | 7.8 | CVE-2025-36607 |
| Dinstar--Monitoring Platform | A vulnerability, which was classified as critical, was found in Dinstar Monitoring Platform 甘肃çœå±é™©å“åº“ç›‘æŽ§å¹³å° 1.0. Affected is an unknown function of the file /itc/$%7BappPath%7D/login_getPasswordErrorNum.action. The manipulation of the argument userBean.loginName leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 7.3 | CVE-2025-8773 |
| Draeger--Draeger ICMHelper | A low privileged local attacker can interact with the affected service although user-interaction should not be allowed. | 2025-08-05 | 7.8 | CVE-2025-41698 |
| Dreame Technology--Dreamehome iOS app | A TLS vulnerability exists in the phone application used to manage a connected device. The phone application accepts self-signed certificates when establishing TLS communication which may result in man-in-the-middle attacks on untrusted networks. Captured communications may include user credentials and sensitive session tokens. | 2025-08-08 | 7.3 | CVE-2025-8393 |
| EG4 Electronics--EG4 12kPV | The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback when the correct PIN is entered. This vulnerability was patched in a server-side update on April 6, 2025. | 2025-08-08 | 8.1 | CVE-2025-46414 |
| EG4 Electronics--EG4 12kPV | The affected product allows firmware updates to be downloaded from EG4's website, transferred via USB dongles, or installed through EG4's Monitoring Center (remote, cloud-connected interface) or via a serial connection, and can install these files without integrity checks. The TTComp archive format used for the firmware is unencrypted and can be unpacked and altered without detection. | 2025-08-08 | 8.8 | CVE-2025-53520 |
| emarket-design--Request a Quote Form Plugin Price Quote Request Management Made Easy | The Request a Quote Form plugin for WordPress is vulnerable to Remote Code Execution in version less than, or equal to, 2.5.2 via the emd_form_builder_lite_pagenum function. This is due to the plugin not properly validating user input before using it as a function name. This makes it possible for unauthenticated attackers to execute code on the server, however, parameters can not be passed to the functions called. | 2025-08-06 | 8.1 | CVE-2025-8420 |
| Emby--MediaBrowser | CWE-639 Authorization Bypass Through User-Controlled Key | 2025-08-06 | 8.8 | CVE-2025-46386 |
| Emby--MediaBrowser | CWE-639 Authorization Bypass Through User-Controlled Key | 2025-08-06 | 8.8 | CVE-2025-46387 |
| Emby--MediaBrowser | CWE-204: Observable Response Discrepancy | 2025-08-06 | 7.5 | CVE-2025-46390 |
| FTB-Gamepedia--Tilesheets | Tilesheets MediaWiki Extension adds a table lookup parser function for an item and returns the requested image. A missing backtick in a query executed by the Tilesheets extension allows users to insert and potentially execute malicious SQL code. This issue has not been fixed. | 2025-08-05 | 7.3 | CVE-2025-54865 |
| himmelblau-idm--himmelblau | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. In versions 0.8.0 through 0.9.21 and 1.0.0-beta through 1.1.0, Himmelblau stores the cloud TGT received during logon in the Kerberos credential cache. The created credential cache collection and received credentials are stored as world readable. This is fixed in versions 0.9.22 and 1.2.0. To work around this issue, remove all read access to Himmelblau caches for all users except for owners. | 2025-08-07 | 7.1 | CVE-2025-54882 |
| Huawei--HarmonyOS | Binding authentication bypass vulnerability in the devicemanager module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-08-06 | 8.3 | CVE-2025-54622 |
| Huawei--HarmonyOS | Out-of-bounds write vulnerability in the skia module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-08-06 | 8.8 | CVE-2025-54627 |
| Huawei--HarmonyOS | Vulnerability of improper processing of abnormal conditions in huge page separation. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 8 | CVE-2025-54634 |
| Huawei--HarmonyOS | Path traversal vulnerability in the virtualization base module. Successful exploitation of this vulnerability may affect the confidentiality of the virtualization module. | 2025-08-06 | 8.4 | CVE-2025-54652 |
| Huawei--HarmonyOS | Path traversal vulnerability in the virtualization file module. Successful exploitation of this vulnerability may affect the confidentiality of the virtualization file module. | 2025-08-06 | 8.4 | CVE-2025-54653 |
| Huawei--HarmonyOS | Race condition vulnerability in the virtualization base module. Successful exploitation of this vulnerability may affect the confidentiality and integrity of the virtualization graphics module. | 2025-08-06 | 8.1 | CVE-2025-54655 |
| Huawei--HarmonyOS | Status verification vulnerability in the lock screen module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2025-08-06 | 7.3 | CVE-2025-54606 |
| Huawei--HarmonyOS | Authentication management vulnerability in the ArkWeb module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-08-06 | 7.7 | CVE-2025-54607 |
| Huawei--HarmonyOS | EXTRA_REFERRER resource read vulnerability in the Gallery module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-08-06 | 7.3 | CVE-2025-54611 |
| i--Morning | A vulnerability was found in 猫å®i Morning up to bc782730c74ff080494f145cc363a0b4f43f7d3e. It has been classified as critical. Affected is an unknown function of the file /index of the component Shiro Configuration. The manipulation leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | 2025-08-10 | 7.3 | CVE-2025-8815 |
| IBM--i | IBM i 7.3, 7.4, 7.5, and 7.6 is affected by an authenticated user obtaining elevated privileges with IBM Digital Certificate Manager for i (DCM) due to a web session hijacking vulnerability. An authenticated user without administrator privileges could exploit this vulnerability to perform actions in DCM as an administrator. | 2025-08-08 | 7.1 | CVE-2025-36119 |
| IBM--Tivoli Monitoring | IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 20 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. A remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash. | 2025-08-06 | 8.1 | CVE-2025-3320 |
| IBM--Tivoli Monitoring | IBM Tivoli Monitoring 6.3.0.7 through 6.3.0.7 Service Pack 20 is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. A remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash. | 2025-08-06 | 8.1 | CVE-2025-3354 |
| jwt--ruby-jwe | jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption (JWE) standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk because JWEs can be modified to decrypt to an arbitrary value, decrypted by observing parsing differences and the GCM internal GHASH key can be recovered. Users are affected by this vulnerability even if they do not use an AES-GCM encryption algorithm for their JWEs. As the GHASH key may have been leaked, users must rotate the encryption keys after upgrading. This issue is fixed in version 1.1.1. | 2025-08-08 | 9.1 | CVE-2025-54887 |
| Latkecrszy--LinkJoin | LinkJoin through 882f196 mishandles lacks type checking in password reset. | 2025-08-07 | 7.4 | CVE-2025-55137 |
| Latkecrszy--LinkJoin | LinkJoin through 882f196 mishandles token ownership in password reset. | 2025-08-07 | 7.4 | CVE-2025-55138 |
| Linksys--RE6250 | A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected is the function setOpMode of the file /goform/setOpMode. The manipulation of the argument ethConv leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 8.8 | CVE-2025-8816 |
| Linksys--RE6250 | A vulnerability was identified in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected by this vulnerability is the function setLan of the file /goform/setLan. The manipulation of the argument lan2enabled leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 8.8 | CVE-2025-8817 |
| Linksys--RE6250 | A vulnerability was found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This affects the function setWan of the file /goform/setWan. The manipulation of the argument staticIp leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 8.8 | CVE-2025-8819 |
| Linksys--RE6250 | A vulnerability was determined in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. This vulnerability affects the function wirelessBasic of the file /goform/wirelessBasic. The manipulation of the argument submit_SSID1 leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 8.8 | CVE-2025-8820 |
| LiquidFiles--LiquidFiles | LiquidFiles before 4.1.2 supports FTP SITE CHMOD for mode 6777 (setuid and setgid), which allows FTPDrop users to execute arbitrary code as root by leveraging the Actionscript feature and the sudoers configuration. | 2025-08-04 | 9.9 | CVE-2025-46093 |
| Microsoft--Azure Open AI | Azure OpenAI Elevation of Privilege Vulnerability | 2025-08-07 | 10 | CVE-2025-53767 |
| Microsoft--Azure Portal | Azure Portal Elevation of Privilege Vulnerability | 2025-08-07 | 9.1 | CVE-2025-53792 |
| Microsoft--Microsoft 365 Copilot's Business Chat | Microsoft 365 Copilot BizChat Information Disclosure Vulnerability | 2025-08-07 | 8.2 | CVE-2025-53787 |
| Microsoft--Microsoft Exchange Server Subscription Edition RTM | On April 18th 2025, Microsoft announced Exchange Server Security Changes for Hybrid Deployments and accompanying non-security Hot Fix. Microsoft made these changes in the general interest of improving the security of hybrid Exchange deployments. Following further investigation, Microsoft identified specific security implications tied to the guidance and configuration steps outlined in the April announcement. Microsoft is issuing CVE-2025-53786 to document a vulnerability that is addressed by taking the steps documented with the April 18th announcement. Microsoft strongly recommends reading the information, installing the April 2025 (or later) Hot Fix and implementing the changes in your Exchange Server and hybrid environment. | 2025-08-06 | 8 | CVE-2025-53786 |
| Mobile Industrial Robots--MiR Robots | MiR software versions prior to version 3.0.0 are affected by a command injection vulnerability. A malicious HTTP request crafted by an authenticated user could allow the execution of arbitrary commands on the underlying operating system. | 2025-08-08 | 8.8 | CVE-2025-8748 |
| n/a--Sage DPW | Incorrect access control in Sage DPW v2024.12.003 allows unauthorized attackers to access the built-in Database Monitor via a crafted request. This is fixed in Halbjahresversion 2024_12_004. | 2025-08-06 | 7.5 | CVE-2025-51532 |
| NetApp--SAN Host Utilities for Windows | The installer for SAN Host Utilities for Windows versions prior to 8.0 is susceptible to a vulnerability which when successfully exploited could allow a local user to escalate their privileges. | 2025-08-07 | 7 | CVE-2025-26513 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause stack buffer overflow by specially crafted inputs. A successful exploit of this vulnerability might lead to remote code execution, denial of service, information disclosure, and data tampering. | 2025-08-06 | 9.8 | CVE-2025-23310 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability where an attacker could cause a stack overflow through specially crafted HTTP requests. A successful exploit of this vulnerability might lead to remote code execution, denial of service, information disclosure, or data tampering. | 2025-08-06 | 9.8 | CVE-2025-23311 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server contains a vulnerability in the HTTP server, where an attacker could start a reverse shell by sending a specially crafted HTTP request. A successful exploit of this vulnerability might lead to remote code execution, denial of service, data tampering, or information disclosure. | 2025-08-06 | 9.1 | CVE-2025-23317 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause an out-of-bounds write. A successful exploit of this vulnerability might lead to code execution, denial of service, data tampering, and information disclosure. | 2025-08-06 | 8.1 | CVE-2025-23318 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause an out-of-bounds write by sending a request. A successful exploit of this vulnerability might lead to remote code execution, denial of service, data tampering, or information disclosure. | 2025-08-06 | 8.1 | CVE-2025-23319 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause the shared memory limit to be exceeded by sending a very large request. A successful exploit of this vulnerability might lead to information disclosure. | 2025-08-06 | 7.5 | CVE-2025-23320 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where a user could cause a divide by zero issue by issuing an invalid request. A successful exploit of this vulnerability might lead to denial of service. | 2025-08-06 | 7.5 | CVE-2025-23321 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where multiple requests could cause a double free when a stream is cancelled before it is processed. A successful exploit of this vulnerability might lead to denial of service. | 2025-08-06 | 7.5 | CVE-2025-23322 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where a user could cause an integer overflow or wraparound, leading to a segmentation fault, by providing an invalid request. A successful exploit of this vulnerability might lead to denial of service. | 2025-08-06 | 7.5 | CVE-2025-23323 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where a user could cause an integer overflow or wraparound, leading to a segmentation fault, by providing an invalid request. A successful exploit of this vulnerability might lead to denial of service. | 2025-08-06 | 7.5 | CVE-2025-23324 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause uncontrolled recursion through a specially crafted input. A successful exploit of this vulnerability might lead to denial of service. | 2025-08-06 | 7.5 | CVE-2025-23325 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause an integer overflow through a specially crafted input. A successful exploit of this vulnerability might lead to denial of service. | 2025-08-06 | 7.5 | CVE-2025-23326 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where an attacker could cause an integer overflow through specially crafted inputs. A successful exploit of this vulnerability might lead to denial of service and data tampering. | 2025-08-06 | 7.5 | CVE-2025-23327 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability where a user could cause a memory allocation with excessive size value, leading to a segmentation fault, by providing an invalid request. A successful exploit of this vulnerability might lead to denial of service. | 2025-08-06 | 7.5 | CVE-2025-23331 |
| oitcode--samarium | A vulnerability was found in oitcode samarium up to 0.9.6. It has been classified as critical. Affected is an unknown function of the file /dashboard/product of the component Create Product Page. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-10 | 7.3 | CVE-2025-8798 |
| open-metadata--OpenMetadata | OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the TestDefinitionDAO interface. The testPlatform parameter can be used to build a SQL query. | 2025-08-08 | 7.1 | CVE-2025-50465 |
| open-metadata--OpenMetadata | OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the TestDefinitionDAO interface. The entityType parameter can be used to build a SQL query. | 2025-08-08 | 7.1 | CVE-2025-50466 |
| openbao--openbao | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, some OpenBao deployments intentionally limit privileged API operators from executing system code or making network connections. However, these operators can bypass both restrictions through the audit subsystem by manipulating log prefixes. This allows unauthorized code execution and network access that violates the intended security model. This issue is fixed in version 2.3.2. To workaround, users can block access to sys/audit/* endpoints using explicit deny policies, but root operators cannot be restricted this way. | 2025-08-09 | 9.1 | CVE-2025-54997 |
| openbao--openbao | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, accounts with access to highly-privileged identity entity systems in root namespaces were able to increase their scope directly to the root policy. While the identity system allowed adding arbitrary policies, which in turn could contain capability grants on arbitrary paths, the root policy was restricted to manual generation using unseal or recovery key shares. The global root policy was not accessible from child namespaces. This issue is fixed in version 2.3.2. To workaround this vulnerability, use of denied_parameters in any policy which has access to the affected identity endpoints (on identity entities) may be sufficient to prohibit this type of attack. | 2025-08-09 | 7.2 | CVE-2025-54996 |
| Packet Power--EMX | By default, the Packet Power Monitoring and Control Web Interface do not enforce authentication mechanisms. This vulnerability could allow unauthorized users to access and manipulate monitoring and control functions. | 2025-08-08 | 9.8 | CVE-2025-8284 |
| Paramount Software--Macrium Reflect | Paramount Macrium Reflect through 2025-06-26 allows attackers to execute arbitrary code with administrator privileges via a crafted .mrimgx or .mrbax backup file and a renamed executable placed in the same directory. When a user with administrative privileges opens the crafted backup file and proceeds to mount it, Reflect launches the renamed executable (e.g., explorer.exe), which is under attacker control. This occurs because of insufficient validation of companion files referenced during backup mounting. | 2025-08-04 | 7.7 | CVE-2025-53394 |
| Paramount Software--Macrium Reflect | Paramount Macrium Reflect through 2025-06-26 allows local attackers to execute arbitrary code with administrator privileges via a crafted .mrimgx backup file and a malicious VSSSvr.dll located in the same directory. When a user with administrative privileges mounts a backup by opening the .mrimgx file, Reflect loads the attacker's VSSSvr.dll after the mount completes. This occurs because of untrusted DLL search path behavior in ReflectMonitor.exe. | 2025-08-04 | 7.7 | CVE-2025-53395 |
| pyload--pyload | pyLoad is the free and open-source Download Manager written in pure Python. In versions 0.5.0b3.dev89 and below, there is an opportunity for path traversal in pyLoad-ng CNL Blueprint via package parameter, allowing Arbitrary File Write which leads to Remote Code Execution (RCE). The addcrypted endpoint in pyload-ng suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. This issue is fixed in version 0.5.0b3.dev90. | 2025-08-05 | 9.8 | CVE-2025-54802 |
| Qualcomm, Inc.--Snapdragon | Transient DOS while processing a random-access response (RAR) with an invalid PDU length on LTE network. | 2025-08-06 | 7.5 | CVE-2025-21452 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while submitting blob data to kernel space though IOCTL. | 2025-08-06 | 7.8 | CVE-2025-21455 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing IOCTL command when multiple threads are called to map/unmap buffer concurrently. | 2025-08-06 | 7.8 | CVE-2025-21456 |
| Qualcomm, Inc.--Snapdragon | Memory corruption when IOCTL interface is called to map and unmap buffers simultaneously. | 2025-08-06 | 7.8 | CVE-2025-21458 |
| Qualcomm, Inc.--Snapdragon | Memory corruption when programming registers through virtual CDM. | 2025-08-06 | 7.8 | CVE-2025-21461 |
| Qualcomm, Inc.--Snapdragon | Memory corruption when using Virtual cdm (Camera Data Mover) to write registers. | 2025-08-06 | 7.8 | CVE-2025-21473 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing commands from A2dp sink command queue. | 2025-08-06 | 7.8 | CVE-2025-21474 |
| Qualcomm, Inc.--Snapdragon | Transient DOS while processing CCCH data when NW sends data with invalid length. | 2025-08-06 | 7.5 | CVE-2025-21477 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while handling client exceptions, allowing unauthorized channel access. | 2025-08-06 | 7.8 | CVE-2025-27062 |
| Qualcomm, Inc.--Snapdragon | Transient DOS while processing a frame with malformed shared-key descriptor. | 2025-08-06 | 7.5 | CVE-2025-27065 |
| Qualcomm, Inc.--Snapdragon | Transient DOS while processing an ANQP message. | 2025-08-06 | 7.5 | CVE-2025-27066 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing DDI call with invalid buffer. | 2025-08-06 | 7.8 | CVE-2025-27067 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing an IOCTL command with an arbitrary address. | 2025-08-06 | 7.8 | CVE-2025-27068 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing DDI command calls. | 2025-08-06 | 7.8 | CVE-2025-27069 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing specific files in Powerline Communication Firmware. | 2025-08-06 | 7.3 | CVE-2025-27071 |
| Qualcomm, Inc.--Snapdragon | Transient DOS while creating NDP instance. | 2025-08-06 | 7.5 | CVE-2025-27073 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing IOCTL command with larger buffer in Bluetooth Host. | 2025-08-06 | 7.8 | CVE-2025-27075 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing simultaneous requests via escape path. | 2025-08-06 | 7.8 | CVE-2025-27076 |
| Qualcomm, Inc.--Snapdragon | Information disclosure while accessing and modifying the PIB file of a remote device via powerline. | 2025-08-06 | 7.5 | CVE-2025-47324 |
| RUCKUS--Network Director | RUCKUS Network Director (RND) before 4.5 allows spoofing of an administrator JWT by an attacker who knows the hardcoded value of a certain secret key. | 2025-08-04 | 9 | CVE-2025-44963 |
| RUCKUS--Network Director | RUCKUS Network Director (RND) before 4.5 allows jailed users to obtain root access vis a weak, hardcoded password. | 2025-08-04 | 8.8 | CVE-2025-44955 |
| RUCKUS--SmartZone | RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build has a hardcoded SSH private key for a root-equivalent user account. | 2025-08-04 | 9 | CVE-2025-44954 |
| RUCKUS--SmartZone | In RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build, OS command injection can occur via an IP address field provided by an authenticated user. | 2025-08-04 | 9.9 | CVE-2025-44961 |
| RUCKUS--SmartZone | Ruckus SmartZone (SZ) before 6.1.2p3 Refresh Build allows authentication bypass via a valid API key and crafted HTTP headers. | 2025-08-04 | 8.5 | CVE-2025-44957 |
| RUCKUS--SmartZone | RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build allows OS command injection via a certain parameter in an API route. | 2025-08-04 | 8.5 | CVE-2025-44960 |
| SEIKO EPSON--Multiple EPSON product | On multiple products of SEIKO EPSON and FUJIFILM Corporation, the initial administrator password is easy to guess from the information available via SNMP. If the administrator password is not changed from the initial one, a remote attacker with SNMP access can log in to the product with the administrator privilege. | 2025-08-07 | 7.5 | CVE-2025-35970 |
| skops-dev--skops | skops is a Python library which helps users share and ship their scikit-learn based models. In versions 0.12.0 and below, the Card.get_model does not contain any logic to prevent arbitrary code execution. The Card.get_model function supports both joblib and skops for model loading. When loading .skops models, it uses skops' secure loading with trusted type validation, raising errors for untrusted types unless explicitly allowed. However, when non-.zip file formats are provided, the function silently falls back to joblib without warning. Unlike skops, joblib allows arbitrary code execution during loading, bypassing security measures and potentially enabling malicious code execution. This issue is fixed in version 0.13.0. | 2025-08-08 | 8.4 | CVE-2025-54886 |
| SmartDataSoft--Reveal Listing | The Reveal Listing plugin by smartdatasoft for WordPress is vulnerable to privilege escalation in versions up to, and including, 3.3. This is due to the plugin allowing users who are registering new accounts to set their own role or by supplying 'listing_user_role' field. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the administrator role. | 2025-08-06 | 9.8 | CVE-2025-6994 |
| SuiteCRM--SuiteCRM | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, user-supplied input is not validated/sanitized before it is passed to the unserialize function, which could lead to penetration, privilege escalation, sensitive data exposure, Denial of Service, cryptomining and ransomware. This issue is fixed in version 7.14.7 and 8.8.1. | 2025-08-06 | 8.8 | CVE-2025-54785 |
| SuiteCRM--SuiteCRM | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions and below, the InboundEmail module allows the arbitrary execution of queries in the backend database, leading to SQL injection. This can have wide-reaching implications on confidentiality, integrity, and availability, as database data can be retrieved, modified, or removed entirely. This issue is fixed in version 7.14.7. | 2025-08-06 | 8.8 | CVE-2025-54788 |
| Tenda--AC20 | A vulnerability classified as critical was found in Tenda AC20 16.03.08.05. Affected by this vulnerability is the function strcpy of the file /goform/SetFirewallCfg. The manipulation of the argument firewallEn leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-10 | 8.8 | CVE-2025-8810 |
| TianoCore--EDK2 | EDK2 contains a vulnerability in BIOS where an attacker may cause "Protection Mechanism Failure" by local access. Successful exploitation of this vulnerability will lead to arbitrary code execution and impact Confidentiality, Integrity, and Availability. | 2025-08-07 | 7 | CVE-2025-3770 |
| Trend Micro, Inc.--Trend Micro Apex One | A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. | 2025-08-05 | 9.4 | CVE-2025-54948 |
| Trend Micro, Inc.--Trend Micro Apex One | A vulnerability in Trend Micro Apex One (on-premise) management console could allow a pre-authenticated remote attacker to upload malicious code and execute commands on affected installations. This vulnerability is essentially the same as CVE-2025-54948 but targets a different CPU architecture. | 2025-08-05 | 9.4 | CVE-2025-54987 |
| TRENDnet--TEW-822DRE | A vulnerability was found in TRENDnet TEW-822DRE FW103B02. It has been classified as problematic. This affects an unknown part of the component vsftpd. The manipulation leads to least privilege violation. Attacking locally is a requirement. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 7 | CVE-2025-8758 |
| TRENDnet--TI-G160i | A vulnerability was found in TRENDnet TI-G160i, TI-PG102i and TPL-430AP up to 20250724. It has been classified as critical. This affects an unknown part of the component SSH Service. The manipulation leads to use of default credentials. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-08 | 9.8 | CVE-2025-8731 |
| TRENDnet--TV-IP110WN | A vulnerability was found in TRENDnet TV-IP110WN 1.2.2 and classified as problematic. Affected by this issue is some unknown functionality of the file /server/boa.conf of the component Embedded Boa Web Server. The manipulation leads to least privilege violation. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 7 | CVE-2025-8757 |
| TriliumNext--Trilium | Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. In versions below 0.97.0, a brute-force protection bypass in the initial sync seed retrieval endpoint allows unauthenticated attackers to guess the login password without triggering rate limiting. Trilium is a single-user app without a username requirement, and brute-force protection bypass makes exploitation much more feasible. Multiple features provided by Trilium (e.g. MFA, share notes, custom request handler) indicate that Trilium can be exposed to the internet. This is fixed in version 0.97.0. | 2025-08-05 | 7.5 | CVE-2025-53544 |
| Tyler Technologies--ERP Pro 9 SaaS | Tyler Technologies ERP Pro 9 SaaS allows an authenticated user to escape the application and execute limited operating system commands within the remote Microsoft Windows environment with the privileges of the authenticated user. Tyler Technologies deployed hardened remote Windows environment settings to all ERP Pro 9 SaaS customer environments as of 2025-08-01. | 2025-08-07 | 7.4 | CVE-2025-55077 |
| vjinfotech--WP Import Export Lite | The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_parse_upload_data' function in all versions up to, and including, 3.9.29. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability was partially patched in version 3.9.29. | 2025-08-05 | 7.5 | CVE-2025-5061 |
| vjinfotech--WP Import Export Lite | The WP Import Export Lite plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpie_tempalte_import' function in all versions up to, and including, 3.9.28. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-08-05 | 7.5 | CVE-2025-6207 |
| wangzhixuan--spring-shiro-training | A vulnerability was found in wangzhixuan spring-shiro-training up to 94812c1fd8f7fe796c931f4984ff1aa0671ab562. It has been declared as critical. This vulnerability affects unknown code of the file /role/add. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | 2025-08-09 | 7.3 | CVE-2025-8752 |
| workos--authkit-react-router | The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. In versions 0.6.1 and below, @workos-inc/authkit-react-router exposed sensitive authentication artifacts - specifically sealedSession and accessToken by returning them from the authkitLoader. This caused them to be rendered into the browser HTML. This issue is fixed in version 0.7.0. | 2025-08-09 | 7.1 | CVE-2025-55008 |
| workos--authkit-remix | The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts - specifically sealedSession and accessToken - by returning them from the authkitLoader. This caused them to be rendered into the browser HTML. | 2025-08-09 | 7.1 | CVE-2025-55009 |
| WP Cloud Plugins/_deleeuw_--Use-your-Drive | Google Drive plugin for WordPress | The Use-your-Drive | Google Drive plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in file metadata in all versions up to, and including, 3.3.1 due to insufficient input sanitization and output escaping. This makes it possible for attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability can be exploited by the lowest authentication level permitted to upload files, including unauthenticated users, once a file upload shortcode is published on a publicly accessible post. | 2025-08-05 | 7.2 | CVE-2025-7050 |
| WPExperts--Post SMTP | Authentication Bypass Using an Alternate Path or Channel vulnerability in WPExperts Post SMTP allows Authentication Bypass.This issue affects Post SMTP: from n/a through 3.2.0. | 2025-08-07 | 8.8 | CVE-2025-24000 |
| Xerox--FreeFlow Core | In Xerox FreeFlow Core version 8.0.4, an attacker can exploit a Path Traversal vulnerability to access unauthorized files on the server. This can lead to Remote Code Execution (RCE), allowing the attacker to run arbitrary commands on the system. | 2025-08-08 | 9.8 | CVE-2025-8356 |
| Xerox--FreeFlow Core | In Xerox FreeFlow Core version 8.0.4, improper handling of XML input allows injection of external entities. An attacker can craft malicious XML containing references to internal URLs, this results in a Server-Side Request Forgery (SSRF). | 2025-08-08 | 7.5 | CVE-2025-8355 |
| Zscaler--Authentication Server | An improper verification of cryptographic signature in Zscaler's SAML authentication mechanism on the server-side allowed an authentication abuse. | 2025-08-05 | 9.6 | CVE-2025-54982 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-08-05 | 5.4 | CVE-2025-46958 |
| agno-agi--agno | A vulnerability, which was classified as critical, has been found in agno-agi agno up to 1.7.5. This issue affects the function MCPTools/MultiMCPTools in the library libs/agno/agno/tools/mcp.py of the component Model Context Protocol Handler. The manipulation of the argument command leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-06 | 6.3 | CVE-2025-8665 |
| Agora Foundation--Agora | In Agora Foundation Agora fall23-Alpha1 before b087490, there is XSS via topicName in client/agora/public/js/editorManager.js. | 2025-08-07 | 6.4 | CVE-2025-55133 |
| Agora Foundation--Agora | In Agora Foundation Agora fall23-Alpha1 before b087490, there is XSS via tag in client/agora/public/js/editorManager.js. | 2025-08-07 | 6.4 | CVE-2025-55134 |
| Agora Foundation--Agora | In Agora Foundation Agora fall23-Alpha1 before 690ce56, there is XSS via a profile picture to server/controller/userController.js. Formats other than PNG, JPEG, and WEBP are permitted by server/routes/userRoutes.js; this includes SVG. | 2025-08-07 | 6.4 | CVE-2025-55135 |
| Akamai--AkamaiGhost | An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Under certain circumstances, a client making an HTTP/1.x OPTIONS request with an "Expect: 100-continue" header, and using obsolete line folding, can lead to a discrepancy in how two in-path Akamai servers interpret the request, allowing an attacker to smuggle a second request in the original request body. | 2025-08-07 | 4 | CVE-2025-32094 |
| anatolyk--Download Counter | The Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-05 | 6.4 | CVE-2025-8294 |
| Antabot--White-Jotter | A vulnerability was found in Antabot White-Jotter 0.22. It has been declared as critical. This vulnerability affects the function CookieRememberMeManager of the file ShiroConfiguration.java of the component com.gm.wj.config.ShiroConfiguration. The manipulation with the input EVANNIGHTLY_WAOU leads to deserialization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 5 | CVE-2025-8708 |
| archaeopath--WP Tournament Registration | The WP Tournament Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'field' parameter in all versions up to, and including, 1.3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-06 | 6.4 | CVE-2025-6690 |
| atjiu--pybbs | A vulnerability, which was classified as problematic, was found in atjiu pybbs up to 6.0.0. This affects the function adminlogin/login of the component Verification Code Handler. The manipulation leads to guessable captcha. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The patch is named ecaf8d46944fd03e3c4ea05698f8acf0aaa570cf. It is recommended to apply a patch to fix this issue. | 2025-08-05 | 5.3 | CVE-2025-8546 |
| atjiu--pybbs | A vulnerability has been found in atjiu pybbs up to 6.0.0 and classified as critical. This vulnerability affects unknown code of the component Email Verification Handler. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 044f22893bee254dc2bb0d30f614913fab3c22c2. It is recommended to apply a patch to fix this issue. | 2025-08-05 | 5.3 | CVE-2025-8547 |
| atjiu--pybbs | A vulnerability was found in atjiu pybbs up to 6.0.0 and classified as problematic. This issue affects the function setCookie of the file src/main/java/co/yiiu/pybbs/util/CookieUtil.java. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is named 8aa2bb1aef3346e49aec6358edf5e47ce905ae7b. It is recommended to apply a patch to fix this issue. | 2025-08-10 | 4.3 | CVE-2025-8814 |
| Autodesk--3ds Max | A maliciously crafted PSD file, when linked or imported into Autodesk 3ds Max, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-08-06 | 5.3 | CVE-2025-6632 |
| bdthemes--Element Pack Addons for Elementor Mega Menu, Header Footer, Dynamic Builder and Ready Templates | The Element Pack Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'marker_content' parameter in versions up to, and including, 8.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-06 | 5.4 | CVE-2025-8100 |
| Boquan--DotWallet App | A vulnerability was found in Boquan DotWallet App 2.15.2 on Android and classified as problematic. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.boquanhash.dotwallet. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-04 | 5.3 | CVE-2025-8524 |
| checkpoint--Check Point Management Log Server | Lack of TLS validation when downloading a CSV file including mapping from IPs to countries used ONLY for displaying country flags in logs | 2025-08-06 | 6.5 | CVE-2025-2028 |
| checkpoint--Check Point Mobile Access | The Mobile Access Portal's File Share application is vulnerable to a directory traversal attack, allowing an authenticated, malicious end-user (authorized to at least one File Share application) to list the file names of 'nobody'-accessible directories on the Mobile Access gateway. | 2025-08-06 | 5 | CVE-2024-52885 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the web-based management interface of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to conduct a stored XSS attack against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have at least a low-privileged account on the affected device. | 2025-08-06 | 5.4 | CVE-2025-20331 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the web-based management interface of Cisco ISE could allow an authenticated, remote attacker to modify parts of the configuration on an affected device. This vulnerability is due to the lack of server-side validation of Administrator permissions. An attacker could exploit this vulnerability by submitting a crafted HTTP request to an affected system. A successful exploit could allow the attacker to modify descriptions of files on a specific page. To exploit this vulnerability, an attacker would need valid read-only Administrator credentials. | 2025-08-06 | 4.3 | CVE-2025-20332 |
| Cisco--Cisco Webex Meetings | A vulnerability in the meeting-join functionality of Cisco Webex Meetings could have allowed an unauthenticated, network-proximate attacker to complete a meeting-join process in place of an intended targeted user, provided the requisite conditions were satisfied. Cisco has addressed this vulnerability in the Cisco Webex Meetings service, and no customer action is needed. This vulnerability existed due to client certificate validation issues. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by monitoring local wireless or adjacent networks for client-join requests and attempting to interrupt and complete the meeting-join flow as another user who was currently joining a meeting. To successfully exploit the vulnerability, an attacker would need the capability to position themselves in a local wireless or adjacent network, to monitor and intercept the targeted network traffic flows, and to satisfy timing requirements in order to interrupt the meeting-join flow and exploit the vulnerability. A successful exploit could have allowed the attacker to join the meeting as another user. However, the Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of the vulnerability that is described in this advisory. | 2025-08-06 | 5.4 | CVE-2025-20215 |
| cloudfavorites--favorites-web | A vulnerability classified as critical was found in cloudfavorites favorites-web up to 1.3.0. Affected by this vulnerability is the function getCollectLogoUrl of the file app/src/main/java/com/favorites/web/CollectController.java. The manipulation of the argument url leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-04 | 6.3 | CVE-2025-8529 |
| CODESYS--Runtime Toolkit | CODESYS Runtime Toolkit-based products may expose sensitive files to local low-privileged operating system users due to default file permissions. | 2025-08-04 | 5.5 | CVE-2025-41658 |
| Dell--PowerProtect Data Domain Feature Release | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.1.0.10, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release versions 7.10.1.0 through 7.10.1.50, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the DDSH CLI. A high privileged attacker with local access could potentially exploit this vulnerability to execute arbitrary commands with root privileges. | 2025-08-04 | 6.7 | CVE-2025-30096 |
| Dell--PowerProtect Data Domain Feature Release | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.1.0.10, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release versions 7.10.1.0 through 7.10.1.50, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the DDSH CLI. A high privileged attacker with local access could potentially exploit this vulnerability to execute arbitrary commands with root privileges | 2025-08-04 | 6.7 | CVE-2025-30097 |
| Dell--PowerProtect Data Domain Feature Release | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 7.7.1.0 through 8.1.0.10, LTS2024 release Versions 7.13.1.0 through 7.13.1.25, LTS 2023 release versions 7.10.1.0 through 7.10.1.50, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the DDSH CLI. A high privileged attacker with local access could potentially exploit this vulnerability to execute arbitrary commands with root privileges. | 2025-08-04 | 6.7 | CVE-2025-30098 |
| Dell--Unity | Dell Unity, version(s) 5.5 and prior, contain(s) an Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in the CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to the execution of malicious HTML or JavaScript code in a victim user's web browser in the context of the vulnerable web application. Exploitation may lead to information disclosure, session theft, or client-side request forgery. | 2025-08-04 | 6.1 | CVE-2025-36605 |
| Draeger--Draeger ICMHelper | A low privileged local attacker can abuse the affected service by using a hardcoded cryptographic key. | 2025-08-05 | 5.5 | CVE-2025-2810 |
| dragwp--Flex Guten A Multipurpose Gutenberg Blocks Plugin | The Flex Guten plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'thumbnailHoverEffect' parameter in all versions up to, and including, 1.2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-06 | 6.4 | CVE-2025-6256 |
| Dream-Theme--The7 Website and eCommerce Builder for WordPress | The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme's JavaScript reads user-supplied 'title' and 'data-dt-img-description' attributes directly via jQuery.attr(), concatenates them into an HTML string, and inserts that string into the DOM using methods such as jQuery.html() without escaping or filtering. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-09 | 6.4 | CVE-2025-7726 |
| Eaton--G4 PDU | The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented potentially allowing an attacker to perform a Man-in-the-middle attack. This security issue has been fixed in the latest version which is available on the Eaton download center. | 2025-08-06 | 5.7 | CVE-2025-48393 |
| Eaton--G4 PDU | An attacker with authenticated and privileged access could modify the contents of a non-sensitive file by traversing the path in the limited shell of the CLI. This security issue has been fixed in the latest version which is available on the Eaton download center. | 2025-08-06 | 4.7 | CVE-2025-48394 |
| EG4 Electronics--EG4 12kPV | The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data, including read/write operations for voltage, current, and power configuration, operational status, alarms, telemetry, system reset, or inverter control commands, potentially disrupting power generation or reconfiguring inverter settings. | 2025-08-08 | 6.9 | CVE-2025-52586 |
| EG4 Electronics--EG4 12kPV | The public-facing product registration endpoint server responds differently depending on whether the S/N is valid and unregistered, valid but already registered, or does not exist in the database. Combined with the fact that serial numbers are sequentially assigned, this allows an attacker to gain information on the product registration status of different S/Ns. | 2025-08-08 | 5.8 | CVE-2025-47872 |
| elunez--eladmin | A vulnerability, which was classified as problematic, has been found in elunez eladmin up to 2.7. Affected by this issue is some unknown functionality of the file eladmin-system\src\main\resources\config\application-prod.yml of the component Druid. The manipulation of the argument login-username/login-password leads to use of default credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-04 | 5.3 | CVE-2025-8530 |
| emarket-design--Campus Directory Faculty, Staff & Student Directory Plugin for WordPress | The Campus Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'noaccess_msg' parameter in all versions up to, and including, 1.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-05 | 6.4 | CVE-2025-8313 |
| emarket-design--Employee Directory Staff Listing & Team Directory Plugin for WordPress | The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'noaccess_msg' parameter in all versions up to, and including, 4.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-05 | 6.4 | CVE-2025-8295 |
| emarket-design--Simple Contact Form Plugin for WordPress WP Easy Contact | The WP Easy Contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'noaccess_msg' parameter in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-05 | 6.4 | CVE-2025-8315 |
| Emby--MediaBrowser | CWE-620: Unverified Password Change | 2025-08-06 | 6.5 | CVE-2025-46389 |
| Emby--MediaBrowser | CWE-284: Improper Access Control | 2025-08-06 | 6.5 | CVE-2025-46391 |
| Emby--MediaBrowser | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | 2025-08-06 | 4.3 | CVE-2025-46388 |
| espocrm--espocrm | EspoCRM is a web application with a frontend designed as a single-page application and a REST API backend written in PHP. In versions 9.1.6 and below, if a user loads Espo in the browser with double slashes (e.g https://domain//#Admin) and the webserver does not strip the double slash, it can cause a corrupted Slim router's cache. This will make the instance unusable until there is a completed rebuild. This is fixed in version 9.1.7. | 2025-08-05 | 4.5 | CVE-2025-52892 |
| Eugeny--russh | Russh is a Rust SSH client & server library. In versions 0.54.0 and below, the channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementation takes the value from the message and adds it to an internal state value. This can result in a integer overflow. If the Rust code is compiled with overflow checks, it will panic. A malicious client can crash a server. This is fixed in version 0.54.1. | 2025-08-05 | 6.5 | CVE-2025-54804 |
| Exrick--xboot | A vulnerability was found in Exrick xboot up to 3.3.4. It has been declared as critical. This vulnerability affects the function Upload of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/UploadController.java. The manipulation of the argument File leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-04 | 6.3 | CVE-2025-8526 |
| Exrick--xboot | A vulnerability was found in Exrick xboot up to 3.3.4. It has been rated as critical. This issue affects some unknown processing of the file xboot-fast/src/main/java/cn/exrick/xboot/modules/base/controller/common/SecurityController.java of the component Swagger. The manipulation of the argument loginUrl leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-04 | 6.3 | CVE-2025-8527 |
| Exrick--xboot | A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-04 | 5.3 | CVE-2025-8525 |
| frappe--lms | Frappe Learning is a learning system that helps users structure their content. In versions 2.33.0 and below, the image upload functionality did not adequately sanitize uploaded SVG files. This allowed users to upload SVG files containing embedded JavaScript or other potentially malicious content. Malicious SVG files could be used to execute arbitrary scripts in the context of other users. A fix for this issue is planned for version 2.34.0. | 2025-08-09 | 4.3 | CVE-2025-55006 |
| FUJIFILM Business Innovation Corp.--DocuPrint CP225 w | Out-of-bounds write vulnerability exists in FUJIFILM Business Innovation MFPs. A specially crafted IPP (Internet Printing Protocol) or LPD (Line Printer Daemon) packet may cause a denial-of-service (DoS) condition on an affected MFP. Resetting the MFP is required to recover from the denial-of-service (DoS) condition. | 2025-08-04 | 5.3 | CVE-2025-48499 |
| geoplay9--esri-map-view | The esri-map-view plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's esri-map-view shortcode in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-06 | 6.4 | CVE-2025-6259 |
| givanz--Vvveb | A vulnerability was found in givanz Vvveb 1.0.6.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality. The manipulation leads to session fixiation. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.7 is able to address this issue. The patch is named d4b1e030066417b77d15b4ac505eed5ae7bf2c5e. It is recommended to upgrade the affected component. | 2025-08-04 | 6.3 | CVE-2025-8517 |
| givanz--Vvveb | A vulnerability was found in givanz Vvveb 1.0.5. It has been rated as critical. Affected by this issue is the function Save of the file admin/controller/editor/code.php of the component Code Editor. The manipulation leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.6 is able to address this issue. The name of the patch is f684f3e374d04db715730fc4796e102f5ebcacb2. It is recommended to upgrade the affected component. | 2025-08-04 | 4.7 | CVE-2025-8518 |
| givanz--Vvveb | A vulnerability classified as critical was found in givanz Vvveb up to 1.0.5. This vulnerability affects unknown code of the file /vadmin123/?module=editor/editor of the component Drag-and-Drop Editor. The manipulation of the argument url leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.6 is able to address this issue. The patch is identified as f684f3e374d04db715730fc4796e102f5ebcacb2. It is recommended to upgrade the affected component. | 2025-08-04 | 4.7 | CVE-2025-8520 |
| givanz--Vvvebjs | A vulnerability, which was classified as critical, was found in givanz Vvvebjs up to 2.0.4. Affected is an unknown function of the file /save.php of the component node.js. The manipulation of the argument File leads to path traversal. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. | 2025-08-04 | 5 | CVE-2025-8522 |
| givewp--GiveWP Donation Plugin and Fundraising Platform | The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 4.6.0. This makes it possible for unauthenticated attackers to extract donor names, emails, and donor id. | 2025-08-06 | 5.3 | CVE-2025-8620 |
| GNU--cflow | A vulnerability, which was classified as critical, has been found in GNU cflow up to 1.8. Affected by this issue is the function yylex of the file c.c of the component Lexer. The manipulation leads to buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 5.3 | CVE-2025-8736 |
| Grafana--grafana-infinity-datasource | Grafana is an open-source platform for monitoring and observability. The Infinity datasource plugin, maintained by Grafana Labs, allows visualizing data from JSON, CSV, XML, GraphQL, and HTML endpoints. If the plugin was configured to allow only certain URLs, an attacker could bypass this restriction using a specially crafted URL. This vulnerability is fixed in version 3.4.1. | 2025-08-04 | 5 | CVE-2025-8341 |
| HashiCorp--Vault | Vault and Vault Enterprise's ("Vault") ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and 1.16.24. | 2025-08-06 | 6.5 | CVE-2025-6013 |
| Huawei--EnzoH-W5611T | EnzoH has an OS command injection vulnerability. Successful exploitation of this vulnerability may lead to arbitrary command execution. | 2025-08-08 | 5 | CVE-2024-58255 |
| Huawei--EnzoH-W5611T | EnzoH has an OS command injection vulnerability. Successful exploitation of this vulnerability may lead to arbitrary command execution. | 2025-08-08 | 5.7 | CVE-2024-58257 |
| Huawei--EnzoH-W5611T | EnzoH has an OS command injection vulnerability. Successful exploitation of this vulnerability may lead to arbitrary command execution. | 2025-08-08 | 4.5 | CVE-2024-58256 |
| Huawei--HarmonyOS | Vulnerability that allows setting screen rotation direction without permission verification in the screen management module. Impact: Successful exploitation of this vulnerability may cause device screen orientation to be arbitrarily set. | 2025-08-06 | 6.2 | CVE-2025-54608 |
| Huawei--HarmonyOS | Input verification vulnerability in the home screen module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 6.2 | CVE-2025-54614 |
| Huawei--HarmonyOS | Vulnerability of insufficient information protection in the media library module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-08-06 | 6.2 | CVE-2025-54615 |
| Huawei--HarmonyOS | Stack-based buffer overflow vulnerability in the dms_fwk module. Impact: Successful exploitation of this vulnerability can cause RCE. | 2025-08-06 | 6.8 | CVE-2025-54617 |
| Huawei--HarmonyOS | Out-of-bounds read vulnerability in the devicemanager module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 6.3 | CVE-2025-54623 |
| Huawei--HarmonyOS | Race condition vulnerability in the kernel file system module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 6.7 | CVE-2025-54625 |
| Huawei--HarmonyOS | Race condition issue occurring in the physical page import process of the memory management module. Impact: Successful exploitation of this vulnerability may affect service integrity. | 2025-08-06 | 6.7 | CVE-2025-54629 |
| Huawei--HarmonyOS | :Vulnerability of insufficient data length verification in the DFA module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 6.8 | CVE-2025-54630 |
| Huawei--HarmonyOS | Vulnerability of insufficient data length verification in the partition module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 6.7 | CVE-2025-54631 |
| Huawei--HarmonyOS | Vulnerability of insufficient data length verification in the HVB module. Impact: Successful exploitation of this vulnerability may affect service integrity. | 2025-08-06 | 6.8 | CVE-2025-54632 |
| Huawei--HarmonyOS | Out-of-bounds read vulnerability in the register configuration of the DMA module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-08-06 | 6.7 | CVE-2025-54633 |
| Huawei--HarmonyOS | Issue of buffer overflow caused by insufficient data verification in the kernel acceleration module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 6.7 | CVE-2025-54641 |
| Huawei--HarmonyOS | Issue of buffer overflow caused by insufficient data verification in the kernel gyroscope module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 6.7 | CVE-2025-54642 |
| Huawei--HarmonyOS | Out-of-bounds array access issue due to insufficient data verification in the kernel ambient light module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-08-06 | 6.6 | CVE-2025-54643 |
| Huawei--HarmonyOS | Out-of-bounds array access issue due to insufficient data verification in the kernel ambient light module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-08-06 | 6.6 | CVE-2025-54644 |
| Huawei--HarmonyOS | Out-of-bounds access vulnerability in the audio codec module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 5.4 | CVE-2025-54609 |
| Huawei--HarmonyOS | Out-of-bounds access vulnerability in the audio codec module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 5.4 | CVE-2025-54610 |
| Huawei--HarmonyOS | Iterator failure vulnerability in the card management module. Impact: Successful exploitation of this vulnerability may affect function stability. | 2025-08-06 | 5.9 | CVE-2025-54612 |
| Huawei--HarmonyOS | Iterator failure vulnerability in the card management module. Impact: Successful exploitation of this vulnerability may affect function stability. | 2025-08-06 | 5.9 | CVE-2025-54613 |
| Huawei--HarmonyOS | Permission control vulnerability in the distributed clipboard module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-08-06 | 5.7 | CVE-2025-54618 |
| Huawei--HarmonyOS | Iterator failure issue in the multi-mode input module. Impact: Successful exploitation of this vulnerability may cause iterator failures and affect availability. | 2025-08-06 | 5.3 | CVE-2025-54619 |
| Huawei--HarmonyOS | Deserialization vulnerability of untrusted data in the ability module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 5.5 | CVE-2025-54620 |
| Huawei--HarmonyOS | Iterator failure issue in the WantAgent module. Impact: Successful exploitation of this vulnerability may cause memory release failures. | 2025-08-06 | 5.3 | CVE-2025-54621 |
| Huawei--HarmonyOS | Unexpected injection event vulnerability in the multimodalinput module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 5.7 | CVE-2025-54624 |
| Huawei--HarmonyOS | Vulnerability of incomplete verification information in the communication module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 5.3 | CVE-2025-54628 |
| Huawei--HarmonyOS | Vulnerability of returning released pointers in the distributed notification service. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 5.9 | CVE-2025-54635 |
| Huawei--HarmonyOS | Issue of inconsistent read/write serialization in the ad module. Impact: Successful exploitation of this vulnerability may affect the availability of the ad service. | 2025-08-06 | 5.5 | CVE-2025-54638 |
| Huawei--HarmonyOS | ParcelMismatch vulnerability in attribute deserialization. Impact: Successful exploitation of this vulnerability may cause playback control screen display exceptions. | 2025-08-06 | 5.5 | CVE-2025-54639 |
| Huawei--HarmonyOS | ParcelMismatch vulnerability in attribute deserialization. Impact: Successful exploitation of this vulnerability may cause playback control screen display exceptions. | 2025-08-06 | 5.5 | CVE-2025-54640 |
| Huawei--HarmonyOS | Out-of-bounds array access issue due to insufficient data verification in the location service module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 5 | CVE-2025-54645 |
| Huawei--HarmonyOS | Vulnerability of inadequate packet length check in the BLE module. Impact: Successful exploitation of this vulnerability may affect performance. | 2025-08-06 | 5.1 | CVE-2025-54646 |
| Huawei--HarmonyOS | Out-of-bounds read vulnerability in the SSAP module of the NearLink protocol stack. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 5.4 | CVE-2025-54647 |
| Huawei--HarmonyOS | Out-of-bounds read vulnerability in the SSAP module of the NearLink protocol stack. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 5.4 | CVE-2025-54648 |
| Huawei--HarmonyOS | Out-of-bounds array access vulnerability in the ArkUI framework. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 4 | CVE-2025-54616 |
| Huawei--HarmonyOS | Pointer dangling vulnerability in the cjwindow module. Impact: Successful exploitation of this vulnerability may affect function stability. | 2025-08-06 | 4.4 | CVE-2025-54626 |
| Huawei--HarmonyOS | Issue of buffer overflow caused by insufficient data verification in the kernel drop detection module. Impact: Successful exploitation of this vulnerability may affect availability. | 2025-08-06 | 4.4 | CVE-2025-54636 |
| Huawei--HarmonyOS | Out-of-bounds array access issue due to insufficient data verification in the kernel ambient light module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-08-06 | 4.4 | CVE-2025-54637 |
| Huawei--HarmonyOS | Vulnerability of using incompatible types to access resources in the location service. Impact: Successful exploitation of this vulnerability may cause some location information attributes to be incorrect. | 2025-08-06 | 4.5 | CVE-2025-54649 |
| Huawei--HarmonyOS | Improper array index verification vulnerability in the audio codec module. Impact: Successful exploitation of this vulnerability may affect the audio decoding function. | 2025-08-06 | 4.2 | CVE-2025-54650 |
| Huawei--HarmonyOS | Race condition vulnerability in the kernel hufs module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-08-06 | 4.8 | CVE-2025-54651 |
| Huuge--Box App | A vulnerability was found in Huuge Box App 1.0.3 on Android. It has been classified as problematic. This affects an unknown part of the file AndroidManifest.xml of the component com.huuge.game.zjbox. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 5.3 | CVE-2025-8707 |
| IBM--Cloud Pak for Business Automation | IBM Cloud Pak for Business Automation 24.0.0 through 24.0.0 IF005 and 24.0.1 through 24.0.1 IF002 could allow an authenticated user to view sensitive user and system information due to an indirect object reference through a user-controlled key. | 2025-08-08 | 6.5 | CVE-2025-36023 |
| IBM--Guardium Data Protection | IBM Guardium Data Protection could allow a remote attacker to obtain sensitive information due to cleartext transmission of sensitive credential information. | 2025-08-06 | 5.9 | CVE-2025-36020 |
| IBM--IBM Engineering Lifecycle Optimization - Publishing | IBM Engineering Lifecycle Optimization - Publishing 7.0.2 and 7.03 could be susceptible to cross-site scripting due to no validation of URIs. | 2025-08-05 | 6.1 | CVE-2024-52890 |
| jegstudio--Gutenverse Ultimate Block Addons and Page Builder for Site Editor | The Gutenverse plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Animated Text and Fun Fact blocks in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-06 | 6.4 | CVE-2025-7727 |
| Kingdee--Cloud-Starry-Sky Enterprise Edition | A vulnerability was found in Kingdee Cloud-Starry-Sky Enterprise Edition up to 8.2. It has been classified as problematic. Affected is the function BaseServiceFactory.getFileUploadService.deleteFileAction of the file K3Cloud\BBCMallSite\WEB-INF\lib\Kingdee.K3.O2O.Base.WebApp.jar!\kingdee\k3\o2o\base\webapp\action\FileUploadAction.class of the component IIS-K3CloudMiniApp. The manipulation of the argument filePath leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor recommends as a short-term measure to "[t]emporarily disable external network access to the Kingdee Cloud Galaxy Retail System or set up an IP whitelist for access control." The long-term remediation will be: "Install the security patch provided by the Starry Sky system, with the specific solutions being: i) Adding authentication to the vulnerable CMKAppWebHandler.ashx interface; ii) Removing the file reading function." | 2025-08-04 | 5.3 | CVE-2025-8516 |
| Linksys--RE6250 | A vulnerability has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 up to 20250801. Affected by this issue is the function setDFSSetting of the file /goform/setLan. The manipulation of the argument lanNetmask/lanIp leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 6.3 | CVE-2025-8818 |
| linlinjava--litemall | A vulnerability classified as critical has been found in linlinjava litemall up to 1.8.0. Affected is the function Upload of the file /wx/storage/upload. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-09 | 6.3 | CVE-2025-8764 |
| linlinjava--litemall | A vulnerability, which was classified as critical, has been found in linlinjava litemall up to 1.8.0. Affected by this issue is the function delete of the file /admin/storage/delete of the component File Handler. The manipulation of the argument key leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-09 | 5.4 | CVE-2025-8753 |
| LitmusChaos--Litmus | A vulnerability was found in LitmusChaos Litmus up to 3.19.0. It has been rated as critical. This issue affects some unknown processing of the file /auth/list_projects. The manipulation of the argument role leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 6.3 | CVE-2025-8791 |
| LitmusChaos--Litmus | A vulnerability, which was classified as critical, was found in LitmusChaos Litmus up to 3.19.0. This affects an unknown part of the file /auth/login. The manipulation of the argument projectID leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 6.3 | CVE-2025-8795 |
| LitmusChaos--Litmus | A vulnerability was found in LitmusChaos Litmus up to 3.19.0 and classified as critical. This issue affects some unknown processing of the component LocalStorage Handler. The manipulation leads to permission issues. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 6.3 | CVE-2025-8797 |
| LitmusChaos--Litmus | A vulnerability, which was classified as problematic, has been found in LitmusChaos Litmus up to 3.19.0. Affected by this issue is some unknown functionality of the component LocalStorage Handler. The manipulation of the argument projectID leads to authorization bypass. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 5.3 | CVE-2025-8794 |
| LitmusChaos--Litmus | A vulnerability has been found in LitmusChaos Litmus up to 3.19.0 and classified as problematic. This vulnerability affects unknown code of the file /auth/delete_project/ of the component Delete Request Handler. The manipulation of the argument projectID leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 5.4 | CVE-2025-8796 |
| LitmusChaos--Litmus | A vulnerability classified as problematic has been found in LitmusChaos Litmus up to 3.19.0. Affected is an unknown function. The manipulation leads to client-side enforcement of server-side security. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 4.3 | CVE-2025-8792 |
| LitmusChaos--Litmus | A vulnerability classified as problematic was found in LitmusChaos Litmus up to 3.19.0. Affected by this vulnerability is an unknown functionality. The manipulation of the argument projectID leads to improper control of resource identifiers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 4.3 | CVE-2025-8793 |
| macrozheng--mall | A vulnerability was found in macrozheng mall up to 1.0.3 and classified as problematic. This issue affects the function detail of the file UmsMemberController.java of the component com.macro.mall.portal.controller. The manipulation of the argument orderId leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 5.3 | CVE-2025-8755 |
| mastodon--mastodon | Mastodon is a free, open-source social network server based on ActivityPub Mastodon which facilitates LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error where the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitate user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3. | 2025-08-05 | 5.3 | CVE-2025-54879 |
| Microsoft--Microsoft 365 Copilot's Business Chat | Microsoft 365 Copilot BizChat Information Disclosure Vulnerability | 2025-08-07 | 6.5 | CVE-2025-53774 |
| MigoXLab--LMeterX | A vulnerability has been found in MigoXLab LMeterX 1.2.0 and classified as critical. Affected by this vulnerability is the function process_cert_files of the file backend/service/upload_service.py. The manipulation of the argument task_id leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is f1b00597e293d09452aabd4fa57f3185207350e8. It is recommended to apply a patch to fix this issue. | 2025-08-08 | 6.3 | CVE-2025-8729 |
| Mitsubishi Electric Corporation--GENESIS64 | Windows Shortcut Following (.LNK) vulnerability in multiple processes of Mitsubishi Electric Iconics Digital Solutions GENESIS64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS version 11.00, Mitsubishi Electric GENESIS64 all versions, Mitsubishi Electric MC Works64 all versions, and Mitsubishi Electric GENESIS version 11.00 allows a local authenticated attacker to make an unauthorized write to arbitrary files, by creating a symbolic link from a file used as a write destination by the processes of the affected products to a target file. This could allow the attacker to destroy the file on a PC with the affected products installed, resulting in a denial-of-service (DoS) condition on the PC if the destroyed file is necessary for the operation of the PC. | 2025-08-06 | 5.9 | CVE-2025-7376 |
| Mobile Industrial Robots--MiR Robots | Path Traversal vulnerability in API Endpoint in Mobile Industrial Robots (MiR) Software Versions prior to 3.0.0 on MiR Robots allows authenticated users to extract files from the robot file system via a crafted API request. | 2025-08-08 | 6.5 | CVE-2025-8749 |
| MuffinGroup--Betheme | The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via an Elementor display setting in all versions up to, and including, 28.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-06 | 6.4 | CVE-2025-7399 |
| n/a--agentUniverse | A vulnerability was found in agentUniverse up to 0.0.18 and classified as critical. This issue affects the function StdioServerParameters of the component MCPSessionManager/MCPTool/MCPToolkit. The manipulation leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-07 | 6.3 | CVE-2025-8697 |
| n/a--libav | A vulnerability, which was classified as critical, has been found in libav up to 12.3. Affected by this issue is the function main of the file /avtools/avconv.c of the component DSS File Demuxer. The manipulation leads to double free. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The bug was initially reported by the researcher to the wrong project. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-05 | 5.3 | CVE-2025-8585 |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.5. It has been declared as problematic. Affected by this vulnerability is the function amf_npcf_am_policy_control_build_create/amf_nsmf_pdusession_build_create_sm_context of the file src/amf/npcf-build.c of the component AMF. The manipulation leads to denial of service. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.7.6 is able to address this issue. The patch is named cf63dd63197bf61a4b041aa364ba6a6199ab15e4. It is recommended to upgrade the affected component. | 2025-08-10 | 5.3 | CVE-2025-8799 |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.5. It has been rated as problematic. Affected by this issue is the function esm_handle_pdn_connectivity_request of the file src/mme/esm-handler.c of the component AMF Component. The manipulation leads to denial of service. The attack may be launched remotely. Upgrading to version 2.7.6 is able to address this issue. The name of the patch is 701505102f514cbde2856cd2ebc9bedb7efc820d. It is recommended to upgrade the affected component. | 2025-08-10 | 5.3 | CVE-2025-8800 |
| n/a--Open5GS | A vulnerability classified as problematic has been found in Open5GS up to 2.7.5. This affects the function gmm_state_exception of the file src/amf/gmm-sm.c of the component AMF. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.7.6 is able to address this issue. The identifier of the patch is f47f2bd4f7274295c5fbb19e2f806753d183d09a. It is recommended to upgrade the affected component. | 2025-08-10 | 5.3 | CVE-2025-8801 |
| n/a--Open5GS | A vulnerability classified as problematic was found in Open5GS up to 2.7.5. This vulnerability affects the function smf_state_operational of the file src/smf/smf-sm.c of the component SMF. The manipulation of the argument stream leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version v2.7.6 is able to address this issue. The patch is identified as f168f7586a4fa536cee95ae60ac437d997f15b97. It is recommended to upgrade the affected component. | 2025-08-10 | 5.3 | CVE-2025-8802 |
| n/a--Open5GS | A vulnerability, which was classified as problematic, was found in Open5GS up to 2.7.5. Affected is the function gmm_state_de_registered/gmm_state_exception of the file src/amf/gmm-sm.c of the component AMF. The manipulation leads to denial of service. It is possible to launch the attack remotely. Upgrading to version 2.7.6 is able to address this issue. The name of the patch is 1f30edac27f69f61cff50162e980fe58fdeb30ca. It is recommended to upgrade the affected component. | 2025-08-10 | 5.3 | CVE-2025-8803 |
| n/a--Open5GS | A vulnerability has been found in Open5GS up to 2.7.5 and classified as problematic. Affected by this vulnerability is the function ngap_build_downlink_nas_transport of the component AMF. The manipulation leads to reachable assertion. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.7.6 is able to address this issue. The identifier of the patch is bca0a7b6e01d254f4223b83831162566d4626428. It is recommended to upgrade the affected component. | 2025-08-10 | 5.3 | CVE-2025-8804 |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.5 and classified as problematic. Affected by this issue is the function smf_gsm_state_wait_pfcp_deletion of the file src/smf/gsm-sm.c of the component SMF. The manipulation leads to denial of service. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 2.7.6 is able to address this issue. The patch is identified as c58b8f081986aaf2a312d73a0a17985518b47fe6. It is recommended to upgrade the affected component. | 2025-08-10 | 5.3 | CVE-2025-8805 |
| n/a--Sage DPW | An Insecure Direct Object Reference (IDOR) in Sage DPW v2024_12_004 and below allows unauthorized attackers to access internal forms via sending a crafted GET request. | 2025-08-07 | 5.3 | CVE-2025-51533 |
| ninjateam--FileBird WordPress Media Library Folders & File Manager | The FileBird - WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to SQL Injection via the 'search' parameter in all versions up to, and including, 6.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-08-06 | 6.5 | CVE-2025-6986 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause an out-of-bounds read by manipulating shared memory data. A successful exploit of this vulnerability might lead to information disclosure. | 2025-08-06 | 5.9 | CVE-2025-23333 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause an out-of-bounds read by sending a request. A successful exploit of this vulnerability might lead to information disclosure. | 2025-08-06 | 5.9 | CVE-2025-23334 |
| NVIDIA--Triton Inference Server | NVIDIA Triton Inference Server for Windows and Linux and the Tensor RT backend contain a vulnerability where an attacker could cause an underflow by a specific model configuration and a specific input. A successful exploit of this vulnerability might lead to denial of service. | 2025-08-06 | 4.4 | CVE-2025-23335 |
| oakserver--oak | oak is a middleware framework for Deno's native HTTP server, Deno Deploy, Node.js 16.5 and later, Cloudflare Workers and Bun. In versions 17.1.5 and below, it's possible to significantly slow down an oak server with specially crafted values of the x-forwarded-proto or x-forwarded-for headers. | 2025-08-09 | 5.3 | CVE-2025-55152 |
| openbao--openbao | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, OpenBao's TOTP secrets engine could accept valid codes multiple times rather than strictly-once. This was caused by unexpected normalization in the underlying TOTP library. To work around, ensure that all codes are first normalized before submitting to the OpenBao endpoint. TOTP code verification is a privileged action; only trusted systems should be verifying codes. | 2025-08-09 | 6.5 | CVE-2025-55000 |
| openbao--openbao | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao allowed the assignment of policies and MFA attribution based upon entity aliases, chosen by the underlying auth method. When the username_as_alias=true parameter in the LDAP auth method was in use, the caller-supplied username was used verbatim without normalization, allowing an attacker to bypass alias-specific MFA requirements. This issue was fixed in version 2.3.2. To work around this, remove all usage of the username_as_alias=true parameter and update any entity aliases accordingly. | 2025-08-09 | 6.5 | CVE-2025-55001 |
| openbao--openbao | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, attackers could bypass the automatic user lockout mechanisms in the OpenBao Userpass or LDAP auth systems. This was caused by different aliasing between pre-flight and full login request user entity alias attributions. This is fixed in version 2.3.2. To work around this issue, existing users may apply rate-limiting quotas on the authentication endpoints:, see https://openbao.org/api-docs/system/rate-limit-quotas/. | 2025-08-09 | 5.3 | CVE-2025-54998 |
| openbao--openbao | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 2.3.1 and below, OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the MFA method and allow reuse of existing MFA codes. This issue was fixed in version 2.3.2. To work around this, use of rate-limiting quotas can limit an attacker's ability to exploit this: https://openbao.org/api-docs/system/rate-limit-quotas/. | 2025-08-09 | 5.7 | CVE-2025-55003 |
| PDF-XChange Co. Ltd--PDF-XChange Editor | An out-of-bounds read vulnerability exists in the EMF functionality of PDF-XChange Editor version 10.5.2.395. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information. | 2025-08-05 | 6.5 | CVE-2025-27931 |
| PDF-XChange Co. Ltd--PDF-XChange Editor | An out-of-bounds read vulnerability exists in the EMF functionality of PDF-XChange Co. Ltd PDF-XChange Editor 10.6.0.396. By using a specially crafted EMF file, an attacker could exploit this vulnerability to perform an out-of-bounds read, potentially leading to the disclosure of sensitive information. | 2025-08-05 | 6.5 | CVE-2025-47152 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been classified as problematic. This affects an unknown part of the file /module/Api/Diario of the component API Endpoint. The manipulation leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 4.3 | CVE-2025-8789 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar up to 2.9.0. It has been declared as critical. This vulnerability affects unknown code of the file /module/Api/pessoa of the component API Endpoint. The manipulation of the argument ID leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 4.3 | CVE-2025-8790 |
| Qiyuesuo--Eelectronic Signature Platform | A vulnerability was found in Qiyuesuo Eelectronic Signature Platform up to 4.34 and classified as critical. Affected by this issue is the function execute of the file /api/code/upload of the component Scheduled Task Handler. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 6.3 | CVE-2025-8775 |
| Qualcomm, Inc.--Snapdragon | Information disclosure while opening a fastrpc session when domain is not sanitized. | 2025-08-06 | 6.1 | CVE-2025-21457 |
| Qualcomm, Inc.--Snapdragon | Information disclosure while reading data from an image using specified offset and size parameters. | 2025-08-06 | 6.5 | CVE-2025-21464 |
| Qualcomm, Inc.--Snapdragon | Information disclosure while processing the hash segment in an MBN file. | 2025-08-06 | 6.5 | CVE-2025-21465 |
| Qualcomm, Inc.--Snapdragon | Information disclosure while capturing logs as eSE debug messages are logged. | 2025-08-06 | 5.5 | CVE-2025-21472 |
| Qualcomm, Inc.--Snapdragon | Information disclosure while processing a packet at EAVB BE side with invalid header length. | 2025-08-06 | 5.5 | CVE-2025-27072 |
| Red Hat--File Integrity Operator | Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container. | 2025-08-07 | 5.2 | CVE-2025-7195 |
| Red Hat--Red Hat Ansible Automation Platform 2.5 for RHEL 8 | A flaw was found in the Ansible aap-gateway. Cross-site request forgery (CSRF) origin checking is not done on requests from the gateway to external components, such as the controller, hub, and eda. | 2025-08-04 | 5.3 | CVE-2025-5988 |
| Red Hat--Red Hat Build of Keycloak | A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks. | 2025-08-06 | 6.5 | CVE-2025-8419 |
| RiderLike--Fruit Crush-Brain App | A vulnerability has been found in RiderLike Fruit Crush-Brain App 1.0 on Android and classified as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.fruitcrush.fun. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-04 | 5.3 | CVE-2025-8523 |
| RUCKUS--Network Director | RUCKUS Network Director (RND) before 4.5 stores passwords in a recoverable format. | 2025-08-04 | 5.3 | CVE-2025-44958 |
| RUCKUS--SmartZone | RUCKUS SmartZone (SZ) before 6.1.2p3 Refresh Build allows ../ directory traversal to read files. | 2025-08-04 | 5 | CVE-2025-44962 |
| Samsung Mobile--Blockchain Keystore | Out-of-bounds write in detaching crypto box in Blockchain Keystore prior to version 1.3.17.2 allows local privileged attackers to write out-of-bounds memory. | 2025-08-06 | 6.3 | CVE-2025-21017 |
| Samsung Mobile--Blockchain Keystore | Out-of-bounds write in creating bitmap images in Blockchain Keystore prior to version 1.3.17.2 allows local privileged attackers to write out-of-bounds memory. | 2025-08-06 | 5.7 | CVE-2025-21020 |
| Samsung Mobile--Blockchain Keystore | Out-of-bounds write in drawing pinpad in Blockchain Keystore prior to version 1.3.17.2 allows local privileged attackers to write out-of-bounds memory. | 2025-08-06 | 5.7 | CVE-2025-21021 |
| Samsung Mobile--Blockchain Keystore | Out-of-bounds read in Blockchain Keystore prior to version 1.3.17.2 allows local privileged attackers to read out-of-bounds memory. | 2025-08-06 | 4.4 | CVE-2025-21018 |
| Samsung Mobile--Samsung Health | Improper authorization in Samsung Health prior to version 6.30.1.003 allows local attackers to access data in Samsung Health. User interaction is required for triggering this vulnerability. | 2025-08-06 | 5.5 | CVE-2025-21019 |
| Samsung Mobile--Samsung Mobile Devices | Improper privilege management in SamsungAccount prior to SMR Aug-2025 Release 1 allows local privileged attackers to deactivate Samsung account. | 2025-08-06 | 6 | CVE-2025-21010 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in SemSensorManager for Galaxy Watch prior to SMR Aug-2025 Release 1 allows local attackers to access sensitive information related to outdoor exercise and sleep time. | 2025-08-06 | 6.2 | CVE-2025-21013 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in SemSensorService for Galaxy Watch prior to SMR Aug-2025 Release 1 allows local attackers to access sensitive information related to motion and body sensors. | 2025-08-06 | 5.5 | CVE-2025-21011 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in fall detection for Galaxy Watch prior to SMR Aug-2025 Release 1 allows local attackers to modify fall detection configuration. | 2025-08-06 | 5.5 | CVE-2025-21012 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in accessing system device node prior to SMR Aug-2025 Release 1 allows local attackers to access device identifier. | 2025-08-06 | 4 | CVE-2025-20990 |
| Samsung Mobile--Samsung Mobile Devices | Improper export of android application component in Emergency SoS prior to SMR Aug-2025 Release 1 allows local attackers to access sensitive information. | 2025-08-06 | 4.3 | CVE-2025-21014 |
| Samsung Mobile--Samsung Mobile Devices | Path Traversal in Document scanner prior to SMR Aug-2025 Release 1 allows local attackers to delete file with Document scanner's privilege. | 2025-08-06 | 4 | CVE-2025-21015 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in PkgPredictorService prior to SMR Aug-2025 Release 1 in Chinese Android 13, 14, 15 and 16 allows local attackers to use the privileged APIs. | 2025-08-06 | 4.3 | CVE-2025-21016 |
| SkyworkAI--DeepResearchAgent | A vulnerability, which was classified as critical, was found in SkyworkAI DeepResearchAgent up to 08eb7f8eb9505d0094d75bb97ff7dacc3fa3bbf2. Affected is the function from_code/from_dict/from_mcp of the file src/tools/tools.py. The manipulation leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-06 | 6.3 | CVE-2025-8667 |
| StarDict--StarDict | The YouDao plugin for StarDict, as used in stardict 3.0.7+git20220909+dfsg-6 in Debian trixie and elsewhere, sends an X11 selection to the dict.youdao.com and dict.cn servers via cleartext HTTP. | 2025-08-04 | 4.7 | CVE-2025-55014 |
| steveseguin--electroncapture | Electron Capture facilitates video playback for screen-sharing and capture. In versions 2.19.1 and below, the elecap app on macOS allows local unprivileged users to bypass macOS TCC privacy protections by enabling ELECTRON_RUN_AS_NODE. This environment variable allows arbitrary Node.js code to be executed via the -e flag, which runs inside the main Electron context, inheriting any previously granted TCC entitlements (such as access to Documents, Downloads, etc.). This issue is fixed in version 2.20.0. | 2025-08-05 | 5.5 | CVE-2025-54871 |
| SuiteCRM--SuiteCRM-Core | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. In versions 7.14.6 and 8.8.0, the broken authentication in the legacy iCal service allows unauthenticated access to meeting data. An unauthenticated actor can view any user's meeting (calendar event) data given their username, related functionality allows user enumeration. This is fixed in versions 7.14.7 and 8.8.1. | 2025-08-06 | 5.3 | CVE-2025-54786 |
| tae898--ERC | ERC (aka Emotion Recognition in Conversation) through 0.3 has insecure deserialization via a serialized object because jsonpickle is used. | 2025-08-07 | 5.7 | CVE-2025-55136 |
| TDuckCloud--tduck-platform | A vulnerability has been found in TDuckCloud tduck-platform up to 5.1 and classified as critical. Affected by this vulnerability is the function preHandle of the file /manage/ of the component com.tduck.cloud.api.web.interceptor.AuthorizationInterceptor. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-09 | 6.3 | CVE-2025-8756 |
| Tera Insights--tiCrypt | tiaudit in Tera Insights tiCrypt before 2025-07-17 allows unauthenticated REST API requests that reveal sensitive information about the underlying SQL queries and database structure. | 2025-08-04 | 5.3 | CVE-2025-54554 |
| themegrill--Zakra | The Zakra theme for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the welcome_notice_import_handler() function in all versions up to, and including, 4.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo settings. | 2025-08-06 | 4.3 | CVE-2025-8595 |
| thiagoralves--OpenPLC_v3 | /edit-user in webserver in OpenPLC Runtime 3 through 9cd8f1b allows authenticated users to upload arbitrary files (such as .html or .svg), and these are then publicly accessible under the /static URI. | 2025-08-04 | 6.4 | CVE-2025-54962 |
| timstrifler--Exclusive Addons for Elementor | The Exclusive Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Countdown Widget in all versions up to, and including, 2.7.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-06 | 6.4 | CVE-2025-7498 |
| Vinades--NukeViet | A vulnerability, which was classified as problematic, has been found in Vinades NukeViet up to 4.5.06. This issue affects some unknown processing of the file /admin/index.php?language=en&nv=upload of the component Module Handler. The manipulation leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 4.3 | CVE-2025-8772 |
| Wanzhou--WOES Intelligent Optimization Energy Saving System | A vulnerability was found in Wanzhou WOES Intelligent Optimization Energy Saving System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /OL_OprationLog/GetPageList. The manipulation of the argument optUser leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-07 | 6.3 | CVE-2025-8701 |
| Wanzhou--WOES Intelligent Optimization Energy Saving System | A vulnerability classified as critical has been found in Wanzhou WOES Intelligent Optimization Energy Saving System 1.0. This affects an unknown part of the file /CommonSolution/GetVariableByOneIDNew of the component Historical Data Query Module. The manipulation of the argument ObjectID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-07 | 6.3 | CVE-2025-8702 |
| Wanzhou--WOES Intelligent Optimization Energy Saving System | A vulnerability classified as critical was found in Wanzhou WOES Intelligent Optimization Energy Saving System 1.0. This vulnerability affects unknown code of the file /WEAS_HomePage/GetAreaTrendChartData of the component Environmental Real-Time Data Module. The manipulation of the argument energyId leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 6.3 | CVE-2025-8703 |
| Wanzhou--WOES Intelligent Optimization Energy Saving System | A vulnerability, which was classified as critical, has been found in Wanzhou WOES Intelligent Optimization Energy Saving System 1.0. This issue affects some unknown processing of the file /WEAS_AlarmResult/GetAlarmResultProcessList of the component Analysis Conclusion Query Module. The manipulation of the argument resultId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 6.3 | CVE-2025-8704 |
| Wanzhou--WOES Intelligent Optimization Energy Saving System | A vulnerability, which was classified as critical, was found in Wanzhou WOES Intelligent Optimization Energy Saving System 1.0. Affected is an unknown function of the file /WEAS_HomePage/GetTargetConfig of the component Energy Overview Module. The manipulation of the argument BP_ProID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 6.3 | CVE-2025-8705 |
| Wanzhou--WOES Intelligent Optimization Energy Saving System | A vulnerability has been found in Wanzhou WOES Intelligent Optimization Energy Saving System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /CommonSolution/CreateFunctionLog of the component Energy Overview Module. The manipulation of the argument MM_MenID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 6.3 | CVE-2025-8706 |
| Weee--RICEPO App | A vulnerability, which was classified as problematic, has been found in Weee RICEPO App 6.17.77 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.ricepo.app. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 5.3 | CVE-2025-8745 |
| wpbakery--WPBakery Page Builder | The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several shortcodes in all versions up to, and including, 8.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-06 | 6.4 | CVE-2025-7502 |
| xujeff--tianti | A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been declared as critical. This vulnerability affects unknown code of the file /tianti-module-admin/user/ajax/save. The manipulation leads to missing authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 6.3 | CVE-2025-8807 |
| xujeff--tianti | A vulnerability was found in xujeff tianti 天梯 up to 2.3. It has been rated as problematic. This issue affects the function exportOrder of the file /tianti-module-admin/user/ajax/save of the component com.jeff.tianti.controller. The manipulation leads to csv injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 4.3 | CVE-2025-8808 |
| zhenfeng13--My-Blog | A vulnerability was found in zhenfeng13 My-Blog up to 1.0.0 and classified as problematic. This issue affects some unknown processing of the file /admin/tags/save. The manipulation of the argument tagName leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 4.3 | CVE-2025-8739 |
| zhilink ()--ADP Application Developer Platform | A vulnerability was found in zhilink 智互è”(深圳)科技有é™å…¬å¸ ADP Application Developer Platform 应用开å‘è€…å¹³å° 1.0.0. It has been classified as critical. This affects an unknown part of the file /adpweb/a/sys/office/treeData. The manipulation of the argument extId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 6.3 | CVE-2025-8806 |
| zlt2000--microservices-platform | A vulnerability has been found in zlt2000 microservices-platform up to 6.0.0 and classified as problematic. This vulnerability affects unknown code of the file /actuator of the component Spring Actuator Interface. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 5.3 | CVE-2025-8738 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 7-Zip--7-Zip | 7-Zip before 25.01 does not always properly handle symbolic links during extraction. | 2025-08-08 | 3.6 | CVE-2025-55188 |
| atjiu--pybbs | A vulnerability was found in atjiu pybbs up to 6.0.0 and classified as problematic. This issue affects the function sendEmailCode of the file src/main/java/co/yiiu/pybbs/controller/api/SettingsApiController.java of the component Registered Email Handler. The manipulation of the argument email leads to information exposure through error message. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 234197c4f8fc7ce24bdcff5430cd42492f28936a. It is recommended to apply a patch to fix this issue. | 2025-08-05 | 3.7 | CVE-2025-8548 |
| atjiu--pybbs | A vulnerability was found in atjiu pybbs up to 6.0.0. It has been classified as critical. Affected is the function update of the file src/main/java/co/yiiu/pybbs/controller/admin/UserAdminController.java. The manipulation leads to weak password requirements. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The patch is identified as d09cb19a8e7d7e5151282926ada54080244d499f. It is recommended to apply a patch to fix this issue. | 2025-08-05 | 3.7 | CVE-2025-8549 |
| atjiu--pybbs | A vulnerability was found in atjiu pybbs up to 6.0.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /admin/comment/list. The manipulation of the argument Username leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 2fe4a51afbce0068c291bc1818bbc8f7f3b01a22. It is recommended to apply a patch to fix this issue. | 2025-08-05 | 3.5 | CVE-2025-8551 |
| atjiu--pybbs | A vulnerability, which was classified as problematic, was found in atjiu pybbs up to 6.0.0. Affected is an unknown function of the file /search. The manipulation of the argument keyword leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The name of the patch is 2fe4a51afbce0068c291bc1818bbc8f7f3b01a22. It is recommended to apply a patch to fix this issue. | 2025-08-05 | 3.5 | CVE-2025-8555 |
| atjiu--pybbs | A vulnerability has been found in atjiu pybbs up to 6.0.0 and classified as problematic. This vulnerability affects the function changeLanguage of the file src/main/java/co/yiiu/pybbs/controller/front/IndexController.java. The manipulation of the argument referer leads to open redirect. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is identified as edb14ff13e9e05394960ba46c3d31d844ff2deac. It is recommended to apply a patch to fix this issue. | 2025-08-10 | 3.5 | CVE-2025-8813 |
| atjiu--pybbs | A vulnerability was found in atjiu pybbs up to 6.0.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/topic/list. The manipulation of the argument Username leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named 2fe4a51afbce0068c291bc1818bbc8f7f3b01a22. It is recommended to apply a patch to fix this issue. | 2025-08-05 | 2.4 | CVE-2025-8550 |
| atjiu--pybbs | A vulnerability classified as problematic has been found in atjiu pybbs up to 6.0.0. This affects an unknown part of the file /admin/tag/list. The manipulation of the argument Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 2fe4a51afbce0068c291bc1818bbc8f7f3b01a22. It is recommended to apply a patch to fix this issue. | 2025-08-05 | 2.4 | CVE-2025-8552 |
| atjiu--pybbs | A vulnerability classified as problematic was found in atjiu pybbs up to 6.0.0. This vulnerability affects unknown code of the file /admin/sensitive_word/list. The manipulation of the argument word leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 2fe4a51afbce0068c291bc1818bbc8f7f3b01a22. It is recommended to apply a patch to fix this issue. | 2025-08-05 | 2.4 | CVE-2025-8553 |
| atjiu--pybbs | A vulnerability, which was classified as problematic, has been found in atjiu pybbs up to 6.0.0. This issue affects some unknown processing of the file /admin/user/list. The manipulation of the argument Username leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is named 2fe4a51afbce0068c291bc1818bbc8f7f3b01a22. It is recommended to apply a patch to fix this issue. | 2025-08-05 | 2.4 | CVE-2025-8554 |
| atjiu--pybbs | A vulnerability, which was classified as problematic, was found in atjiu pybbs up to 6.0.0. This affects an unknown part of the file /api/settings of the component Admin Panel. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 2fe4a51afbce0068c291bc1818bbc8f7f3b01a22. It is recommended to apply a patch to fix this issue. | 2025-08-10 | 2.4 | CVE-2025-8812 |
| Axiomatic--Bento4 | A vulnerability, which was classified as problematic, was found in Axiomatic Bento4 up to 1.6.0-641. Affected is the function AP4_DataBuffer::SetDataSize of the file Mp4Decrypt.cpp of the component mp4decrypt. The manipulation leads to allocation of resources. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. | 2025-08-05 | 3.7 | CVE-2025-8537 |
| cairographics--Cairo | Cairo through 1.18.4, as used in Poppler through 25.08.0, has an "unscaled->face == NULL" assertion failure for _cairo_ft_unscaled_font_fini in cairo-ft-font.c. | 2025-08-04 | 2.9 | CVE-2025-50422 |
| cronoh--NanoVault | A vulnerability, which was classified as problematic, has been found in cronoh NanoVault up to 1.2.1. This issue affects the function executeJavaScript of the file /main.js of the component xrb URL Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-05 | 3.5 | CVE-2025-8535 |
| Datacom--DM955 5GT 1200 | A vulnerability classified as problematic was found in Datacom DM955 5GT 1200 825.8010.00. Affected by this vulnerability is an unknown functionality of the component Wireless Basic Settings. The manipulation of the argument SSID leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-09 | 3.5 | CVE-2025-8765 |
| Dell--SupportAssist OS Recovery | Dell SupportAssist OS Recovery, versions prior to 5.5.14.0, contains an Exposure of Sensitive Information to an Unauthorized Actor vulnerability. An unauthenticated attacker with physical access could potentially exploit this vulnerability, leading to Information Disclosure. | 2025-08-06 | 3.5 | CVE-2025-38746 |
| EMQX--EMQX | In EMQX before 5.8.6, administrators can install arbitrary novel plugins via the Dashboard web interface. NOTE: the Supplier's position is that this is the intended behavior; however, 5.8.6 adds a defense-in-depth feature in which a plugin's acceptability (for later Dashboard installation) is set by the "emqx ctl plugins allow" CLI command. | 2025-08-10 | 3 | CVE-2025-52136 |
| Exrick--xboot | A vulnerability classified as problematic has been found in Exrick xboot up to 3.3.4. Affected is an unknown function of the file /xboot/permission/getMenuList. The manipulation leads to cleartext storage of sensitive information in a cookie. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. | 2025-08-04 | 3.7 | CVE-2025-8528 |
| givanz--Vvveb | A vulnerability classified as problematic has been found in givanz Vvveb up to 1.0.5. This affects an unknown part of the file /vadmin123/index.php?module=editor/editor of the component Drag-and-Drop Editor. The manipulation of the argument url leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.6 is able to address this issue. The identifier of the patch is f684f3e374d04db715730fc4796e102f5ebcacb2. It is recommended to upgrade the affected component. | 2025-08-04 | 2.7 | CVE-2025-8519 |
| givanz--Vvveb | A vulnerability, which was classified as problematic, has been found in givanz Vvveb up to 1.0.5. This issue affects some unknown processing of the file /vadmin123/index.php?module=settings/post-types of the component Add Type Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.6 is able to address this issue. The patch is named b53c7161da606f512b7efcb392d6ffc708688d49/605a70f8729e4d44ebe272671cb1e43e3d6ae014. It is recommended to upgrade the affected component. | 2025-08-04 | 2.4 | CVE-2025-8521 |
| GNU--Bison | A vulnerability was found in GNU Bison up to 3.8.2. It has been rated as problematic. This issue affects the function __obstack_vprintf_internal of the file obprintf.c. The manipulation leads to reachable assertion. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 3.3 | CVE-2025-8733 |
| GNU--Bison | A vulnerability classified as problematic has been found in GNU Bison up to 3.8.2. Affected is the function code_free of the file src/scan-code.c. The manipulation leads to double free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 3.3 | CVE-2025-8734 |
| GNU--cflow | A vulnerability classified as problematic was found in GNU cflow up to 1.8. Affected by this vulnerability is the function yylex of the file c.c of the component Lexer. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 3.3 | CVE-2025-8735 |
| GNU--libopts | A vulnerability, which was classified as problematic, was found in GNU libopts up to 27.6. Affected is the function __strstr_sse2. The manipulation leads to memory corruption. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. This issue was initially reported to the tcpreplay project, but the code maintainer explains, that this "bug appears to be in libopts which is an external library." This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-09 | 3.3 | CVE-2025-8746 |
| IBM--WebSphere Application Server | IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 could allow a remote attacker to bypass security restrictions caused by a failure to honor security configuration. | 2025-08-07 | 3.7 | CVE-2024-56339 |
| Intelbras--InControl | A vulnerability was found in Intelbras InControl 2.21.60.9 and classified as problematic. This issue affects some unknown processing of the file /v1/operador/ of the component JSON Endpoint. The manipulation leads to information disclosure. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | 2025-08-04 | 3.1 | CVE-2025-8515 |
| LiquidFiles--LiquidFiles | LiquidFiles before 4.1.2 allows directory traversal by configuring the pathname of a local executable file as an Actionscript. | 2025-08-04 | 3.8 | CVE-2025-46094 |
| macrozheng--mall | A vulnerability was found in macrozheng mall up to 1.0.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/login. The manipulation leads to cleartext transmission of sensitive information. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-08 | 3.7 | CVE-2025-8741 |
| macrozheng--mall | A vulnerability was found in macrozheng mall 1.0.3. It has been rated as problematic. Affected by this issue is some unknown functionality of the component Admin Login. The manipulation leads to improper restriction of excessive authentication attempts. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-08 | 3.7 | CVE-2025-8742 |
| macrozheng--mall | A vulnerability has been found in macrozheng mall up to 1.0.3 and classified as problematic. Affected by this vulnerability is the function Upload of the file /minio/upload of the component Add Product Page. The manipulation of the argument File leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 2.4 | CVE-2025-8750 |
| n/a--libav | A vulnerability classified as problematic was found in libav up to 12.3. Affected by this vulnerability is the function av_buffer_unref of the file libavutil/buffer.c of the component AVI File Parser. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The bug was initially reported by the researcher to the wrong project. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-05 | 3.3 | CVE-2025-8584 |
| n/a--libav | A vulnerability, which was classified as problematic, was found in libav up to 12.3. This affects the function ff_seek_frame_binary of the file /libavformat/utils.c of the component MPEG File Parser. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The bug was initially reported by the researcher to the wrong project. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-08-05 | 3.3 | CVE-2025-8586 |
| n/a--libtiff | A vulnerability classified as problematic was found in libtiff 4.6.0. This vulnerability affects the function PS_Lvl2page of the file tools/tiff2ps.c of the component tiff2ps. The manipulation leads to null pointer dereference. It is possible to launch the attack on the local host. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The name of the patch is 6ba36f159fd396ad11bf6b7874554197736ecc8b. It is recommended to apply a patch to fix this issue. One of the maintainers explains, that "[t]his error only occurs if DEFER_STRILE_LOAD (defer-strile-load:BOOL=ON) or TIFFOpen( .. "rD") option is used." | 2025-08-04 | 2.5 | CVE-2025-8534 |
| n/a--libxml2 | A vulnerability was found in libxml2 up to 2.14.5. It has been declared as problematic. This vulnerability affects the function xmlParseSGMLCatalog of the component xmlcatalog. The manipulation leads to uncontrolled recursion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The code maintainer explains, that "[t]he issue can only be triggered with untrusted SGML catalogs and it makes absolutely no sense to use untrusted catalogs. I also doubt that anyone is still using SGML catalogs at all." | 2025-08-08 | 3.3 | CVE-2025-8732 |
| n/a--Open5GS | A vulnerability was found in Open5GS up to 2.7.5. It has been classified as problematic. Affected is the function amf_nsmf_pdusession_handle_release_sm_context of the file src/amf/nsmf-handler.c of the component AMF Service. The manipulation leads to reachable assertion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The name of the patch is 66bc558e417e70ae216ec155e4e81c14ae0ecf30. It is recommended to apply a patch to fix this issue. | 2025-08-07 | 3.3 | CVE-2025-8698 |
| n/a--Scada-LTS | A vulnerability classified as problematic has been found in Scada-LTS up to 2.7.8.1. This affects an unknown part of the file /data_source_edit.shtm of the component Virtual Data Source Property Handler. The manipulation of the argument Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 3.5 | CVE-2025-8743 |
| openbao--openbao | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users and users with stored credentials. This is independent of whether the supplied credentials were valid for the given user. This issue was fixed in version 2.3.2. To work around this issue, users may use another auth method or apply rate limiting quotas to limit the number of requests in a period of time: https://openbao.org/api-docs/system/rate-limit-quotas/. | 2025-08-09 | 3.7 | CVE-2025-54999 |
| Portabilis--i-Diario | A vulnerability, which was classified as problematic, was found in Portabilis i-Diario up to 1.5.0. Affected is an unknown function of the file /registros-de-conteudos-por-areas-de-conhecimento/ of the component Registro das atividades. The manipulation of the argument Registro de atividades/Conteúdos leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 3.5 | CVE-2025-8786 |
| Portabilis--i-Diario | A vulnerability has been found in Portabilis i-Diario up to 1.5.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /registros-de-conteudos-por-disciplina/ of the component Registro das atividades. The manipulation of the argument Registro de atividades/Conteúdos leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 3.5 | CVE-2025-8787 |
| Portabilis--i-Diario | A vulnerability was found in Portabilis i-Diario up to 1.5.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /planos-de-aula-por-areas-de-conhecimento/ of the component Informações adicionais. The manipulation of the argument Parecer/Conteúdos/Objetivos leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-10 | 3.5 | CVE-2025-8788 |
| Portabilis--i-Educar | A vulnerability classified as problematic was found in Portabilis i-Educar up to 2.9. This vulnerability affects unknown code of the file /intranet/funcionario_vinculo_cad.php of the component Cadastrar VÃnculo Page. The manipulation of the argument nome leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 3.5 | CVE-2025-8784 |
| Portabilis--i-Educar | A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar up to 2.9. This issue affects some unknown processing of the file /intranet/educar_usuario_lst.php. The manipulation of the argument nm_pessoa/matricula/matricula_interna leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 3.5 | CVE-2025-8785 |
| Portabilis--i-Educar | A vulnerability has been found in Portabilis i-Educar 2.10 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /usuarios/tipos/novo. The manipulation of the argument name/description leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-05 | 2.4 | CVE-2025-8538 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar 2.10 and classified as problematic. Affected by this issue is some unknown functionality of the file /intranet/public_distrito_cad.php. The manipulation of the argument nome leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-05 | 2.4 | CVE-2025-8539 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar 2.10. It has been classified as problematic. This affects an unknown part of the file /intranet/public_municipio_cad.php. The manipulation of the argument nome leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-05 | 2.4 | CVE-2025-8540 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar 2.10. It has been declared as problematic. This vulnerability affects unknown code of the file /intranet/public_uf_cad.php. The manipulation of the argument nome leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-05 | 2.4 | CVE-2025-8541 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar 2.10. It has been rated as problematic. This issue affects some unknown processing of the file /intranet/empresas_cad.php. The manipulation of the argument fantasia/razao_social leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-05 | 2.4 | CVE-2025-8542 |
| Portabilis--i-Educar | A vulnerability classified as problematic has been found in Portabilis i-Educar 2.10. Affected is an unknown function of the file /intranet/educar_raca_cad.php. The manipulation of the argument nm_raca leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-05 | 2.4 | CVE-2025-8543 |
| Portabilis--i-Educar | A vulnerability classified as problematic was found in Portabilis i-Educar 2.10. Affected by this vulnerability is an unknown functionality of the file /module/RegraAvaliacao/edit. The manipulation of the argument nome leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-05 | 2.4 | CVE-2025-8544 |
| Portabilis--i-Educar | A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.10. Affected by this issue is some unknown functionality of the file /intranet/educar_motivo_afastamento_cad.php. The manipulation of the argument nm_motivo leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-05 | 2.4 | CVE-2025-8545 |
| Protected--Total WebShield Extension | A vulnerability was found in Protected Total WebShield Extension up to 3.2.0 on Chrome. It has been classified as problematic. This affects an unknown part of the component Block Page. The manipulation of the argument Category leads to cross site scripting. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 3.1 | CVE-2025-8751 |
| raszi--node-tmp | tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via symbolic link dir parameter. This is fixed in version 0.2.4. | 2025-08-07 | 2.5 | CVE-2025-54798 |
| Red Hat--Builds for Red Hat OpenShift | A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange. | 2025-08-06 | 3.7 | CVE-2025-8556 |
| riscv-boom--SonicBOOM | A vulnerability has been found in riscv-boom SonicBOOM up to 2.2.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component L1 Data Cache Handler. The manipulation leads to observable timing discrepancy. Local access is required to approach this attack. The complexity of an attack is rather high. The exploitation appears to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 2.5 | CVE-2025-8774 |
| Ruijie--EG306MG | A vulnerability was found in Ruijie EG306MG 3.0(1)B11P309. It has been rated as problematic. This issue affects some unknown processing of the file /etc/strongswan.conf of the component strongSwan. The manipulation of the argument i_dont_care_about_security_and_use_aggressive_mode_psk leads to missing encryption of sensitive data. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 3.7 | CVE-2025-8763 |
| Samsung Mobile--Galaxy Wearable | Improper access control in Galaxy Wearable prior to version 2.2.63.25042861 allows local attackers to access sensitive information. | 2025-08-06 | 3.3 | CVE-2025-21022 |
| Samsung Mobile--Smart View | Use of Implicit Intent for Sensitive Communication in Smart View prior to Android 16 allows local attackers to access sensitive information. | 2025-08-06 | 3.3 | CVE-2025-21024 |
| Samsung Mobile--WcsExtension for Galaxy Watch | Improper access control in WcsExtension for Galaxy Watch prior to Android Watch 16 allows local attackers to access sensitive information. | 2025-08-06 | 3.3 | CVE-2025-21023 |
| SuiteCRM--SuiteCRM | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a vulnerability in SuiteCRM version 7.14.6 which allows unauthenticated downloads of any file from the upload-directory, as long as it is named by an ID (e.g. attachments). An unauthenticated attacker could download internal files when he discovers a valid file-ID. Valid IDs could be brute-forced, but this is quite time-consuming as the file-IDs are usually UUIDs. This issue is fixed in version 7.14.7. | 2025-08-07 | 3.7 | CVE-2025-54787 |
| TRENDnet--TN-200 | A vulnerability was found in TRENDnet TN-200 1.02b02. It has been declared as problematic. This vulnerability affects unknown code of the component Lighttpd. The manipulation of the argument secdownload.secret with the input neV3rUseMe leads to use of hard-coded cryptographic key . The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-09 | 3.7 | CVE-2025-8759 |
| zhenfeng13--My-Blog | A vulnerability was found in zhenfeng13 My-Blog up to 1.0.0. It has been classified as problematic. Affected is an unknown function of the file /admin/categories/save of the component Category Handler. The manipulation of the argument categoryName leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 2.4 | CVE-2025-8740 |
| zlt2000--microservices-platform | A vulnerability, which was classified as problematic, was found in zlt2000 microservices-platform up to 6.0.0. This affects the function onLogoutSuccess of the file src/main/java/com/central/oauth/handler/OauthLogoutSuccessHandler.java. The manipulation of the argument redirect_url leads to open redirect. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-08 | 3.5 | CVE-2025-8737 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 4C Strategies--Exonaut | 4C Strategies Exonaut before v22.4 was discovered to contain insecure permissions. | 2025-08-06 | not yet calculated | CVE-2024-55398 |
| 4C Strategies--Exonaut | 4C Strategies Exonaut before v21.6.2.1-1 was discovered to contain a Server-Side Request Forgery (SSRF). | 2025-08-06 | not yet calculated | CVE-2024-55399 |
| 4C Strategies--Exonaut | An issue in 4C Strategies Exonaut before v22.4 allows attackers to execute a directory traversal. | 2025-08-07 | not yet calculated | CVE-2024-55401 |
| 4C Strategies--Exonaut | 4C Strategies Exonaut before v22.4 was discovered to contain an access control issue. | 2025-08-06 | not yet calculated | CVE-2024-55402 |
| 4C Strategies--Exonaut | An issue was discovered in ExonautWeb in 4C Strategies Exonaut 21.6. There are verbose error messages. | 2025-08-05 | not yet calculated | CVE-2025-46658 |
| 4C Strategies--Exonaut | An issue was discovered in ExonautWeb in 4C Strategies Exonaut 21.6. Information disclosure can occur via an external HTTPS request. | 2025-08-06 | not yet calculated | CVE-2025-46659 |
| 4C Strategies--Exonaut | An issue was discovered in 4C Strategies Exonaut 21.6. Passwords, stored in the database, are hashed without a salt. | 2025-08-06 | not yet calculated | CVE-2025-46660 |
| ActFax Communication--ActFax Server | A stack-based buffer overflow vulnerability exists in ActFax Server version 5.01. The server's RAW protocol interface fails to safely process user-supplied data in @F506 fax header fields due to insecure usage of strcpy. Remote attackers can exploit this vulnerability by sending specially crafted @F506 fields, potentially leading to arbitrary code execution. Successful exploitation requires network access to TCP port 4559 and does not require authentication. | 2025-08-05 | not yet calculated | CVE-2013-10064 |
| ActFax--Server | A stack-based buffer overflow vulnerability exists in ActFax Server version 4.32, specifically in the "Import Users from File" functionality of the client interface. The application fails to properly validate the length of tab-delimited fields in .exp files, leading to unsafe usage of strcpy() during CSV parsing. An attacker can exploit this vulnerability by crafting a malicious .exp file and importing it using the default character set "ECMA-94 / Latin 1 (ISO 8859)". Successful exploitation may result in arbitrary code execution, leading to full system compromise. User interaction is required to trigger the vulnerability. | 2025-08-08 | not yet calculated | CVE-2012-10043 |
| Advanced Custom Fields--WordPress Plugin | The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. When the PHP configuration directive allow_url_include is enabled (default: Off), an unauthenticated attacker can exploit the acf_abspath POST parameter to include and execute arbitrary remote PHP code. This leads to remote code execution under the web server's context, allowing full compromise of the host. | 2025-08-05 | not yet calculated | CVE-2012-10025 |
| Agenzia Impresa-- Eccobook | Incorrect access control in CaricaVerbale in Agenzia Impresa Eccobook v2.81.1 allows authenticated attackers with low-level access to escalate privileges to Administrator. | 2025-08-05 | not yet calculated | CVE-2025-51627 |
| Agenzia Impresa-- Eccobook | Insecure Direct Object Reference (IDOR) vulnerability in PdfHandler component in Agenzia Impresa Eccobook v2.81.1 and below allows unauthenticated attackers to read confidential documents via the DocumentoId parameter. | 2025-08-05 | not yet calculated | CVE-2025-51628 |
| Agenzia Impresa-- Eccobook | A cross-site scripting (XSS) vulnerability in the PdfViewer component of Agenzia Impresa Eccobook 2.81.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Temp parameter. | 2025-08-07 | not yet calculated | CVE-2025-51629 |
| Airoha Technology Corp.--AB156x, AB157x, AB158x, AB159x series | In the Airoha Bluetooth audio SDK, there is a possible way to pair Bluetooth audio device without user consent. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-04 | not yet calculated | CVE-2025-20701 |
| Airoha Technology Corp.--AB156x, AB157x, AB158x, AB159x series, AB1627 | In the Airoha Bluetooth audio SDK, there is a possible permission bypass that allows access critical data of RACE protocol through Bluetooth LE GATT service. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-04 | not yet calculated | CVE-2025-20700 |
| Airoha Technology Corp.--AB156x, AB157x, AB158x, AB159x series, AB1627 | In the Airoha Bluetooth audio SDK, there is a possible unauthorized access to the RACE protocol. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2025-08-04 | not yet calculated | CVE-2025-20702 |
| AjaXplorer--AjaXplorer | An unauthenticated remote command execution vulnerability exists in AjaXplorer (now known as Pydio Cells) versions prior to 2.6. The flaw resides in the checkInstall.php script within the access.ssh plugin, which fails to properly sanitize user-supplied input to the destServer GET parameter. By injecting shell metacharacters, remote attackers can execute arbitrary system commands on the server with the privileges of the web server process. | 2025-08-08 | not yet calculated | CVE-2010-10013 |
| anthropics--claude-code | Claude Code is an agentic coding tool. In versions below 0.2.111, a path validation flaw using prefix matching instead of canonical path comparison, makes it possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on the presence of (or ability to create) a directory with the same prefix as the CWD and the ability to add untrusted content into a Claude Code context window. This is fixed in version 0.2.111. | 2025-08-05 | not yet calculated | CVE-2025-54794 |
| anthropics--claude-code | Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This is fixed in version 1.0.20. | 2025-08-05 | not yet calculated | CVE-2025-54795 |
| Apache Software Foundation--Apache CXF | If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8, 4.0.9 or 4.1.3, which fix this issue. | 2025-08-08 | not yet calculated | CVE-2025-48913 |
| Apache Software Foundation--Apache Seata (incubating) | Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This issue affects Apache Seata (incubating): 2.4.0. Users are recommended to upgrade to version 2.5.0, which fixes the issue. | 2025-08-08 | not yet calculated | CVE-2025-53606 |
| Arm Ltd--Bifrost GPU Userspace Driver | Use After Free vulnerability in Arm Ltd Bifrost GPU Userspace Driver, Arm Ltd Valhall GPU Userspace Driver, Arm Ltd Arm 5th Gen GPU Architecture Userspace Driver allows a non-privileged user process to perform valid GPU processing operations, including via WebGL or WebGPU, to gain access to already freed memory.This issue affects Bifrost GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r51p0; Valhall GPU Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0; Arm 5th Gen GPU Architecture Userspace Driver: from r48p0 through r49p3, from r50p0 through r54p0. | 2025-08-04 | not yet calculated | CVE-2025-0932 |
| Artifex Software--muPDF | An issue in Artifex mupdf 1.25.6, 1.25.5 allows a remote attacker to cause a denial of service via an infinite recursion in the `mutool clean` utility. When processing a crafted PDF file containing cyclic /Next references in the outline structure, the `strip_outline()` function enters infinite recursion | 2025-08-04 | not yet calculated | CVE-2025-46206 |
| Asset-Manager--Wordpress Plugin | The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. The endpoint fails to properly validate and restrict uploaded file types, allowing remote attackers to upload malicious PHP scripts to a predictable temporary directory. Once uploaded, the attacker can execute the file via a direct HTTP GET request, resulting in remote code execution under the web server's context. | 2025-08-05 | not yet calculated | CVE-2012-10026 |
| astral-sh--uv | uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. An attacker could also contrive a "stacked" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target in both scenarios. This issue is fixed in version 0.8.6. To work around this issue, users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior. | 2025-08-08 | not yet calculated | CVE-2025-54368 |
| Austrian Archaeological Institute (AI)--OpenAtlas | A cross-site scripting (XSS) vulnerability in Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field. | 2025-08-04 | not yet calculated | CVE-2025-51534 |
| Austrian Archaeological Institute (AI)--OpenAtlas | Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 as discovered to contain a SQL injection vulnerability. | 2025-08-04 | not yet calculated | CVE-2025-51535 |
| Austrian Archaeological Institute (AI)--OpenAtlas | Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 as discovered to contain a hardcoded Administrator password. | 2025-08-04 | not yet calculated | CVE-2025-51536 |
| Axelor--Axelor | A Boolean-based SQL injection vulnerability was discovered in Axelor 5.2.4 via the _domain parameter. An attacker can manipulate the SQL query logic and determine true/false conditions, potentially leading to data exposure or further exploitation. | 2025-08-04 | not yet calculated | CVE-2025-50341 |
| BlazeVideo Inc.--HDTV Player Pro | BlazeVideo HDTV Player Pro v6.6.0.3 is vulnerable to a stack-based buffer overflow due to improper handling of user-supplied input embedded in .plf playlist files. When parsing a crafted .plf file, the MediaPlayerCtrl.dll component invokes PathFindFileNameA() to extract a filename from a URL-like string. The returned value is then copied to a fixed-size stack buffer using an inline strcpy call without bounds checking. If the input exceeds the buffer size, this leads to a stack overflow and potential arbitrary code execution under the context of the user. | 2025-08-05 | not yet calculated | CVE-2012-10031 |
| Blue Access--Cobalt X1 | An Authentication Bypass vulnerability in Blue Access' Cobalt X1 thru 02.000.187 allows an unauthorized attacker to log into the application as an administrator without valid credentials. | 2025-08-05 | not yet calculated | CVE-2025-50454 |
| BlueStacks--BlueStacks Player | A lack of SSL certificate validation in BlueStacks v5.20 allows attackers to execute a man-it-the-middle attack and obtain sensitive information. | 2025-08-05 | not yet calculated | CVE-2025-44964 |
| BMC Software--BMC Control-M | An issue was discovered in BMC Control-M 9.0.21.300. When Control-M Server has a database connection, it runs DBUStatus.exe frequently, which then calls dbu_connection_details.vbs with the username, password, database hostname, and port written in cleartext, which can be seen in event and process logs in two separate locations. | 2025-08-07 | not yet calculated | CVE-2025-48709 |
| Bottinelli Informatica--Vedo Suite | A path traversal vulnerability in Vedo Suite 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'file_get_contents()' function call in '/api_vedo/template'. | 2025-08-06 | not yet calculated | CVE-2025-51052 |
| Bottinelli Informatica--Vedo Suite | A Cross-site scripting (XSS) vulnerability in /api_vedo/ in Vedo Suite version 2024.17 allows remote attackers to inject arbitrary Javascript or HTML code and potentially trigger code execution in victim's browser. | 2025-08-06 | not yet calculated | CVE-2025-51053 |
| Bottinelli Informatica--Vedo Suite | Vedo Suite 2024.17 is vulnerable to Incorrect Access Control, which allows remote attackers to obtain a valid high privilege JWT token without prior authentication via sending an empty HTTP POST request to the /autologin/ API endpoint. | 2025-08-06 | not yet calculated | CVE-2025-51054 |
| Bottinelli Informatica--Vedo Suite | Insecure Data Storage of credentials has been found in /api_vedo/configuration/config.yml file in Vedo Suite version 2024.17. This file contains clear-text credentials, secret keys, and database information. | 2025-08-06 | not yet calculated | CVE-2025-51055 |
| Bottinelli Informatica--Vedo Suite | An unrestricted file upload vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to write to arbitrary filesystem paths by exploiting the insecure 'uploadPreviews()' custom function in '/api_vedo/colorways_preview', ultimately resulting in remote code execution (RCE). | 2025-08-06 | not yet calculated | CVE-2025-51056 |
| Bottinelli Informatica--Vedo Suite | A local file inclusion (LFI) vulnerability in Vedo Suite version 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'readfile()' function call in '/api_vedo/video/preview'. | 2025-08-06 | not yet calculated | CVE-2025-51057 |
| Bottinelli Informatica--Vedo Suite | Bottinelli Informatical Vedo Suite 2024.17 is vulnerable to Server-side Request Forgery (SSRF) in the /api_vedo/video/preview endpoint, which allows remote authenticated attackers to trigger HTTP requests towards arbitrary remote paths via the "file" URL parameter. | 2025-08-06 | not yet calculated | CVE-2025-51058 |
| BYD--DiLink OS | An incorrect encryption implementation vulnerability exists in the system log dump feature of BYD's DiLink 3.0 OS (e.g. in the model ATTO3). An attacker with physical access to the vehicle can bypass the encryption of log dumps on the In-Vehicle Infotainment (IVI) unit's storage. This allows the attacker to access and read system logs containing sensitive data, including personally identifiable information (PII) and location data. This vulnerability was introduced in a patch intended to fix CVE-2024-54728. | 2025-08-09 | not yet calculated | CVE-2025-7020 |
| ClanSphere Project--ClanSphere | ClanSphere 2011.3 is vulnerable to a local file inclusion (LFI) flaw due to improper handling of the cs_lang cookie parameter. The application fails to sanitize user-supplied input, allowing attackers to traverse directories and read arbitrary files outside the web root. The vulnerability is further exacerbated by null byte injection (%00) to bypass file extension checks. | 2025-08-05 | not yet calculated | CVE-2012-10034 |
| Cloudflare--quiche | Cloudflare quiche was discovered to be vulnerable to an infinite loop when sending packets containing RETIRE_CONNECTION_ID frames. QUIC connections possess a set of connection identifiers (IDs); see Section 5.1 of RFC 9000 https://datatracker.ietf.org/doc/html/rfc9000#section-5.1 . Once the QUIC handshake completes, a local endpoint is responsible for issuing and retiring Connection IDs that are used by the remote peer to populate the Destination Connection ID field in packets sent from remote to local. Each Connection ID has a sequence number to ensure synchronization between peers. An unauthenticated remote attacker can exploit this vulnerability by first completing a handshake and then sending a specially-crafted set of frames that trigger a connection ID retirement in the victim. When the victim attempts to send a packet containing RETIRE_CONNECTION_ID frames, Section 19.16 of RFC 9000 https://datatracker.ietf.org/doc/html/rfc9000#section-19.6 requires that the sequence number of the retired connection ID must not be the same as the sequence number of the connection ID used by the packet. In other words, a packet cannot contain a frame that retires itself. In scenarios such as path migration, it is possible for there to be multiple active paths with different active connection IDs that could be used to retire each other. The exploit triggered an unintentional behaviour of a quiche design feature that supports retirement across paths while maintaining full connection ID synchronization, leading to an infinite loop.This issue affects quiche: from 0.15.0 before 0.24.5. | 2025-08-07 | not yet calculated | CVE-2025-7054 |
| Concrete CMS--Concrete CMS | Concrete CMS 9 to 9.4.2 and versions below 8.5.21 are vulnerable to Reflected Cross-Site Scripting (XSS) in the Conversation Messages Dashboard Page. Unsanitized input could cause theft of session cookies or tokens, defacement of web content, redirection to malicious sites, and (if victim is an admin), the execution of unauthorized actions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 4.8 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N. Thanks Fortbridge https://fortbridge.co.uk/ for performing a penetration test and vulnerability assessment on Concrete CMS and reporting this issue. | 2025-08-05 | not yet calculated | CVE-2025-8571 |
| Concrete CMS--Concrete CMS | Concrete CMS versions 9 through 9.4.2 are vulnerable to Stored XSS from Home Folder on Members Dashboard page. Version 8 was not affected. A rogue admin could set up a malicious folder containing XSS to which users could be directed upon login. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 2.0 with vector CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks sealldev for reporting via HackerOne. | 2025-08-05 | not yet calculated | CVE-2025-8573 |
| CPUID--cpuz.sys | An issue was discovered in CPUID cpuz.sys 1.0.5.4. An attacker can use DeviceIoControl with the unvalidated parameters 0x9C402440 and 0x9C402444 as IoControlCodes to perform RDMSR and WRMSR, respectively. Through this process, the attacker can modify MSR_LSTAR and hook KiSystemCall64. Afterward, using Return-Oriented Programming (ROP), the attacker can manipulate the stack with pre-prepared gadgets, disable the SMAP flag in the CR4 register, and execute a user-mode syscall handler in the kernel context. It has not been confirmed whether this works on 32-bit Windows, but it functions on 64-bit Windows if the core isolation feature is either absent or disabled. | 2025-08-05 | not yet calculated | CVE-2025-51060 |
| craftcms--cms | Craft is a platform for creating digital experiences. Versions 4.13.8 through 4.16.2 and 5.5.8 through 5.8.3 contain a vulnerability that can bypass CVE-2025-23209: "Craft CMS has a potential RCE with a compromised security key". To exploit this vulnerability, the project must meet these requirements: have a compromised security key and create an arbitrary file in Craft's /storage/backups folder. With those criteria in place, attackers could create a specific, malicious request to the /updater/restore-db endpoint and execute CLI commands remotely. This issue is fixed in versions 4.16.3 and 5.8.4. | 2025-08-09 | not yet calculated | CVE-2025-54417 |
| CuteFlow.org--CuteFlow | CuteFlow version 2.11.2 and earlier contains an arbitrary file upload vulnerability in the restart_circulation_values_write.php script. The application fails to validate or restrict uploaded file types, allowing unauthenticated attackers to upload arbitrary PHP files to the upload/___1/ directory. These files are then accessible via the web server, enabling remote code execution. | 2025-08-08 | not yet calculated | CVE-2012-10050 |
| Cyclope-Series--Cyclope Employee Surveillance Solution | Cyclope Employee Surveillance Solution versions 6.x is vulnerable to a SQL injection flaw in its login mechanism. The username parameter in the auth-login POST request is not properly sanitized, allowing attackers to inject arbitrary SQL statements. This can be leveraged to write and execute a malicious PHP file on disk, resulting in remote code execution under the SYSTEM user context. | 2025-08-08 | not yet calculated | CVE-2012-10047 |
| D-Link--DIR-600 rev B | The web interface of multiple D-Link routers, including DIR-600 rev B (≤2.14b01) and DIR-300 rev B (≤2.13), contains an unauthenticated OS command injection vulnerability in command.php, which improperly handles the cmd POST parameter. A remote attacker can exploit this flaw without authentication to spawn a Telnet service on a specified port, enabling persistent interactive shell access as root. | 2025-08-05 | not yet calculated | CVE-2013-10069 |
| DavidOsipov--Vision-ui | Vision UI is a collection of enterprise-grade, dependency-free modules for modern web projects. In versions 1.4.0 and below, the getSecureRandomInt function in security-kit versions prior to 3.5.0 (packaged in Vision-ui <= 1.4.0) contains a critical cryptographic weakness. Due to a silent 32-bit integer overflow in its internal masking logic, the function fails to produce a uniform distribution of random numbers when the requested range between min and max is larger than 2³². The root cause is the use of a 32-bit bitwise left-shift operation (<<) to generate a bitmask for the rejection sampling algorithm. This causes the mask to be incorrect for any range requiring 32 or more bits of entropy. This issue is fixed in version 1.5.0. | 2025-08-05 | not yet calculated | CVE-2025-54883 |
| DavidOsipov--Vision-ui | Vision UI is a collection of enterprise-grade, dependency-free modules for modern web projects. In versions 1.4.0 and below, the generateSecureId and getSecureRandomInt functions in security-kit versions prior to 3.5.0 (packaged in Vision UI 1.4.0 and below) are vulnerable to Denial of Service (DoS) attacks. The generateSecureId(length) function directly used the length parameter to size a Uint8Array buffer, allowing attackers to exhaust server memory through repeated requests for large IDs since the previous 1024 limit was insufficient. The getSecureRandomInt(min, max) function calculated buffer size based on the range between min and max, where large ranges caused excessive memory allocation and CPU-intensive rejection-sampling loops that could hang the thread. This issue is fixed in version 1.5.0. | 2025-08-05 | not yet calculated | CVE-2025-54884 |
| Dell/Quest--KACE K1000 Systems Management Appliance | An unrestricted file upload vulnerability exists in Dell (acquired by Quest) KACE K1000 System Management Appliance version 5.0 - 5.3, 5.4 prior to 5.4.76849, and 5.5 prior to 5.5.90547 in the download_agent.php endpoint. An attacker can upload arbitrary PHP files to a temporary web-accessible directory, which are later executed through inclusion in backend code that loads files under attacker-controlled paths. | 2025-08-05 | not yet calculated | CVE-2014-125113 |
| Delta Electronics--DIAView | DIAView (v4.2.0 and prior) - Directory Traversal Information Disclosure Vulnerability | 2025-08-05 | not yet calculated | CVE-2025-53417 |
| DENX Software Engineering GmbH--U-Boot | A lack of signature verification in the bootloader of DENX Software Engineering Das U-Boot (U-Boot) v1.1.3 allows attackers to install crafted firmware files, leading to arbitrary code execution. | 2025-08-05 | not yet calculated | CVE-2025-45512 |
| Draytek--AP903, AP912C, AP918R | Certain Draytek products are affected by Insecure Configuration. This affects AP903 v1.4.18 and AP912C v1.4.9 and AP918R v1.4.9. The setting of the password property in the ripd.conf configuration file sets a hardcoded weak password, posing a security risk. An attacker with network access could exploit this to gain unauthorized control over the routing daemon, potentially altering network routes or intercepting traffic. | 2025-08-04 | not yet calculated | CVE-2025-44643 |
| Easy Hosting Control Panel--EHCP | A reflected cross-site scripting (XSS) vulnerability in the List All FTP User Function in EHCP v20.04.1.b allows authenticated attackers to execute arbitrary JavaScript via injecting a crafted payload into the ftpusername parameter. | 2025-08-08 | not yet calculated | CVE-2025-50927 |
| Easy Hosting Control Panel--EHCP | Easy Hosting Control Panel EHCP v20.04.1.b was discovered to contain a SQL injection vulnerability via the id parameter in the Change Settings function. | 2025-08-08 | not yet calculated | CVE-2025-50928 |
| EGallery--EGallery | EGallery version 1.2 contains an unauthenticated arbitrary file upload vulnerability in the uploadify.php script. The application fails to validate file types or enforce authentication, allowing remote attackers to upload malicious PHP files directly into the web-accessible egallery/ directory. This results in full remote code execution under the web server context. | 2025-08-08 | not yet calculated | CVE-2012-10052 |
| Electrolink--Electrolink FM/DAB/TV Transmitter Web Management System | Electrolink FM/DAB/TV Transmitter Web Management System Unauthorized access vulnerability via the /FrameSetCore.html endpoint in Electrolink 500W, 1kW, 2kW Medium DAB Transmitter Web v01.09, v01.08, v01.07, and Display v1.4, v1.2. | 2025-08-06 | not yet calculated | CVE-2025-51040 |
| Elgato--Key Light | A Cross-Site Request Forgery (CSRF) in Elgato's Key Lights and related light products allows an attacker to host a malicious webpage that remotely controlles the victim's lights. | 2025-08-06 | not yet calculated | CVE-2025-7202 |
| Emsisoft--Emsisoft Anti-Malware | A vulnerability affecting the scanning module in Emsisoft Anti-Malware prior to 2024.12 allows attackers on a remote server to obtain Net-NTLMv2 hash information via a specially created A2S (Emsisoft Custom Scan) extension file. | 2025-08-05 | not yet calculated | CVE-2025-29745 |
| ESVA-Project--E-Mail Security Virtual Appliance | The E-Mail Security Virtual Appliance (ESVA) (tested on version ESVA_2057) contains an unauthenticated command injection vulnerability in the learn-msg.cgi script. The CGI handler fails to sanitize user-supplied input passed via the id parameter, allowing attackers to inject arbitrary shell commands. Exploitation requires no authentication and results in full command execution on the underlying system. | 2025-08-08 | not yet calculated | CVE-2012-10046 |
| fedify-dev--fedify | Fedify is a TypeScript library for building federated server apps powered by ActivityPub. In versions below 1.3.20, 1.4.0-dev.585 through 1.4.12, 1.5.0-dev.636 through 1.5.4, 1.6.0-dev.754 through 1.6.7, 1.7.0-pr.251.885 through 1.7.8 and 1.8.0-dev.909 through 1.8.4, an authentication bypass vulnerability allows any unauthenticated attacker to impersonate any ActivityPub actor by sending forged activities signed with their own keys. Activities are processed before verifying the signing key belongs to the claimed actor, enabling complete actor impersonation across all Fedify instances. This is fixed in versions 1.3.20, 1.4.13, 1.5.5, 1.6.8, 1.7.9 and 1.8.5. | 2025-08-09 | not yet calculated | CVE-2025-54888 |
| FIRSTNUM--JC21A-04 LTE Router | An issue was discovered on FIRSTNUM JC21A-04 devices through 2.01ME/FN that allows authenticated attackers to execute arbitrary OS system commands with root privileges via crafted payloads to the xml_action.cgi?method= endpoint. | 2025-08-05 | not yet calculated | CVE-2025-43979 |
| FIRSTNUM--JC21A-04 LTE Router | An issue was discovered on FIRSTNUM JC21A-04 devices through 2.01ME/FN. They enable the SSH service by default with the credentials of root/admin. The GUI doesn't offer a way to disable the account. | 2025-08-05 | not yet calculated | CVE-2025-43980 |
| Flexibits--Fantastical | A vulnerability was identified in the XPC services of Fantastical. The services failed to implement proper client authorization checks in its listener:shouldAcceptNewConnection method, unconditionally accepting requests from any local process. As a result, any local, unprivileged process could connect to the XPC service and access its methods. This issue has been resolved in version 4.0.16. | 2025-08-07 | not yet calculated | CVE-2025-8533 |
| Foxit--Foxit Reader | Foxit Reader Plugin version 2.2.1.530, bundled with Foxit Reader 5.4.4.11281, contains a stack-based buffer overflow vulnerability in the npFoxitReaderPlugin.dll module. When a PDF file is loaded from a remote host, an overly long query string in the URL can overflow a buffer, allowing remote attackers to execute arbitrary code. | 2025-08-05 | not yet calculated | CVE-2013-10068 |
| freedesktop--poppler | An issue in the pdfseparate utility of freedesktop poppler v25.04.0 allows attackers to cause an infinite recursion via supplying a crafted PDF file. This can lead to a Denial of Service (DoS). | 2025-08-04 | not yet calculated | CVE-2025-50420 |
| FreeFloat--FTP Server | A stack-based buffer overflow vulnerability exists in FreeFloat FTP Server version 1.0.0. The server fails to properly validate input passed to the USER command, allowing remote attackers to overwrite memory and potentially execute arbitrary code. The flaw is triggered by sending an overly long username string, which overflows the buffer allocated for user authentication. | 2025-08-05 | not yet calculated | CVE-2012-10023 |
| FreeFloat--FTP Server | FreeFloat FTP Server contains multiple critical design flaws that allow unauthenticated remote attackers to upload arbitrary files to sensitive system directories. The server accepts empty credentials, defaults user access to the root of the C:\ drive, and imposes no restrictions on file type or destination path. These conditions enable attackers to upload executable payloads and .mof files to locations such as system32 and wbem\mof, where Windows Management Instrumentation (WMI) automatically processes and executes them. This results in remote code execution with SYSTEM-level privileges, without requiring user interaction. | 2025-08-05 | not yet calculated | CVE-2012-10030 |
| Gatling--Gatling Enterprise | In Gatling Enterprise versions below 1.25.0, a user logging-out can still use his session token to continue using the application without expiration, due to incorrect session management. | 2025-08-06 | not yet calculated | CVE-2025-51306 |
| Gatling--Gatling Enterprise | In Gatling Enterprise versions below 1.25.0, a low-privileged user that does not hold the role "admin" could perform a REST API call on read-only endpoints, allowing him to collect some information, due to missing authorization checks. | 2025-08-06 | not yet calculated | CVE-2025-51308 |
| github.com/rs/cors--github.com/rs/cors | Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers (ACRH) header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt to cause a denial of service. | 2025-08-06 | not yet calculated | CVE-2025-47908 |
| Glossword Team--Glossword | Glossword versions 1.8.8 through 1.8.12 contain an authenticated arbitrary file upload vulnerability. When deployed as a standalone application, the administrative interface (gw_admin.php) allows users with administrator privileges to upload files to the gw_temp/a/ directory. Due to insufficient validation of file type and path, attackers can upload and execute PHP payloads, resulting in remote code execution. | 2025-08-05 | not yet calculated | CVE-2013-10067 |
| Go standard library--database/sql | Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error. | 2025-08-07 | not yet calculated | CVE-2025-47907 |
| Go standard library--path/filepath | The filepath.Walk and filepath.WalkDir functions are documented as not following symbolic links, but both functions are susceptible to a TOCTOU (time of check/time of use) race condition where a portion of the path being walked is replaced with a symbolic link while the walk is in progress. | 2025-08-06 | not yet calculated | CVE-2024-8244 |
| go-acme--lego | Let's Encrypt client and ACME library written in Go (Lego). In versions 4.25.1 and below, the github.com/go-acme/lego/v4/acme/api package (thus the lego library and the lego cli as well) don't enforce HTTPS when talking to CAs as an ACME client. Unlike the http-01 challenge which solves an ACME challenge over unencrypted HTTP, the ACME protocol requires HTTPS when a client communicates with the CA to performs ACME functions. However, the library fails to enforce HTTPS both in the original discover URL (configured by the library user) and in the subsequent addresses returned by the CAs in the directory and order objects. If users input HTTP URLs or CAs misconfigure endpoints, protocol operations occur over HTTP instead of HTTPS. This compromises privacy by exposing request/response details like account and request identifiers to network attackers. This was fixed in version 4.25.2. | 2025-08-07 | not yet calculated | CVE-2025-54799 |
| gofiber--fiber | Fiber is an Express inspired web framework written in Go. In versions 2.52.8 and below, when using Fiber's Ctx.BodyParser to parse form data containing a large numeric key that represents a slice index (e.g., test.18446744073704), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length idx + 1 without validating whether the index is within a safe or reasonable range. If the idx is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. This is fixed in version 2.52.9. | 2025-08-05 | not yet calculated | CVE-2025-54801 |
| Google--Chrome | Use after free in Extensions in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium) | 2025-08-07 | not yet calculated | CVE-2025-8576 |
| Google--Chrome | Inappropriate implementation in Picture In Picture in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2025-08-07 | not yet calculated | CVE-2025-8577 |
| Google--Chrome | Use after free in Cast in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-08-07 | not yet calculated | CVE-2025-8578 |
| Google--Chrome | Inappropriate implementation in Picture In Picture in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-08-07 | not yet calculated | CVE-2025-8579 |
| Google--Chrome | Inappropriate implementation in Filesystems in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-08-07 | not yet calculated | CVE-2025-8580 |
| Google--Chrome | Inappropriate implementation in Extensions in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) | 2025-08-07 | not yet calculated | CVE-2025-8581 |
| Google--Chrome | Insufficient validation of untrusted input in Core in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low) | 2025-08-07 | not yet calculated | CVE-2025-8582 |
| Google--Chrome | Inappropriate implementation in Permissions in Google Chrome prior to 139.0.7258.66 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2025-08-07 | not yet calculated | CVE-2025-8583 |
| Grav CMS--Grav CMS | A Remote Code Execution (RCE) vulnerability in Grav CMS v1.7.48 allows an authenticated admin to upload a malicious plugin via the /admin/tools/direct-install interface. Once uploaded, the plugin is automatically extracted and loaded, allowing arbitrary PHP code execution and reverse shell access. | 2025-08-06 | not yet calculated | CVE-2025-50286 |
| GStreamer--GStreamer gst-plugins-base, gst-plugins-good | In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_tree function may read past the end of a heap buffer while parsing an MP4 file, leading to information disclosure. | 2025-08-07 | not yet calculated | CVE-2025-47183 |
| GStreamer--GStreamer gst-plugins-base, gst-plugins-good | In GStreamer through 1.26.1, the isomp4 plugin's qtdemux_parse_trak function may read past the end of a heap buffer while parsing an MP4 file, possibly leading to information disclosure. | 2025-08-07 | not yet calculated | CVE-2025-47219 |
| GStreamer--GStreamer gst-plugins-base, gst-plugins-good | In GStreamer through 1.26.1, the subparse plugin's parse_subrip_time function may write data past the bounds of a stack buffer, leading to a crash. | 2025-08-07 | not yet calculated | CVE-2025-47806 |
| GStreamer--GStreamer gst-plugins-base, gst-plugins-good | In GStreamer through 1.26.1, the subparse plugin's subrip_unescape_formatting function may dereference a NULL pointer while parsing a subtitle file, leading to a crash. | 2025-08-07 | not yet calculated | CVE-2025-47807 |
| GStreamer--GStreamer gst-plugins-base, gst-plugins-good | In GStreamer through 1.26.1, the subparse plugin's tmplayer_parse_line function may dereference a NULL pointer while parsing a subtitle file, leading to a crash. | 2025-08-07 | not yet calculated | CVE-2025-47808 |
| halo--halo | The reconcile method in the AttachmentReconciler class of the Halo system v.2.20.18LTS and before is vulnerable to XSS attacks. | 2025-08-05 | not yet calculated | CVE-2025-51857 |
| huggingface--huggingface/transformers | A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Hugging Face Transformers library, specifically in the `convert_tf_weight_name_to_pt_weight_name()` function. This function, responsible for converting TensorFlow weight names to PyTorch format, uses a regex pattern `/[^/]*___([^/]*)/` that can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. The vulnerability affects versions up to 4.51.3 and is fixed in version 4.53.0. This issue can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting model conversion processes between TensorFlow and PyTorch formats. | 2025-08-06 | not yet calculated | CVE-2025-5197 |
| ICT Innovations--ICTBroadcast | The ICTBroadcast application unsafely passes session cookie data to shell processing, allowing an attacker to inject shell commands into a session cookie that get executed on the server. This results in unauthenticated remote code execution in the session handling. Versions 7.4 and below are known to be vulnerable. | 2025-08-05 | not yet calculated | CVE-2025-2611 |
| Imagination Technologies--Graphics DDK | Possible memory leak or kernel exceptions caused by reading kernel heap data after free or NULL pointer dereference kernel exception. | 2025-08-08 | not yet calculated | CVE-2025-46709 |
| Imagination Technologies--Graphics DDK | Kernel software installed and running inside an untrusted/rich execution environment (REE) could leak information from the trusted execution environment (TEE). | 2025-08-08 | not yet calculated | CVE-2025-6573 |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct ptrace system calls to issue writes to GPU origin read only memory. | 2025-08-04 | not yet calculated | CVE-2025-8109 |
| Intelbras--RX1500, RX3000 | A cross-site scripting (XSS) vulnerability in Intelbras RX1500 v2.2.9 and RX3000 v1.0.11 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name of a visiting Wi-Fi network. | 2025-08-04 | not yet calculated | CVE-2025-26065 |
| JanssenProject--jans | The Janssen Project is an open-source identity and access management (IAM) platform. In versions 1.9.0 and below, Janssen stores passwords in plaintext in the local cli_cmd.log file. This is fixed in the nightly prerelease. | 2025-08-05 | not yet calculated | CVE-2025-54876 |
| Jointelli--Jointelli 5G CPE 21H01-Rain | Jointelli 5G CPE 21H01 firmware JY_21H01_A3_v1.36 devices allow (blind) OS command injection. Multiple endpoints are vulnerable, including /ubus/?flag=set_WPS_pin and /ubus/?flag=netAppStar1 and /ubus/?flag=set_wifi_cfgs. This allows an authenticated attacker to execute arbitrary OS commands with root privileges via crafted inputs to the SSID, WPS, Traceroute, and Ping fields. | 2025-08-05 | not yet calculated | CVE-2025-43978 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26064. | 2025-08-06 | not yet calculated | CVE-2025-8628 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26252. | 2025-08-06 | not yet calculated | CVE-2025-8629 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26253. | 2025-08-06 | not yet calculated | CVE-2025-8630 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26254. | 2025-08-06 | not yet calculated | CVE-2025-8631 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26255. | 2025-08-06 | not yet calculated | CVE-2025-8632 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26256. | 2025-08-06 | not yet calculated | CVE-2025-8633 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26257. | 2025-08-06 | not yet calculated | CVE-2025-8634 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26258. | 2025-08-06 | not yet calculated | CVE-2025-8635 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26259. | 2025-08-06 | not yet calculated | CVE-2025-8636 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26260. | 2025-08-06 | not yet calculated | CVE-2025-8637 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26261. | 2025-08-06 | not yet calculated | CVE-2025-8638 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26262. | 2025-08-06 | not yet calculated | CVE-2025-8639 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26263. | 2025-08-06 | not yet calculated | CVE-2025-8640 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26264. | 2025-08-06 | not yet calculated | CVE-2025-8641 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26265. | 2025-08-06 | not yet calculated | CVE-2025-8642 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26266. | 2025-08-06 | not yet calculated | CVE-2025-8643 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26267. | 2025-08-06 | not yet calculated | CVE-2025-8644 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26268. | 2025-08-06 | not yet calculated | CVE-2025-8645 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26269. | 2025-08-06 | not yet calculated | CVE-2025-8646 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26270. | 2025-08-06 | not yet calculated | CVE-2025-8647 |
| Kenwood--DMX958XR | Kenwood DMX958XR Firmware Update Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26271. | 2025-08-06 | not yet calculated | CVE-2025-8648 |
| Kenwood--DMX958XR | Kenwood DMX958XR JKWifiService Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the JKWifiService. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26305. | 2025-08-06 | not yet calculated | CVE-2025-8649 |
| Kenwood--DMX958XR | Kenwood DMX958XR libSystemLib Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26306. | 2025-08-06 | not yet calculated | CVE-2025-8650 |
| Kenwood--DMX958XR | Kenwood DMX958XR JKWifiService Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the JKWifiService. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26307. | 2025-08-06 | not yet calculated | CVE-2025-8651 |
| Kenwood--DMX958XR | Kenwood DMX958XR JKWifiService Command Injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the JKWifiService. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26311. | 2025-08-06 | not yet calculated | CVE-2025-8652 |
| Kenwood--DMX958XR | Kenwood DMX958XR JKRadioService Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Kenwood DMX958XR. Authentication is not required to exploit this vulnerability. The specific flaw exists within the JKRadioService. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26312. | 2025-08-06 | not yet calculated | CVE-2025-8653 |
| Kenwood--DMX958XR | Kenwood DMX958XR ReadMVGImage Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ReadMVGImage function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26313. | 2025-08-06 | not yet calculated | CVE-2025-8654 |
| Kenwood--DMX958XR | Kenwood DMX958XR libSystemLib Command injection Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26314. | 2025-08-06 | not yet calculated | CVE-2025-8655 |
| Kenwood--DMX958XR | Kenwood DMX958XR Protection Mechanism Failure Software Downgrade Vulnerability. This vulnerability allows physically present attackers to downgrade software on affected installations of Kenwood DMX958XR devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the libSystemLib library. The issue results from the lack of proper validation of version information before performing an update. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-26355. | 2025-08-06 | not yet calculated | CVE-2025-8656 |
| Kordil--EDMS | An unauthenticated arbitrary file upload vulnerability exists in Kordil EDMS v2.2.60rc3. The application exposes an upload endpoint (users_add.php) that allows attackers to upload files to the /userpictures/ directory without authentication. This flaw enables remote code execution by uploading a PHP payload and invoking it via a direct HTTP request. | 2025-08-05 | not yet calculated | CVE-2013-10066 |
| leakingmemory--vtun-ng | VTun-ng is a Virtual Tunnel over TCP/IP network. In versions 3.0.17 and below, failure to initialize encryption modules might cause reversion to plaintext due to insufficient error handling. The bug was first introduced in VTun-ng version 3.0.12. This is fixed in version 3.0.18. To workaround this issue, avoid blowfish-256. | 2025-08-05 | not yet calculated | CVE-2025-54870 |
| LibrettoCMS--LibrettoCMS | An unauthenticated arbitrary file upload vulnerability exists in LibrettoCMS version 1.1.7 (and possibly earlier) contains an unauthenticated arbitrary file upload vulnerability in its File Manager plugin. The upload handler located at adm/ui/js/ckeditor/plugins/pgrfilemanager/php/upload.php fails to properly validate file extensions, allowing attackers to upload files with misleading extensions and subsequently rename them to executable .php scripts. This enables remote code execution on the server without authentication. | 2025-08-04 | not yet calculated | CVE-2013-10054 |
| Liferay--Portal | A reflected cross-site scripting (XSS) vulnerability in the Liferay Portal 7.4.0 through 7.4.3.133, and Liferay DXP 2025.Q1.0 through 2025.Q1.4 ,2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows an remote non-authenticated attacker to inject JavaScript into the modules/apps/blogs/blogs-web/src/main/resources/META-INF/resources/blogs/entry_cover_image_caption.jsp | 2025-08-08 | not yet calculated | CVE-2025-4576 |
| Liferay--Portal | Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.4 ,2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows a pre-authentication blind SSRF vulnerability in the portal-settings-authentication-opensso-web due to improper validation of user-supplied URLs. An attacker can exploit this issue to force the server to make arbitrary HTTP requests to internal systems, potentially leading to internal network enumeration or further exploitation. | 2025-08-09 | not yet calculated | CVE-2025-4581 |
| Liferay--Portal | The fragment preview functionality in Liferay Portal 7.4.3.61 through 7.4.3.132, and Liferay DXP 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 update 61 through update 92 was found to be vulnerable to postMessage-based XSS because it allows a remote non-authenticated attacker to inject JavaScript into the fragment portlet URL. | 2025-08-04 | not yet calculated | CVE-2025-4599 |
| Liferay--Portal | The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7, 2025.Q1.0 through 2025.Q1.15 and 7.4 update 80 through update 92 and then attackers can run scripts in the Gogo shell | 2025-08-04 | not yet calculated | CVE-2025-4604 |
| Liferay--Portal | SSRF vulnerability in FreeMarker templates in Liferay Portal 7.4.0 through 7.4.3.132, and Liferay DXP 2025.Q1.0 through 2025.Q1.5, 2024.Q4.0 through 2024.Q4.7, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.15, 7.4 GA through update 92 allows template editors to bypass access validations via crafted URLs. | 2025-08-09 | not yet calculated | CVE-2025-4655 |
| Lighthouse Data--GPMAW | GPMAW 14, a bioinformatics software, has a critical vulnerability related to insecure file permissions in its installation directory. The directory is accessible with full read, write, and execute permissions for all users, allowing unprivileged users to manipulate files within the directory, including executable files like GPMAW3.exe, Fragment.exe, and the uninstaller GPsetup64_17028.exe. An attacker with user-level access can exploit this misconfiguration by replacing or modifying the uninstaller (GPsetup64_17028.exe) with a malicious version. While the application itself runs in the user's context, the uninstaller is typically executed with administrative privileges when an administrator attempts to uninstall the software. By exploiting this flaw, an attacker could gain administrative privileges and execute arbitrary code in the context of the admin, resulting in privilege escalation. | 2025-08-07 | not yet calculated | CVE-2025-50675 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix using strlen with hdev->{dev_name,short_name} Both dev_name and short_name are not guaranteed to be NULL terminated so this instead use strnlen and then attempt to determine if the resulting string needs to be truncated or not. | 2025-08-09 | not yet calculated | CVE-2022-50233 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test This fixes the tx timeout issue seen while running a stress test on btnxpuart for couple of hours, such that the interval between two HCI commands coincide with the power save timeout value of 2 seconds. Test procedure using bash script: <load btnxpuart.ko> hciconfig hci0 up //Enable Power Save feature hcitool -i hci0 cmd 3f 23 02 00 00 while (true) do hciconfig hci0 leadv sleep 2 hciconfig hci0 noleadv sleep 2 done Error log, after adding few more debug prints: Bluetooth: btnxpuart_queue_skb(): 01 0A 20 01 00 Bluetooth: hci0: Set UART break: on, status=0 Bluetooth: hci0: btnxpuart_tx_wakeup() tx_work scheduled Bluetooth: hci0: btnxpuart_tx_work() dequeue: 01 0A 20 01 00 Can't set advertise mode on hci0: Connection timed out (110) Bluetooth: hci0: command 0x200a tx timeout When the power save mechanism turns on UART break, and btnxpuart_tx_work() is scheduled simultaneously, psdata->ps_state is read as PS_STATE_AWAKE, which prevents the psdata->work from being scheduled, which is responsible to turn OFF UART break. This issue is fixed by adding a ps_lock mutex around UART break on/off as well as around ps_state read/write. btnxpuart_tx_wakeup() will now read updated ps_state value. If ps_state is PS_STATE_SLEEP, it will first schedule psdata->work, and then it will reschedule itself once UART break has been turned off and ps_state is PS_STATE_AWAKE. Tested above script for 50,000 iterations and TX timeout error was not observed anymore. | 2025-08-09 | not yet calculated | CVE-2024-58238 |
| Marbella--KR8s Dashcam | An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Once access is gained either by default, common, or cracked passwords, the video recordings (containing sensitive routes, conversations, and footage) are open for downloading by creating a socket to command port 7777, and then downloading video via port 7778 and audio via port 7779. | 2025-08-06 | not yet calculated | CVE-2025-30127 |
| Maxthon International Ltd.--Maxthon3 Browser | Maxthon3 versions prior to 3.3 are vulnerable to cross context scripting (XCS) via the about:history page. The browser's trusted zone improperly handles injected script content, allowing attackers to execute arbitrary JavaScript in a privileged context. This flaw enables modification of browser configuration and execution of arbitrary code through Maxthon's exposed DOM APIs, including maxthon.program.Program.launch() and maxthon.io.writeDataURL(). Exploitation requires user interaction, typically by visiting a malicious webpage that triggers the injection. | 2025-08-05 | not yet calculated | CVE-2012-10032 |
| MediaTek, Inc.--MT2718, MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT8186, MT8196, MT8391, MT8676, MT8678, MT8775, MT8786, MT8788E, MT8792, MT8796, MT8873, MT8883, MT8893 | In Power HAL, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS09915400; Issue ID: MSV-3793. | 2025-08-04 | not yet calculated | CVE-2025-20698 |
| MediaTek, Inc.--MT2718, MT6761, MT6765, MT6768, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6889, MT6893, MT6897, MT6989, MT6991, MT8186, MT8196, MT8391, MT8678, MT8775, MT8786, MT8788E, MT8792, MT8796, MT8873, MT8883, MT8893 | In Power HAL, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS09915681; Issue ID: MSV-3795. | 2025-08-04 | not yet calculated | CVE-2025-20697 |
| MediaTek, Inc.--MT6739, MT6761, MT6765, MT6768, MT6781, MT6789, MT6813, MT6833, MT6835, MT6853, MT6855, MT6877, MT6878, MT6879, MT6883, MT6885, MT6886, MT6889, MT6893, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6990, MT6991, MT8188, MT8196, MT8370, MT8390, MT8676 | In DA, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: ALPS09915215; Issue ID: MSV-3801. | 2025-08-04 | not yet calculated | CVE-2025-20696 |
| Meta Platforms, Inc--ExecuTorch | An integer overflow vulnerability in the loading of ExecuTorch models can cause overlapping allocations, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit d158236b1dc84539c1b16843bc74054c9dcba006. | 2025-08-07 | not yet calculated | CVE-2025-30404 |
| Meta Platforms, Inc--ExecuTorch | An integer overflow vulnerability in the loading of ExecuTorch models can cause objects to be placed outside their allocated memory area, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 0830af8207240df8d7f35b984cdf8bc35d74fa73. | 2025-08-07 | not yet calculated | CVE-2025-30405 |
| Meta Platforms, Inc--ExecuTorch | A heap buffer overflow vulnerability in the loading of ExecuTorch models can potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit ede82493dae6d2d43f8c424e7be4721abe5242be | 2025-08-07 | not yet calculated | CVE-2025-54949 |
| Meta Platforms, Inc--ExecuTorch | An out-of-bounds access vulnerability in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit b6b7a16df5e7852d976d8c34c8a7e9a1b6f7d005. | 2025-08-07 | not yet calculated | CVE-2025-54950 |
| Meta Platforms, Inc--ExecuTorch | A group of related buffer overflow vulnerabilities in the loading of ExecuTorch models can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit cea9b23aa8ff78aff92829a466da97461cc7930c. | 2025-08-07 | not yet calculated | CVE-2025-54951 |
| Meta Platforms, Inc--ExecuTorch | An integer overflow vulnerability in the loading of ExecuTorch models can cause smaller-than-expected memory regions to be allocated, potentially resulting in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 8f062d3f661e20bb19b24b767b9a9a46e8359f2b. | 2025-08-07 | not yet calculated | CVE-2025-54952 |
| Mitel-- 6800 Series, 6900 Series, and 6900w Series SIP Phones | A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit through 6.4 SP4, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary commands within the context of the phone, leading to disclosure or modification of sensitive configuration data or affecting device availability and operation. | 2025-08-07 | not yet calculated | CVE-2025-47188 |
| Mitel--MiCollab | A vulnerability in the NuPoint Unified Messaging (NPM) component of Mitel MiCollab through 9.8 SP2 (9.8.2.12) could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation. A successful exploit could allow unauthorized access, enabling the attacker to view, corrupt, or delete users' data and system configurations. | 2025-08-08 | not yet calculated | CVE-2025-52913 |
| Mitel--MiCollab | A vulnerability in the Suite Applications Services component of Mitel MiCollab 10.0 through SP1 FP1 (10.0.1.101) could allow an authenticated attacker to conduct a SQL Injection attack due to insufficient validation of user input. A successful exploit could allow an attacker to execute arbitrary SQL database commands. | 2025-08-08 | not yet calculated | CVE-2025-52914 |
| MobileCartly--MobileCartly | MobileCartly version 1.0 contains an arbitrary file creation vulnerability in the savepage.php script. The application fails to perform authentication or authorization checks before invoking file_put_contents() on attacker-controlled input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP GET requests to savepage.php, specifying both the filename and content. This allows arbitrary file creation within the pages/ directory or any writable path on the server, allowing remote code execution. | 2025-08-08 | not yet calculated | CVE-2012-10044 |
| Mubit co.,ltd.--Powered BLUE 870 | Powered BLUE 870 versions 0.20130927 and prior contain an OS command injection vulnerability. If this vulnerability is exploited, arbitrary OS commands may be executed on the affected product. | 2025-08-08 | not yet calculated | CVE-2025-54958 |
| Mubit co.,ltd.--Powered BLUE 870 | Powered BLUE Server versions 0.20130927 and prior contain a path traversal vulnerability. If this vulnerability is exploited, an arbitrary file in the affected product may be disclosed. | 2025-08-08 | not yet calculated | CVE-2025-54959 |
| n/a--AutoConnect | AutoConnect 1.4.2, an Arduino library, is vulnerable to a cross site scripting (xss) vulnerability. The AutoConnect web interface /_ac/config allows HTML/JS code to be executed via a crafted network SSID. | 2025-08-06 | not yet calculated | CVE-2025-50740 |
| n/a--CMS Platform v5 | Unisite CMS version 5.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the "Report" functionality. A malicious script submitted by an attacker is rendered in the admin panel when viewed by an administrator. This allows attackers to hijack the admin session and, by leveraging the template editor, upload and execute a PHP web shell on the server, leading to full remote code execution. | 2025-08-04 | not yet calculated | CVE-2025-50754 |
| n/a--CyberGhostVPNSetup.exe | CyberGhostVPNSetup.exe (Windows installer) is signed using the weak cryptographic hash algorithm SHA-1, which is vulnerable to collision attacks. This allows a malicious actor to craft a fake installer with a forged SHA-1 certificate that may still be accepted by Windows signature verification mechanisms, particularly on systems without strict SmartScreen or trust policy enforcement. Additionally, the installer lacks High Entropy Address Space Layout Randomization (ASLR), as confirmed by BinSkim (BA2015 rule) and repeated WinDbg analysis. The binary consistently loads into predictable memory ranges, increasing the success rate of memory corruption exploits. These two misconfigurations, when combined, significantly lower the bar for successful supply-chain style attacks or privilege escalation through fake installers. | 2025-08-04 | not yet calculated | CVE-2025-51726 |
| n/a--eyouCMS | EyouCMS 1.6.7 is vulnerable to Cross Site Scripting (XSS) in /login.php?m=admin&c=System&a=web&lang=cn. | 2025-08-07 | not yet calculated | CVE-2024-52680 |
| n/a--FoxCMS | FoxCMS <=v1.2.5 is vulnerable to Code Execution in admin/template_file/editFile.html. | 2025-08-07 | not yet calculated | CVE-2025-50692 |
| n/a--GitKraken Desktop | The GitKraken Desktop 10.8.0 and 11.1.0 is susceptible to code injection due to misconfigured Electron Fuses. Specifically, the following insecure settings were observed: RunAsNode is enabled and EnableNodeCliInspectArguments is not disabled. These configurations allow the application to be executed in Node.js mode, enabling attackers to pass arguments that result in arbitrary code execution. | 2025-08-04 | not yet calculated | CVE-2025-51387 |
| n/a--Hospital Management System | Hospital Management System 4 is vulnerable to a SQL injection in /Hospital-Management-System-master/func.php via the password2 parameter. | 2025-08-07 | not yet calculated | CVE-2023-40992 |
| n/a--Hospital Management System | Hospital Management System v4 was discovered to contain a SQL injection vulnerability via the patient_contact parameter in patientsearch.php. | 2025-08-07 | not yet calculated | CVE-2023-41525 |
| n/a--Hospital Management System | Hospital Management System v4 was discovered to contain multiple SQL injection vulnerabilities in func1.php via the username3 and password3 parameters. | 2025-08-07 | not yet calculated | CVE-2023-41526 |
| n/a--Hospital Management System | Hospital Management System v4 was discovered to contain a SQL injection vulnerability via the password2 parameter in func.php. | 2025-08-07 | not yet calculated | CVE-2023-41527 |
| n/a--Hospital Management System | Hospital Management System v4 was discovered to contain multiple SQL injection vulnerabilities in contact.php via the txtname, txtphone, and txtmail parameters. | 2025-08-07 | not yet calculated | CVE-2023-41528 |
| n/a--Hospital Management System | Hospital Management System v4 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities in func2.php via the fname and lname parameters. | 2025-08-07 | not yet calculated | CVE-2023-41529 |
| n/a--Hospital Management System | Hospital Management System v4 was discovered to contain a SQL injection vulnerability via the app_contact parameter in appsearch.php. | 2025-08-07 | not yet calculated | CVE-2023-41530 |
| n/a--Hospital Management System | Hospital Management System v4 was discovered to contain multiple SQL injection vulnerabilities in func3.php via the username1 and password2 parameters. | 2025-08-07 | not yet calculated | CVE-2023-41531 |
| n/a--Hospital Management System | Hospital Management System v4 was discovered to contain a SQL injection vulnerability via the doctor_contact parameter in doctorsearch.php. | 2025-08-07 | not yet calculated | CVE-2023-41532 |
| n/a--MCCMS | MCCMS v2.7.0 has an SSRF vulnerability located in the index() method of the sys\apps\controllers\api\Gf.php file, where the pic parameter is processed. The pic parameter is decrypted using the sys_auth($pic, 1) function, which utilizes a hard-coded key Mc_Encryption_Key (bD2voYwPpNuJ7B8), defined in the db.php file. The decrypted URL is passed to the geturl() method, which uses cURL to make a request to the URL without proper security checks. An attacker can craft a malicious encrypted pic parameter, which, when decrypted, points to internal addresses or local file paths (such as http://127.0.0.1 or file://). By using the file:// protocol, the attacker can access arbitrary files on the local file system (e.g., file:///etc/passwd, file:///C:/Windows/System32/drivers/etc/hosts), allowing them to read sensitive configuration files, log files, and more, leading to information leakage or system exposure. The danger of this SSRF vulnerability includes accessing internal services and local file systems through protocols like http://, ftp://, and file://, which can result in sensitive data leakage, remote code execution, privilege escalation, or full system compromise, severely affecting the system's security and stability. | 2025-08-06 | not yet calculated | CVE-2025-50234 |
| n/a--Ollama | An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull. | 2025-08-07 | not yet calculated | CVE-2025-44779 |
| n/a--openjpeg | openjpeg v 2.5.0 was discovered to contain a NULL pointer dereference via the component /openjp2/dwt.c. | 2025-08-07 | not yet calculated | CVE-2025-50952 |
| n/a--OpenOrange Business Framework | OpenOrange Business Framework 1.15.5 provides unprivileged users with write access to the installation directory. | 2025-08-07 | not yet calculated | CVE-2024-42048 |
| n/a--poco | poco v1.14.1-release was discovered to contain weak encryption. | 2025-08-06 | not yet calculated | CVE-2025-45766 |
| n/a--QCMS | A vulnerability in QCMS version 6.0.5 allows authenticated users to read arbitrary files from the server due to insufficient validation of the "Name" parameter in the backend template editor. By manipulating the parameter, attackers can perform directory traversal and access sensitive files outside the intended template directory, potentially exposing system configuration, PHP source code, or other sensitive information. | 2025-08-06 | not yet calculated | CVE-2025-50233 |
| n/a--ruby-jwt | ruby-jwt v3.0.0.beta1 was discovered to contain weak encryption. NOTE: the Supplier's perspective is "keysize is not something that is enforced by this library. Currently more recent versions of OpenSSL are enforcing some key sizes and those restrictions apply to the users of this gem also." | 2025-08-07 | not yet calculated | CVE-2025-45765 |
| n/a--Sage DPW | A reflected cross-site scripting (XSS) vulnerability in Sage DPW v2024.12.003 allows attackers to execute arbitrary JavaScript in the context of a victim's browser via injcting a crafted payload into the tabfields parameter at /dpw/scripts/cgiip.exe/WService. This is fixed in Halbjahresversion 2024_12_004. | 2025-08-06 | not yet calculated | CVE-2025-51531 |
| n/a--SeaCMS | Cross site scripting vulnerability in seacms before 13.2 via the vid parameter to Upload/js/player/dmplayer/player. | 2025-08-05 | not yet calculated | CVE-2025-50592 |
| n/a--SOGo | An Insecure Direct Object Reference (IDOR) vulnerability was discovered in SOGo Webmail thru 5.6.0, allowing an authenticated user to send emails on behalf of other users by manipulating a user-controlled identifier in the email-sending request. The server fails to verify whether the authenticated user is authorized to use the specified sender identity, resulting in unauthorized message delivery as another user. This can lead to impersonation, phishing, or unauthorized communication within the system. | 2025-08-04 | not yet calculated | CVE-2025-50340 |
| n/a--SSCMS | An issue in the component /stl/actions/download?filePath of SSCMS v7.3.1 allows attackers to execute a directory traversal. | 2025-08-05 | not yet calculated | CVE-2025-52237 |
| n/a--Student Attendance Management System | Student Attendance Management System v1 was discovered to contain a cross-site scripting (XSS) vulnerability via the sessionName parameter at createSessionTerm.php. | 2025-08-07 | not yet calculated | CVE-2023-41519 |
| n/a--Student Attendance Management System | Student Attendance Management System v1 was discovered to contain multiple SQL injection vulnerabilities in createClassArms.php via the classId and classArmName parameters. | 2025-08-07 | not yet calculated | CVE-2023-41520 |
| n/a--Student Attendance Management System | Student Attendance Management System v1 was discovered to contain multiple SQL injection vulnerabilities in createSessionTerm.php via the id, termId, and sessionName parameters. | 2025-08-07 | not yet calculated | CVE-2023-41521 |
| n/a--Student Attendance Management System | Student Attendance Management System v1 was discovered to contain multiple SQL injection vulnerabilities in createStudents.php via the Id, firstname, and admissionNumber parameters. | 2025-08-07 | not yet calculated | CVE-2023-41522 |
| n/a--Student Attendance Management System | Student Attendance Management System v1 was discovered to contain a SQL injection vulnerability via the emailAddress parameter at createClassTeacher.php. | 2025-08-07 | not yet calculated | CVE-2023-41523 |
| n/a--Student Attendance Management System | Student Attendance Management System v1 was discovered to contain a SQL injection vulnerability via the username parameter at index.php. | 2025-08-07 | not yet calculated | CVE-2023-41524 |
| n/a--thinkphp | An issue in thinkphp v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function | 2025-08-05 | not yet calculated | CVE-2025-50706 |
| n/a--thinkphp | An issue in thinkphp3 v.3.2.5 allows a remote attacker to execute arbitrary code via the index.php component | 2025-08-05 | not yet calculated | CVE-2025-50707 |
| n/a--Writebot – AI Content Generator SaaS React Template | File upload vulnerability in Writebot AI Content Generator SaaS React Template thru 4.0.0, allowing remote attackers to gain escalated privileges via a crafted POST request to the /file-upload endpoint. | 2025-08-05 | not yet calculated | CVE-2025-52078 |
| n/a--ZKEACMS | An arbitrary file upload vulnerability in ZKEACMS v4.1 allows attackers to execute arbitrary code via a crafted file. | 2025-08-04 | not yet calculated | CVE-2025-52239 |
| Nagios Enterprises--Nagios XI Graph Explorer | Nagios XI Network Monitor prior to Graph Explorer component version 1.3 contains a command injection vulnerability in `visApi.php`. An authenticated user can inject system commands via unsanitized parameters such as `host`, resulting in remote code execution. | 2025-08-05 | not yet calculated | CVE-2012-10029 |
| Netwin--SurgeFTP | Netwin SurgeFTP version 23c8 and prior contains a vulnerability in its web-based administrative console that allows authenticated users to execute arbitrary system commands via crafted POST requests to `surgeftpmgr.cgi`. This can lead to full remote code execution on the underlying system. | 2025-08-05 | not yet calculated | CVE-2012-10028 |
| Netwrix--Directory Manager | Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows XSS for authentication error data, a different vulnerability than CVE-2025-47189. | 2025-08-07 | not yet calculated | CVE-2025-54392 |
| Netwrix--Directory Manager | Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows Static Code Injection. Authenticated users can obtain administrative access. | 2025-08-07 | not yet calculated | CVE-2025-54393 |
| Netwrix--Directory Manager | Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 has Insufficiently Protected Credentials for requests to remote Excel resources. | 2025-08-07 | not yet calculated | CVE-2025-54394 |
| Netwrix--Directory Manager | Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows XSS for authentication configuration data. | 2025-08-07 | not yet calculated | CVE-2025-54395 |
| Netwrix--Directory Manager | Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 allows SQL Injection. Authenticated users can exploit this. | 2025-08-07 | not yet calculated | CVE-2025-54396 |
| Netwrix--Directory Manager | Netwrix Directory Manager (formerly Imanami GroupID) 11.0.0.0 before 11.1.25162.02 inserts Sensitive Information Into Sent Data to authenticated users. | 2025-08-07 | not yet calculated | CVE-2025-54397 |
| ngstrm Distribution Project--Narcissus | Narcissus is vulnerable to remote code execution via improper input handling in its image configuration workflow. Specifically, the backend.php script fails to sanitize the release parameter before passing it to the configure_image() function. This function invokes PHP's passthru() with the unsanitized input, allowing attackers to inject arbitrary system commands. Exploitation occurs via a crafted POST request, resulting in command execution under the web server's context. | 2025-08-05 | not yet calculated | CVE-2012-10033 |
| open-metadata--OpenMetadata | OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the TestDefinitionDAO interface. The supportedDataTypeParam parameter can be used to build a SQL query. | 2025-08-08 | not yet calculated | CVE-2025-50467 |
| open-metadata--OpenMetadata | OpenMetadata <=1.4.4 is vulnerable to SQL Injection. An attacker can extract information from the database in function listCount in the DocStoreDAO interface. The entityType parameters can be used to build a SQL query. | 2025-08-08 | not yet calculated | CVE-2025-50468 |
| OpenText--Advanced Authentication | A weakness identified in OpenText Advanced Authentication where a Malicious browser plugin can record and replay the user authentication process to bypass Authentication. This issue affects Advanced Authentication on or before 6.5.0. | 2025-08-06 | not yet calculated | CVE-2025-8616 |
| owasp-modsecurity--ModSecurity | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response's Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrated the potential for XSS and arbitrary script source code disclosure in the latest version of mod_security2. This issue is fixed in version 2.9.12. | 2025-08-05 | not yet calculated | CVE-2025-54571 |
| Photodex Corporation--ProShow Producer | Photodex ProShow Producer version 5.0.3256 contains a stack-based buffer overflow vulnerability in the handling of plugin load list files. When a specially crafted load file is placed in the installation directory, the application fails to properly validate its contents, leading to a buffer overflow when the file is parsed during startup. Exploitation requires local access to place the file and user interaction to launch the application. | 2025-08-08 | not yet calculated | CVE-2012-10051 |
| PHP-Charts--PHP-Charts | PHP-Charts v1.0 contains a PHP code execution vulnerability in wizard/url.php, where user-supplied GET parameter names are passed directly to eval() without sanitization. A remote attacker can exploit this flaw by crafting a request that injects arbitrary PHP code, resulting in command execution under the web server's context. The vulnerability allows unauthenticated attackers to execute system-level commands via base64-encoded payloads embedded in parameter names, leading to full compromise of the host system. | 2025-08-05 | not yet calculated | CVE-2013-10070 |
| PMSoftware--Simple Web Server | Simple Web Server 2.2 rc2 contains a stack-based buffer overflow vulnerability in its handling of the Connection HTTP header. When a remote attacker sends an overly long string in this header, the server uses vsprintf() without proper bounds checking, leading to a buffer overflow on the stack. This flaw allows remote attackers to execute arbitrary code with the privileges of the web server process. The vulnerability is triggered before authentication. | 2025-08-08 | not yet calculated | CVE-2012-10053 |
| ProjectPier--ProjectPier | Project Pier 0.8.8 and earlier contains an unauthenticated arbitrary file upload vulnerability in tools/upload_file.php. The upload handler fails to validate the file type or enforce authentication, allowing remote attackers to upload malicious PHP files directly into a web-accessible directory. The uploaded file is stored with a predictable suffix and can be executed by requesting its URL, resulting in remote code execution. | 2025-08-08 | not yet calculated | CVE-2012-10036 |
| risc0--risc0 | RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture. RISC packages risc0-zkvm versions 2.0.0 through 2.1.0 and risc0-circuit-rv32im and risc0-circuit-rv32im-sys versions 2.0.0 through 2.0.4 contain vulnerabilities where signed integer division allows multiple outputs for certain inputs with only one being valid, and division by zero results are underconstrained. This issue is fixed in risc0-zkvm version 2.2.0 and version 3.0.0 for the risc0-circuit-rv32im and risc0-circuit-rv32im-sys packages. | 2025-08-05 | not yet calculated | CVE-2025-54873 |
| Roche Diagnostics--navify Monitoring | Improper Input Validation vulnerability in Roche Diagnostics navify Monitoring allows an attacker to manipulate input data, which may lead to a denial of service (DoS) due to negatively impacting the server's performance. This vulnerability has no impact on data confidentiality or integrity. This issue affects navify Monitoring before 1.08.00. | 2025-08-05 | not yet calculated | CVE-2025-7674 |
| Rockwell Automation--Arena Simulation | A memory abuse issue exists in the Rockwell Automation Arena® Simulation. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information. | 2025-08-05 | not yet calculated | CVE-2025-7025 |
| Rockwell Automation--Arena Simulation | A memory abuse issue exists in the Rockwell Automation Arena® Simulation. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information. | 2025-08-05 | not yet calculated | CVE-2025-7032 |
| Rockwell Automation--Arena Simulation | A memory abuse issue exists in the Rockwell Automation Arena® Simulation. A custom file can force Arena Simulation to read and write past the end of memory space. Successful use requires user action, such as opening a bad file or webpage. If used, a threat actor could execute code or disclose information. | 2025-08-05 | not yet calculated | CVE-2025-7033 |
| Samsung--Samsung Mobile Processor Exynos | An issue was discovered in Samsung Mobile Processor Exynos 2100, 1280, 2200, 1330, 1380, 1480, and 2400. A lack of a JPEG length check leads to an out-of-bound write. | 2025-08-04 | not yet calculated | CVE-2024-45183 |
| SATO Corporation--CL4/6NX Plus | OS command injection vulnerability exists in CL4/6NX Plus and CL4/6NX-J Plus (Japan model) with the firmware versions prior to 1.15.5-r1. An arbitrary OS command may be executed on the system with a certain non-administrative user privilege. | 2025-08-06 | not yet calculated | CVE-2025-22469 |
| SATO Corporation--CL4/6NX Plus | CL4/6NX Plus and CL4/6NX-J Plus (Japan model) with the firmware versions prior to 1.15.5-r1 allow crafted dangerous files to be uploaded. An arbitrary Lua script may be executed on the system with the root privilege. | 2025-08-06 | not yet calculated | CVE-2025-22470 |
| Setasign--FPDI | FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. In versions 2.6.2 and below, any application that uses FPDI to process user-supplied PDF files is at risk, causing a Denial of Service (DoS) vulnerability. An attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion. Repeated attacks can lead to sustained service unavailability. This issue is fixed in version 2.6.3. | 2025-08-05 | not yet calculated | CVE-2025-54869 |
| Sflog!--Sflog! CMS | Sflog! CMS 1.0 contains an authenticated arbitrary file upload vulnerability in the blog management interface. The application ships with default credentials (admin:secret) and allows authenticated users to upload files via manage.php. The upload mechanism fails to validate file types, enabling attackers to upload a PHP backdoor into a web-accessible directory (blogs/download/uploads/). Once uploaded, the file can be executed remotely, resulting in full remote code execution. | 2025-08-08 | not yet calculated | CVE-2012-10042 |
| Shenzhen Aitemi E Commerce Co. Ltd.--M300 Wi-Fi Repeater | An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in Extender mode via its captive portal, the extap2g SSID field is inserted unescaped into a reboot-time shell script. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root during device reboot, leading to full system compromise. | 2025-08-04 | not yet calculated | CVE-2025-34147 |
| Shenzhen Aitemi E Commerce Co. Ltd.--M300 Wi-Fi Repeater | An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in WISP mode, the 'ssid' parameter is passed unsanitized to system-level scripts. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root, resulting in full device compromise. | 2025-08-07 | not yet calculated | CVE-2025-34148 |
| Shenzhen Aitemi E Commerce Co. Ltd.--M300 Wi-Fi Repeater | A command injection vulnerability affects the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) during WPA2 configuration. The 'key' parameter is interpreted directly by the system shell, enabling attackers to execute arbitrary commands as root. Exploitation requires no authentication and can be triggered during wireless setup. | 2025-08-07 | not yet calculated | CVE-2025-34149 |
| Shenzhen Aitemi E Commerce Co. Ltd.--M300 Wi-Fi Repeater | The PPPoE configuration interface of the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) is vulnerable to command injection via the 'user' parameter. Input is processed unsafely during network setup, allowing attackers to execute arbitrary system commands with root privileges. | 2025-08-07 | not yet calculated | CVE-2025-34150 |
| Shenzhen Aitemi E Commerce Co. Ltd.--M300 Wi-Fi Repeater | A command injection vulnerability exists in the 'passwd' parameter of the PPPoE setup process on the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). The input is passed directly to system-level commands without sanitation, enabling unauthenticated attackers to achieve root-level code execution. | 2025-08-07 | not yet calculated | CVE-2025-34151 |
| Shenzhen Aitemi E Commerce Co. Ltd.--M300 Wi-Fi Repeater | An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02) via the 'time' parameter of the '/protocol.csp?' endpoint. The input is processed by the internal date '-s' command without rebooting or disrupting HTTP service. Unlike other injection points, this vector allows remote compromise without triggering visible configuration changes. | 2025-08-07 | not yet calculated | CVE-2025-34152 |
| Shopware--Shopware | A stored cross-site scripting (XSS) vulnerability exists in the Shopware 6 installation interface at /recovery/install/database-configuration/. The c_database_schema field fails to properly sanitize user-supplied input before rendering it in the browser, allowing an attacker to inject malicious JavaScript. This vulnerability can be exploited via a Cross-Site Request Forgery (CSRF) attack due to the absence of CSRF protections on the POST request. An unauthenticated remote attacker can craft a malicious web page that, when visited by a victim, stores the payload persistently in the installation configuration. As a result, the payload executes whenever any user subsequently accesses the vulnerable installation page, leading to persistent client-side code execution. | 2025-08-05 | not yet calculated | CVE-2025-51541 |
| Shopware--Shopware | A race condition vulnerability has been identified in Shopware's voucher system of Shopware v6.6.10.4 that allows attackers to bypass intended voucher restrictions and exceed usage limitations. | 2025-08-06 | not yet calculated | CVE-2025-7954 |
| simbo1905--thinbus-srp-npm | Thinbus Javascript Secure Remote Password is a browser SRP6a implementation for zero-knowledge password authentication. In versions 2.0.0 and below, a protocol compliance bug causes the client to generate a fixed 252 bits of entropy instead of the intended bit length of the safe prime (defaulted to 2048 bits). The client public value is being generated from a private value that is 4 bits below the specification. This reduces the protocol's designed security margin it is now practically exploitable. The servers full sized 2048 bit random number is used to create the shared session key and password proof. This is fixed in version 2.0.1. | 2025-08-07 | not yet calculated | CVE-2025-54885 |
| Statamic--Statamic Core | The /users endpoint in Statamic Core before 2.11.8 allows XSS to add an administrator user. This can be exploited via CSRF. Stored XSS can occur via a JavaScript payload in a username during account registration. Reflected XSS can occur via the /users PATH_INFO. | 2025-08-08 | not yet calculated | CVE-2020-9322 |
| SuiteCRM--SuiteCRM | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Versions 7.14.6 and below have a Reflected Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include some arbitrary domain with malicious JavaScript code at the end. The server will attempt to block the arbitrary domain but allow the JavaScript code to execute. This is fixed in version 7.14.7. | 2025-08-07 | not yet calculated | CVE-2025-54783 |
| SuiteCRM--SuiteCRM | SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. There is a Cross Site Scripting (XSS) vulnerability in the email viewer in versions 7.14.0 through 7.14.6. An external attacker could send a prepared message to the inbox of the SuiteCRM-instance. By simply viewing emails as the logged-in user, the payload can be triggered. With that, an attacker is able to run arbitrary actions as the logged-in user - like extracting data, or if it is an admin executing the payload, takeover the instance. This is fixed in versions 7.14.7. | 2025-08-07 | not yet calculated | CVE-2025-54784 |
| sunnyadn--js-toml | js-toml is a TOML parser for JavaScript, fully compliant with the TOML 1.0.0 Spec. In versions below 1.0.2, a prototype pollution vulnerability in js-toml allows a remote attacker to add or modify properties of the global Object.prototype by parsing a maliciously crafted TOML input. This is fixed in version 1.0.2. | 2025-08-05 | not yet calculated | CVE-2025-54803 |
| Sysax Software--Multi-Server | A denial-of-service vulnerability exists in Sysax Multi-Server version 6.10 via its SSH daemon. A specially crafted SSH key exchange packet can trigger a crash in the service, resulting in loss of availability. The flaw is triggered during the handling of malformed key exchange data, including a non-standard byte (\x28) in place of the expected SSH protocol delimiter. | 2025-08-05 | not yet calculated | CVE-2013-10065 |
| TAGFREE--X-Free Uploader | : Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TAGFREE X-Free Uploader XFU allows Path Traversal.This issue affects X-Free Uploader: from 1.0.1.0084 before 1.0.1.0085, from 2.0.1.0034 before 2.0.1.0035. | 2025-08-07 | not yet calculated | CVE-2025-29865 |
| TAGFREE--X-Free Uploader | : External Control of File Name or Path vulnerability in TAGFREE X-Free Uploader XFU allows : Parameter Injection.This issue affects X-Free Uploader: from 1.0.1.0084 before 1.0.1.0085, from 2.0.1.0034 before 2.0.1.0035. | 2025-08-07 | not yet calculated | CVE-2025-29866 |
| TechPowerUp--ThrottleStop | ThrottleStop.sys, a legitimate driver, exposes two IOCTL interfaces that allow arbitrary read and write access to physical memory via the MmMapIoSpace function. This insecure implementation can be exploited by a malicious user-mode application to patch the running Windows kernel and invoke arbitrary kernel functions with ring-0 privileges. The vulnerability enables local attackers to execute arbitrary code in kernel context, resulting in privilege escalation and potential follow-on attacks, such as disabling security software or bypassing kernel-level protections. ThrottleStop.sys version 3.0.0.0 and possibly others are affected. Apply updates per vendor instructions. | 2025-08-06 | not yet calculated | CVE-2025-7771 |
| Tigo Energy--Cloud Connect Advanced | Tigo Energy's Cloud Connect Advanced (CCA) device contains hard-coded credentials that allow unauthorized users to gain administrative access. This vulnerability enables attackers to escalate privileges and take full control of the device, potentially modifying system settings, disrupting solar energy production, and interfering with safety mechanisms. | 2025-08-06 | not yet calculated | CVE-2025-7768 |
| Tigo Energy--Cloud Connect Advanced | Tigo Energy's CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure. | 2025-08-06 | not yet calculated | CVE-2025-7769 |
| Tigo Energy--Cloud Connect Advanced | Tigo Energy's CCA device is vulnerable to insecure session ID generation in their remote API. The session IDs are generated using a predictable method based on the current timestamp, allowing attackers to recreate valid session IDs. When combined with the ability to circumvent session ID requirements for certain commands, this enables unauthorized access to sensitive device functions on connected solar optimization systems. | 2025-08-06 | not yet calculated | CVE-2025-7770 |
| tnb-labs--panel | RatPanel is a server operation and maintenance management panel. In versions 2.3.19 through 2.5.5, when an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force cracking, etc.), they can execute system commands or take over hosts managed by the panel without logging in. In addition to this remote code execution (RCE) vulnerability, the flawed code also leads to unauthorized access. RatPanel uses the CleanPath middleware provided by github.com/go-chi/chi package to clean URLs, but but the middleware does not process r.URL.Path, which can cause the paths to be misinterpreted. This is fixed in version 2.5.6. | 2025-08-05 | not yet calculated | CVE-2025-53534 |
| TOTOLINK--N600R | TOTOLINK N600R V4.3.0cu.7647_B20210106 was discovered to contain a command injection vulnerability via the pin parameter in the setWiFiWpsConfig function. | 2025-08-04 | not yet calculated | CVE-2025-51390 |
| TurboSoft, Inc.--TurboFTP Server | Turbo FTP Server versions 1.30.823 and 1.30.826 contain a buffer overflow vulnerability in the handling of the PORT command. By sending a specially crafted payload, an unauthenticated remote attacker can overwrite memory structures and execute arbitrary code with SYSTEM privileges. | 2025-08-05 | not yet calculated | CVE-2012-10035 |
| Twisted Matrix Labs--TwistedWeb | A command injection vulnerability exists in TwistedWeb (version 14.0.0) due to improper input sanitization in the file upload functionality. An attacker can exploit this vulnerability by sending a specially crafted HTTP PUT request to upload a malicious file (e.g., a reverse shell script). Once uploaded, the attacker can trigger the execution of arbitrary commands on the target system, allowing for remote code execution. This could lead to escalation of privileges depending on the privileges of the web server process. The attack does not require physical access and can be conducted remotely, posing a significant risk to the confidentiality and integrity of the system. | 2025-08-05 | not yet calculated | CVE-2025-50688 |
| Ubiquiti Inc--EdgeMAX EdgeSwitch | An Improper Input Validation in EdgeMAX EdgeSwitch (Version 1.10.4 and earlier) could allow a Command Injection by a malicious actor with access to EdgeSwitch adjacent network. | 2025-08-04 | not yet calculated | CVE-2025-27211 |
| Ubiquiti Inc--UniFi Access Reader Pro | An Improper Input Validation in certain UniFi Access devices could allow a Command Injection by a malicious actor with access to UniFi Access management network. Affected Products: UniFi Access Reader Pro (Version 2.14.21 and earlier) UniFi Access G2 Reader Pro (Version 1.10.32 and earlier) UniFi Access G3 Reader Pro (Version 1.10.30 and earlier) UniFi Access Intercom (Version 1.7.28 and earlier) UniFi Access G3 Intercom (Version 1.7.29 and earlier) UniFi Access Intercom Viewer (Version 1.3.20 and earlier) Mitigation: Update UniFi Access Reader Pro Version 2.15.9 or later Update UniFi Access G2 Reader Pro Version 1.11.23 or later Update UniFi Access G3 Reader Pro Version 1.11.22 or later Update UniFi Access Intercom Version 1.8.22 or later Update UniFi Access G3 Intercom Version 1.8.22 or later Update UniFi Access Intercom Viewer Version 1.4.39 or later | 2025-08-04 | not yet calculated | CVE-2025-27212 |
| uclouvain--openjpeg | OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG 2.5.3 and earlier, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized. | 2025-08-05 | not yet calculated | CVE-2025-54874 |
| ulab-uiuc--tiny-scientist | Tiny-Scientist is a lightweight framework for automating the entire lifecycle of scientific research-from ideation to implementation, writing, and review. In versions 0.1.1 and below, a critical path traversal vulnerability has been identified in the review_paper function in backend/app.py. The vulnerability allows malicious users to access arbitrary PDF files on the server by providing crafted file paths that bypass the intended security restrictions. This vulnerability allows attackers to: read any PDF file accessible to the server process, potentially access sensitive documents outside the intended directory and perform reconnaissance on the server's file system structure. This issue does not currently have a fix. | 2025-08-09 | not yet calculated | CVE-2025-55149 |
| unjs--ipx | IPX is an image optimizer powered by sharp and svgo. In versions 1.3.1 and below, 2.0.0-0 through 2.1.0, and 3.0.0 through 3.1.0, the approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directories do not end with a path separator. This occurs because the check relies on a raw string prefix comparison. This is fixed in versions 1.3.2, 2.1.1 and 3.1.1. | 2025-08-05 | not yet calculated | CVE-2025-54387 |
| Unknown--OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) | The OpenStreetMap for Gutenberg and WPBakery Page Builder (formerly Visual Composer) WordPress plugin through 1.2.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2025-08-08 | not yet calculated | CVE-2025-6572 |
| Vessel9817--onion-site-template | onion-site-template is a complete, scalable tor hidden service self-hosting sample. Versions which include commit 3196bd89 contain a baked-in tor image if the secrets were copied from an existing onion domain. A website could be compromised if a user shared the baked-in image, or if someone were able to acquire access to the user's device outside of a containerized environment. This is fixed by commit bc9ba0fd. | 2025-08-05 | not yet calculated | CVE-2025-54872 |
| WAN Emulator--WAN Emulator | WAN Emulator v2.3 contains two unauthenticated command execution vulnerabilities. The result.php script calls shell_exec() with unsanitized input from the pc POST parameter, allowing remote attackers to execute arbitrary commands as the www-data user. The system also includes a SUID-root binary named dosu, which is vulnerable to command injection via its first argument. An attacker can exploit both flaws in sequence to achieve full remote code execution and escalate privileges to root. | 2025-08-08 | not yet calculated | CVE-2012-10041 |
| win.rar GmbH--WinRAR | A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter KoÅ¡inár, and Peter StrýÄek from ESET. | 2025-08-08 | not yet calculated | CVE-2025-8088 |
| withastro--astro | Astro is a web framework for content-driven websites. In versions 5.2.0 through 5.12.7, there is an Open Redirect vulnerability in the trailing slash redirection logic when handling paths with double slashes. This allows an attacker to redirect users to arbitrary external domains by crafting URLs such as https://mydomain.com//malicious-site.com/. This increases the risk of phishing and other social engineering attacks. This affects sites that use on-demand rendering (SSR) with the Node or Cloudflare adapters. It does not affect static sites, or sites deployed to Netlify or Vercel. This issue is fixed in version 5.12.8. To work around this issue at the network level, block outgoing redirect responses with a Location header value that starts with `//`. | 2025-08-08 | not yet calculated | CVE-2025-54793 |
| wolfSSL Inc.--wolfTPM | Exporting a TPM based RSA key larger than 2048 bits from the TPM could overrun a stack buffer if the default `MAX_RSA_KEY_BITS=2048` is used. If your TPM 2.0 module supports RSA key sizes larger than 2048 bit and your applications supports creating or importing an RSA private or public key larger than 2048 bits and your application calls `wolfTPM2_RsaKey_TpmToWolf` on that key, then a stack buffer could be overrun. If the `MAX_RSA_KEY_BITS` build-time macro is set correctly (RSA bits match what TPM hardware is capable of) for the hardware target, then a stack overrun is not possible. | 2025-08-04 | not yet calculated | CVE-2025-7844 |
| WP-Property--WordPress Plugin | WP-Property plugin for WordPress through version 1.35.0 contains an unauthenticated file upload vulnerability in the third-party `uploadify.php` script. A remote attacker can upload arbitrary PHP files to a temporary directory without authentication, leading to remote code execution. | 2025-08-05 | not yet calculated | CVE-2012-10027 |
| WPEngine, Inc.--Advanced Custom Fields | An HTML injection vulnerability exists in WordPress plugin "Advanced Custom Fields" prior to 6.4.3. If this vulnerability is exploited, crafted HTML code may be rendered and page display may be tampered. | 2025-08-08 | not yet calculated | CVE-2025-54940 |
| WPO Foundation--WebPageTest | WebPageTest version 2.6 and earlier contains an arbitrary file upload vulnerability in the resultimage.php script. The application fails to validate or sanitize user-supplied input before saving uploaded files to a publicly accessible directory. This flaw allows remote attackers to upload and execute arbitrary PHP code, resulting in full remote code execution under the web server context. | 2025-08-08 | not yet calculated | CVE-2012-10049 |
| XBMC--Media Center | XBMC version 11, including builds up to the 2012-11-04 nightly release, contains a path traversal vulnerability in its embedded HTTP server. When accessed via HTTP Basic Authentication, the server fails to properly sanitize URI input, allowing authenticated users to request files outside the intended document root. An attacker can exploit this flaw to read arbitrary files from the host filesystem, including sensitive configuration or credential files. | 2025-08-05 | not yet calculated | CVE-2012-10024 |
| XODA--XODA | XODA version 0.4.5 contains an unauthenticated file upload vulnerability that allows remote attackers to execute arbitrary PHP code on the server. The flaw resides in the upload functionality, which fails to properly validate or restrict uploaded file types. By crafting a multipart/form-data POST request, an attacker can upload a .php file directly into the web-accessible files/ directory and trigger its execution via a subsequent GET request. | 2025-08-08 | not yet calculated | CVE-2012-10045 |
| xwiki--xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 4.2-milestone-3 through 16.4.7, 16.5.0-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, two templates contain reflected XSS vulnerabilities, allowing an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. This permits the attacker to perform arbitrary actions using the permissions of the victim. This issue is fixed in versions 16.4.8, 16.10.6 and 17.3.0-rc-1. To workaround the issue, manually patch the WAR with the same changes as the original patch. | 2025-08-05 | not yet calculated | CVE-2025-32430 |
| xwiki--xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 9.8-rc-1 through 16.4.6, 16.5.0-rc-1 through 16.10.4, and 17.0.0-rc-1 through 17.1.0, any user with editing rights can create an XClass with a database list property that references a password property. When adding an object of that XClass, the content of that password property is displayed. In practice, with a standard rights setup, this means that any user with an account on the wiki can access password hashes of all users, and possibly other password properties (with hashed or plain storage) that are on pages that the user can view. This issue is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. | 2025-08-05 | not yet calculated | CVE-2025-54124 |
| xwiki--xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform Legacy Old Core and XWiki Platform Old Core versions 1.1 through 16.4.6, 16.5.0-rc-1 through 16.10.4 and 17.0.0-rc-1 through 17.1.0, the XML export of a page in XWiki that can be triggered by any user with view rights on a page by appending ?xpage=xml to the URL includes password and email properties stored on a document that aren't named password or email. This is fixed in versions 16.4.7, 16.10.5 and 17.2.0-rc-1. To work around this issue, the file templates/xml.vm in the deployed WAR can be deleted if the XML isn't needed. There isn't any feature in XWiki itself that depends on the XML export. | 2025-08-05 | not yet calculated | CVE-2025-54125 |
| Zenoss, Inc.--Zenoss Core | Zenoss Core 3.x contains a command injection vulnerability in the showDaemonXMLConfig endpoint. The daemon parameter is passed directly to a Popen() call in ZenossInfo.py without proper sanitation, allowing authenticated users to execute arbitrary commands on the server as the zenoss user. | 2025-08-08 | not yet calculated | CVE-2012-10048 |
| Zone--Zone Bitaqati | Cross-site scripting (XSS) vulnerability in Zone Bitaqati thru 3.4.0. | 2025-08-06 | not yet calculated | CVE-2025-51624 |
| ZPanel Project--ZPanel | ZPanel includes a helper binary named zsudo, intended to allow restricted privilege escalation for administrative tasks. However, when misconfigured in /etc/sudoers, zsudo can be invoked by low-privileged users to execute arbitrary commands as root. This flaw enables local attackers with shell access to escalate privileges by writing a payload to a writable directory and executing it via zsudo. The vulnerability is particularly impactful in post-exploitation scenarios following web server compromise, where the attacker inherits access to zsudo. | 2025-08-04 | not yet calculated | CVE-2013-10052 |
Vulnerability Summary for the Week of July 28, 2025
Posted on Monday August 04, 2025
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 0x676e67--vproxy | vproxy is an HTTP/HTTPS/SOCKS5 proxy server. In versions 2.3.3 and below, untrusted data is extracted from the user-controlled HTTP Proxy-Authorization header and passed to Extension::try_from and flows into parse_ttl_extension where it is parsed as a TTL value. If an attacker supplies a TTL of zero (e.g. by using a username such as 'configuredUser-ttl-0'), the modulo operation 'timestamp % ttl' will cause a division by zero panic, causing the server to crash causing a denial-of-service. This is fixed in version 2.4.0. | 2025-07-30 | 7.5 | CVE-2025-54581 |
| 1Panel-dev--1Panel | 1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. In versions 2.0.5 and below, the HTTPS protocol used for communication between the Core and Agent endpoints has incomplete certificate verification during certificate validation, leading to unauthorized interface access. Due to the presence of numerous command execution or high-privilege interfaces in 1Panel, this results in Remote Code Execution (RCE). This is fixed in version 2.0.6. The CVE has been translated from Simplified Chinese using GitHub Copilot. | 2025-08-01 | 8.1 | CVE-2025-54424 |
| 9001--copyparty | Copyparty is a portable file server. Versions prior to 1.18.9, the filter parameter for the "Recent Uploads" page allows arbitrary RegExes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server. This is fixed in version 1.18.9. | 2025-08-01 | 7.5 | CVE-2025-54796 |
| Alfasado Inc.--PowerCMS | A path traversal issue exists in backup and restore feature of multiple versions of PowerCMS. A product administrator may execute arbitrary code by restoring a crafted backup file. | 2025-07-31 | 7.2 | CVE-2025-46359 |
| alienator88--Pearcleaner | Pearcleaner is a free, source-available and fair-code licensed mac app cleaner. The PearcleanerHelper is a privileged helper tool bundled with the Pearcleaner application. It is registered and activated only after the user approves a system prompt to allow privileged operations. Upon approval, the helper is configured as a LaunchDaemon and runs with root privileges. In versions 4.4.0 through 4.5.1, the helper registers an XPC service (com.alienator88.Pearcleaner.PearcleanerHelper) and accepts unauthenticated connections from any local process. It exposes a method that executes arbitrary shell commands. This allows any local unprivileged user to escalate privileges to root once the helper is approved and active. This issue is fixed in version 4.5.2. | 2025-08-01 | 7.3 | CVE-2025-54595 |
| aonetheme--Service Finder Bookings | The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. This is due to the plugin not properly validating a user's cookie value prior to logging them in through the service_finder_switch_back() function. This makes it possible for unauthenticated attackers to login as any user including admins. | 2025-08-01 | 9.8 | CVE-2025-5947 |
| aonetheme--Service Finder SMS System | The Service Finder SMS System plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.0.0. This is due to the plugin not restricting user role selection at the time of registration through the aonesms_fn_savedata_after_signup() function. This makes it possible for unauthenticated attackers to register as an administrator user. | 2025-08-01 | 9.8 | CVE-2025-5954 |
| Autodesk--Shared Components | A maliciously crafted X_T file, when parsed through certain Autodesk products, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-07-29 | 7.8 | CVE-2025-5038 |
| Autodesk--Shared Components | A maliciously crafted 3DM file, when linked or imported into certain Autodesk products, can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-07-29 | 7.8 | CVE-2025-5043 |
| Autodesk--Shared Components | A maliciously crafted PRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2025-07-29 | 7.8 | CVE-2025-6631 |
| Autodesk--Shared Components | A maliciously crafted PRT file, when linked or imported into certain Autodesk products, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-07-29 | 7.8 | CVE-2025-6635 |
| Autodesk--Shared Components | A maliciously crafted PRT file, when parsed through certain Autodesk products, can force a Use-After-Free vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-07-29 | 7.8 | CVE-2025-6636 |
| Autodesk--Shared Components | A maliciously crafted PRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2025-07-29 | 7.8 | CVE-2025-6637 |
| Autodesk--Shared Components | A maliciously crafted PRT file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2025-07-29 | 7.8 | CVE-2025-7497 |
| Autodesk--Shared Components | A maliciously crafted 3DM file, when parsed through certain Autodesk products, can force an Out-of-Bounds Write vulnerability. A malicious actor may leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. | 2025-07-29 | 7.8 | CVE-2025-7675 |
| Beamsec--PhishPro | Incorrect Use of Privileged APIs vulnerability in Beamsec PhishPro allows Privilege Abuse.This issue affects PhishPro: before 7.5.4.2. | 2025-07-28 | 8.8 | CVE-2025-5997 |
| bentoml--BentoML | BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.0 until 1.4.19, the file upload processing system contains an SSRF vulnerability that allows unauthenticated remote attackers to force the server to make arbitrary HTTP requests. The vulnerability stems from the multipart form data and JSON request handlers, which automatically download files from user-provided URLs without validating whether those URLs point to internal network addresses, cloud metadata endpoints, or other restricted resources. The documentation explicitly promotes this URL-based file upload feature, making it an intended design that exposes all deployed services to SSRF attacks by default. Version 1.4.19 contains a patch for the issue. | 2025-07-29 | 9.9 | CVE-2025-54381 |
| berqwp--BerqWP Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript | The BerqWP - Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and JavaScript plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the store_javascript_cache.php file in all versions up to, and including, 2.2.42. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-08-01 | 8.1 | CVE-2025-7443 |
| Brave--Brave Conversion Engine (PRO) | The Brave Conversion Engine (PRO) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 0.7.7. This is due to the plugin not properly restricting a claimed identity while authenticating with Facebook. This makes it possible for unauthenticated attackers to log in as other users, including administrators. | 2025-08-02 | 9.8 | CVE-2025-7710 |
| Bricks Builder--Bricks | The Bricks theme for WordPress is vulnerable to blind SQL Injection via the 'p' parameter in all versions up to, and including, 1.12.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-07-29 | 7.5 | CVE-2025-6495 |
| Campcodes--Online Hotel Reservation System | A vulnerability was found in Campcodes Online Hotel Reservation System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/index.php of the component Login. The manipulation of the argument username/password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 7.3 | CVE-2025-8378 |
| Campcodes--Online Recruitment Management System | A vulnerability classified as critical was found in Campcodes Online Recruitment Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/ajax.php?action=save_recruitment_status. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 7.3 | CVE-2025-8274 |
| Campcodes--Online Recruitment Management System | A vulnerability was found in Campcodes Online Recruitment Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/ajax.php?action=delete_recruitment_status. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-30 | 7.3 | CVE-2025-8334 |
| Campcodes--Online Recruitment Management System | A vulnerability classified as critical was found in Campcodes Online Recruitment Management System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=save_user. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-30 | 7.3 | CVE-2025-8336 |
| ceph--ceph | Ceph is a distributed object, block, and file storage platform. In versions 19.2.3 and below, it is possible to send an JWT that has "none" as JWT alg. And by doing so the JWT signature is not checked. The vulnerability is most likely in the RadosGW OIDC provider. As of time of publication, a known patched version has yet to be published. | 2025-07-30 | 8.1 | CVE-2024-48916 |
| code-projects--Exam Form Submission | A vulnerability, which was classified as critical, has been found in code-projects Exam Form Submission 1.0. This issue affects some unknown processing of the file /admin/update_s3.php. The manipulation of the argument credits leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 7.3 | CVE-2025-8249 |
| code-projects--Exam Form Submission | A vulnerability, which was classified as critical, was found in code-projects Exam Form Submission 1.0. Affected is an unknown function of the file /admin/update_s4.php. The manipulation of the argument credits leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 7.3 | CVE-2025-8250 |
| code-projects--Exam Form Submission | A vulnerability has been found in code-projects Exam Form Submission 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/delete_s4.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 7.3 | CVE-2025-8251 |
| code-projects--Exam Form Submission | A vulnerability was found in code-projects Exam Form Submission 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete_s5.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 7.3 | CVE-2025-8252 |
| code-projects--Exam Form Submission | A vulnerability was found in code-projects Exam Form Submission 1.0. It has been classified as critical. This affects an unknown part of the file /admin/delete_s6.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 7.3 | CVE-2025-8253 |
| code-projects--Exam Form Submission | A vulnerability was found in code-projects Exam Form Submission 1.0. It has been rated as critical. This issue affects some unknown processing of the file /register.php. The manipulation of the argument image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 7.3 | CVE-2025-8255 |
| code-projects--Exam Form Submission | A vulnerability was found in code-projects Exam Form Submission 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete_s1.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 7.3 | CVE-2025-8269 |
| code-projects--Exam Form Submission | A vulnerability was found in code-projects Exam Form Submission 1.0. It has been classified as critical. This affects an unknown part of the file /admin/delete_s2.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 7.3 | CVE-2025-8270 |
| code-projects--Exam Form Submission | A vulnerability was found in code-projects Exam Form Submission 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/delete_s3.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 7.3 | CVE-2025-8271 |
| code-projects--Exam Form Submission | A vulnerability was found in code-projects Exam Form Submission 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/update_fst.php. The manipulation of the argument credits leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 7.3 | CVE-2025-8272 |
| code-projects--Exam Form Submission | A vulnerability classified as critical has been found in code-projects Exam Form Submission 1.0. Affected is an unknown function of the file /admin/update_s8.php. The manipulation of the argument credits leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 7.3 | CVE-2025-8273 |
| code-projects--Exam Form Submission | A vulnerability classified as critical has been found in code-projects Exam Form Submission 1.0. Affected is an unknown function of the file /admin/delete_s7.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-30 | 7.3 | CVE-2025-8326 |
| code-projects--Exam Form Submission | A vulnerability classified as critical was found in code-projects Exam Form Submission 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/delete_s8.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-30 | 7.3 | CVE-2025-8327 |
| code-projects--Exam Form Submission | A vulnerability, which was classified as critical, has been found in code-projects Exam Form Submission 1.0. Affected by this issue is some unknown functionality of the file /register.php. The manipulation of the argument USN leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-30 | 7.3 | CVE-2025-8328 |
| code-projects--Exam Form Submission | A vulnerability has been found in code-projects Exam Form Submission 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/update_s5.php. The manipulation of the argument credits leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 7.3 | CVE-2025-8371 |
| code-projects--Exam Form Submission | A vulnerability was found in code-projects Exam Form Submission 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/update_s7.php. The manipulation of the argument credits leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 7.3 | CVE-2025-8372 |
| code-projects--Intern Membership Management System | A vulnerability was found in code-projects Intern Membership Management System 1.0. It has been classified as critical. This affects an unknown part of the file /student_login.php. The manipulation of the argument user_name/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 7.3 | CVE-2025-8339 |
| code-projects--Intern Membership Management System | A vulnerability classified as critical was found in code-projects Intern Membership Management System 1.0. This vulnerability affects unknown code of the file /admin/edit_student_query.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-02 | 7.3 | CVE-2025-8493 |
| code-projects--Intern Membership Management System | A vulnerability, which was classified as critical, has been found in code-projects Intern Membership Management System 1.0. This issue affects some unknown processing of the file /admin/delete_student.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-02 | 7.3 | CVE-2025-8494 |
| code-projects--Intern Membership Management System | A vulnerability, which was classified as critical, was found in code-projects Intern Membership Management System 1.0. Affected is an unknown function of the file /admin/edit_admin_query.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-03 | 7.3 | CVE-2025-8495 |
| code-projects--Kitchen Treasure | A vulnerability classified as critical has been found in code-projects Kitchen Treasure 1.0. This affects an unknown part of the file /userregistration.php. The manipulation of the argument email leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-01 | 7.3 | CVE-2025-8437 |
| code-projects--Online Farm System | A vulnerability was found in code-projects Online Farm System 1.0 and classified as critical. This issue affects some unknown processing of the file /forgot_pass.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-30 | 7.3 | CVE-2025-8331 |
| code-projects--Online Farm System | A vulnerability was found in code-projects Online Farm System 1.0. It has been classified as critical. Affected is an unknown function of the file /register.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-30 | 7.3 | CVE-2025-8332 |
| code-projects--Online Farm System | A vulnerability was found in code-projects Online Farm System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /categoryvalue.php. The manipulation of the argument Value leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-30 | 7.3 | CVE-2025-8333 |
| code-projects--Online Farm System | A vulnerability was found in code-projects Online Farm System 1.0. It has been classified as critical. Affected is an unknown function of the file /forgot_passfarmer.php. The manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-02 | 7.3 | CVE-2025-8466 |
| code-projects--Online Medicine Guide | A vulnerability, which was classified as critical, was found in code-projects Online Medicine Guide 1.0. Affected is an unknown function of the file /pharsignup.php. The manipulation of the argument phuname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-01 | 7.3 | CVE-2025-8441 |
| code-projects--Online Medicine Guide | A vulnerability has been found in code-projects Online Medicine Guide 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /cussignup.php. The manipulation of the argument uname leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-01 | 7.3 | CVE-2025-8442 |
| code-projects--Online Medicine Guide | A vulnerability was found in code-projects Online Medicine Guide 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument uname leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-01 | 7.3 | CVE-2025-8443 |
| code-projects--Online Medicine Guide | A vulnerability was found in code-projects Online Medicine Guide 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /cusfindphar2.php. The manipulation of the argument Search leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-03 | 7.3 | CVE-2025-8497 |
| code-projects--Online Medicine Guide | A vulnerability was found in code-projects Online Medicine Guide 1.0. It has been classified as critical. This affects an unknown part of the file /cart/index.php. The manipulation of the argument uname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-03 | 7.3 | CVE-2025-8498 |
| code-projects--Online Medicine Guide | A vulnerability was found in code-projects Online Medicine Guide 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /cusfindambulence2.php. The manipulation of the argument Search leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-03 | 7.3 | CVE-2025-8499 |
| code-projects--Online Medicine Guide | A vulnerability classified as critical was found in code-projects Online Medicine Guide 1.0. Affected by this vulnerability is an unknown functionality of the file /changepass.php. The manipulation of the argument ups leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-03 | 7.3 | CVE-2025-8502 |
| code-projects--Online Medicine Guide | A vulnerability, which was classified as critical, has been found in code-projects Online Medicine Guide 1.0. Affected by this issue is some unknown functionality of the file /adaddmed.php. The manipulation of the argument mname leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-03 | 7.3 | CVE-2025-8503 |
| code-projects--Online Movie Streaming | A vulnerability was found in code-projects Online Movie Streaming 1.0. It has been classified as critical. Affected is an unknown function of the file /admin.php. The manipulation of the argument ID leads to missing authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-01 | 7.3 | CVE-2025-8434 |
| code-projects--Online Movie Streaming | A vulnerability was found in code-projects Online Movie Streaming 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin-control.php. The manipulation of the argument ID leads to missing authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-01 | 7.3 | CVE-2025-8435 |
| code-projects--Online Ordering System | A vulnerability classified as critical was found in code-projects Online Ordering System 1.0. This vulnerability affects unknown code of the file /signup.php. The manipulation of the argument firstname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-28 | 7.3 | CVE-2025-8248 |
| code-projects--Vehicle Management | A vulnerability, which was classified as critical, was found in code-projects Vehicle Management 1.0. This affects an unknown part of the file /filter3.php. The manipulation of the argument company leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-30 | 7.3 | CVE-2025-8329 |
| code-projects--Vehicle Management | A vulnerability has been found in code-projects Vehicle Management 1.0 and classified as critical. This vulnerability affects unknown code of the file /edit1.php. The manipulation of the argument sno leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-30 | 7.3 | CVE-2025-8330 |
| code-projects--Vehicle Management | A vulnerability was found in code-projects Vehicle Management 1.0. It has been classified as critical. This affects an unknown part of the file /print.php. The manipulation of the argument sno leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 7.3 | CVE-2025-8373 |
| code-projects--Vehicle Management | A vulnerability was found in code-projects Vehicle Management 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /addcompany.php. The manipulation of the argument company leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 7.3 | CVE-2025-8374 |
| code-projects--Vehicle Management | A vulnerability was found in code-projects Vehicle Management 1.0. It has been rated as critical. This issue affects some unknown processing of the file /addvehicle.php. The manipulation of the argument vehicle leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 7.3 | CVE-2025-8375 |
| code-projects--Vehicle Management | A vulnerability classified as critical has been found in code-projects Vehicle Management 1.0. Affected is an unknown function of the file /updatebal.php. The manipulation of the argument company leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 7.3 | CVE-2025-8376 |
| code-projects--Vehicle Management | A vulnerability, which was classified as critical, has been found in code-projects Vehicle Management 1.0. This issue affects some unknown processing of the file /filter2.php. The manipulation of the argument from leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 7.3 | CVE-2025-8407 |
| code-projects--Vehicle Management | A vulnerability, which was classified as critical, was found in code-projects Vehicle Management 1.0. Affected is an unknown function of the file /filter1.php. The manipulation of the argument vehicle leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 7.3 | CVE-2025-8408 |
| code-projects--Vehicle Management | A vulnerability has been found in code-projects Vehicle Management 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /filter.php. The manipulation of the argument from leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 7.3 | CVE-2025-8409 |
| code-projects--Wazifa System | A vulnerability classified as critical was found in code-projects Wazifa System 1.0. This vulnerability affects unknown code of the file /controllers/postpublish.php. The manipulation of the argument post leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-01 | 7.3 | CVE-2025-8438 |
| code-projects--Wazifa System | A vulnerability, which was classified as critical, has been found in code-projects Wazifa System 1.0. This issue affects some unknown processing of the file /controllers/updatesettings.php. The manipulation of the argument Password leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-01 | 7.3 | CVE-2025-8439 |
| code-projects--Wazifa System | A vulnerability was found in code-projects Wazifa System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /controllers/regcontrol.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-02 | 7.3 | CVE-2025-8467 |
| code-projects--Wazifa System | A vulnerability was found in code-projects Wazifa System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /controllers/reset.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-02 | 7.3 | CVE-2025-8468 |
| codeigniter4--CodeIgniter4 | CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions prior to 4.6.2 affects applications that use the ImageMagick handler for image processing (`imagick` as the image library) and either allow file uploads with user-controlled filenames and process uploaded images using the `resize()` method or use the `text()` method with user-controlled text content or options. An attacker can upload a file with a malicious filename containing shell metacharacters that get executed when the image is processed or provide malicious text content or options that get executed when adding text to images Users should upgrade to v4.6.2 or later to receive a patch. As a workaround, switch to the GD image handler (`gd`, the default handler), which is not affected by either vulnerability. For file upload scenarios, instead of using user-provided filenames, generate random names to eliminate the attack vector with `getRandomName()` when using the `move()` method, or use the `store()` method, which automatically generates safe filenames. For text operations, if one must use ImageMagick with user-controlled text, sanitize the input to only allow safe characters and validate/restrict text options. | 2025-07-28 | 9.8 | CVE-2025-54418 |
| contest-gallery--Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI | The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery - Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment feature in all versions up to, and including, 26.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-01 | 7.2 | CVE-2025-7725 |
| cursor--cursor | Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or allows an attacker has arbitrary file-write locally, the attacker can achieve arbitrary code execution. This is fixed in version 1.3. | 2025-08-01 | 7.2 | CVE-2025-54136 |
| DECE Software--Geodi | Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in DECE Software Geodi allows HTTP Request Splitting.This issue affects Geodi: before GEODI Setup 9.0.146. | 2025-07-29 | 7.2 | CVE-2025-6175 |
| dedupeio--dedupe | dedupe is a python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where a issue_comment can be triggered using the @benchmark body. This workflow is susceptible to exploitation as it checkout the ${{ github.event.issue.number }}, which correspond to the branch of the PR manipulated by potentially malicious actors, and where untrusted code may be executed. Running untrusted code may lead to the exfiltration of GITHUB_TOKEN, which in this workflow has write permissions on most of the scopes - in particular the contents one - and could lead to potential repository takeover. This is fixed by commit 3f61e79. | 2025-07-30 | 9.1 | CVE-2025-54430 |
| Dell--Encryption | Dell Encryption and Dell Security Management Server, versions prior to 11.11.0, contain an Improper Link Resolution Before File Access ('Link Following') Vulnerability. A local malicious user could potentially exploit this vulnerability, leading to privilege escalation. | 2025-07-30 | 7.3 | CVE-2025-36611 |
| Dell--TechAdvisor | TechAdvisor versions 2.6 through 3.37-30 for Dell XtremIO X2, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | 2025-07-30 | 8.8 | CVE-2025-26332 |
| Dell--XtremIO | Dell XtremIO, version(s) 6.4.0-22, contain(s) an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. | 2025-07-30 | 8.8 | CVE-2025-30105 |
| Elastic--APM Server | An uncontrolled search path element vulnerability can lead to local privilege Escalation (LPE) via Insecure Directory Permissions. The vulnerability arises from improper handling of directory permissions. An attacker with local access may exploit this flaw to move and delete arbitrary files, potentially gaining SYSTEM privileges. | 2025-07-30 | 7 | CVE-2025-0712 |
| Elastic--Beats | An uncontrolled search path element vulnerability can lead to local privilege Escalation (LPE) via Insecure Directory Permissions. The vulnerability arises from improper handling of directory permissions. An attacker with local access may exploit this flaw to move and delete arbitrary files, potentially gaining SYSTEM privileges. | 2025-07-30 | 7 | CVE-2025-25011 |
| ES--iperf3 | In iperf before 3.19.1, net.c has a buffer overflow when --skip-rx-copy is used (for MSG_TRUNC in recv). | 2025-08-03 | 8.9 | CVE-2025-54351 |
| finos--git-proxy | GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren't pointed to by any branch. Although these "hidden" commits never show up in the repository's visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate sensitive data without ever leaving a trace in the branch view. We rate this a High‑impact vulnerability because it completely compromises repository confidentiality. This is fixed in version 1.19.2. | 2025-07-30 | 7.1 | CVE-2025-54586 |
| FreshRSS--FreshRSS | FreshRSS is a free, self-hostable RSS aggregator. In versions 1.26.1 and below, an authenticated administrator user can execute arbitrary code on the FreshRSS server by modifying the update URL to one they control, and gain code execution after running an update. After successfully executing code, user data including hashed passwords can be exfiltrated, the instance can be defaced when file permissions allow. Malicious code can be inserted into the instance to steal plaintext passwords, among others. This is fixed in version 1.26.2. | 2025-08-01 | 7.2 | CVE-2025-54593 |
| Genetec Inc.--Genetec Security Center | SQL Injection affecting the Archiver role. | 2025-07-29 | 7.2 | CVE-2025-2928 |
| GitLab--GitLab Language Server | Insufficient input validation within GitLab Language Server 7.6.0 and later before 7.30.0 allows arbitrary GraphQL query execution | 2025-07-28 | 8.7 | CVE-2025-8279 |
| Gralp Systems--Gralp FMUS Series Seismic Monitoring Devices | Güralp FMUS series seismic monitoring devices expose an unauthenticated Telnet-based command line interface that could allow an attacker to modify hardware configurations, manipulate data, or factory reset the device. | 2025-07-31 | 9.8 | CVE-2025-8286 |
| HashiCorp--Vault | A privileged Vault operator within the root namespace with write permission to {{sys/audit}} may obtain code execution on the underlying host if a plugin directory is set in Vault's configuration. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | 2025-08-01 | 9.1 | CVE-2025-6000 |
| HashiCorp--Vault | A privileged Vault operator with write permissions to the root namespace's identity endpoint could escalate their own or another user's token privileges to Vault's root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22. | 2025-08-01 | 7.2 | CVE-2025-5999 |
| HCL Software--BigFix Remote Control | Improper access restrictions in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0248 and lower) allow non-admin users to view unauthorized information on certain web pages. | 2025-07-29 | 8.2 | CVE-2025-31965 |
| IBM--Db2 | IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 is vulnerable to a stack-based buffer overflow in db2fm, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system. | 2025-07-29 | 7.8 | CVE-2025-33092 |
| IBM--Informix Dynamic Server | IBM Informix Dynamic Server 12.10 and 14.10 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. | 2025-07-28 | 7.5 | CVE-2024-49342 |
| IBM--Operational Decision Manager | IBM Operational Decision Manager 8.11.0.1, 8.11.1.0, 8.12.0.1, 9.0.0.1, and 9.5.0 could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. | 2025-08-01 | 7.4 | CVE-2025-2824 |
| Insyde Software--InsydeH2O | The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home | 2025-07-30 | 8.2 | CVE-2025-4421 |
| Insyde Software--InsydeH2O | The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home | 2025-07-30 | 8.2 | CVE-2025-4422 |
| Insyde Software--InsydeH2O | The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home | 2025-07-30 | 8.2 | CVE-2025-4423 |
| Insyde Software--InsydeH2O | The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home | 2025-07-30 | 8.2 | CVE-2025-4425 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07 privilege escalation was possible due to incorrect directory permissions | 2025-07-28 | 7.5 | CVE-2025-54530 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07 path traversal was possible via plugin unpacking on Windows | 2025-07-28 | 7.7 | CVE-2025-54531 |
| Kehua--Charging Pile Cloud Platform | A vulnerability has been found in Kehua Charging Pile Cloud Platform 1.0 and classified as critical. This vulnerability affects unknown code of the file /home. The manipulation leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-31 | 7.3 | CVE-2025-8348 |
| Linux--kernel | A flaw was found in the Linux kernel's ksmbd component. A race condition between smb2 close operation and logoff in multichannel connections could result in a use-after-free issue. | 2025-08-01 | 7.5 | CVE-2023-32256 |
| MB connect line--mbNET HW1 | A high privileged remote attacker can execute arbitrary OS commands using an undocumented method allowing to escape the implemented LUA sandbox. | 2025-07-31 | 7.2 | CVE-2025-41688 |
| MedDream--MedDream PACS Premium | An incorrect default permissions vulnerability exists in the CServerSettings::SetRegistryValues functionality of MedDream PACS Premium 7.3.3.840. A specially crafted application can decrypt credentials stored in a configuration-related registry key. An attacker can execute a malicious script or application to exploit this vulnerability. | 2025-07-28 | 9.3 | CVE-2025-26469 |
| MedDream--MedDream PACS Premium | A privilege escalation vulnerability exists in the login.php functionality of meddream MedDream PACS Premium 7.3.3.840. A specially crafted .php file can lead to elevated capabilities. An attacker can upload a malicious file to trigger this vulnerability. | 2025-07-28 | 9.3 | CVE-2025-27724 |
| musombi123--RevelaCode-Backend | RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In versions below 1.0.1, a valid MongoDB Atlas URI with embedded username and password was accidentally committed to the public repository. This could allow unauthorized access to production or staging databases, potentially leading to data exfiltration, modification, or deletion. This is fixed in version 1.0.1. Workarounds include: immediately rotating credentials for the exposed database user, using a secret manager (like Vault, Doppler, AWS Secrets Manager, etc.) instead of storing secrets directly in code, or auditing recent access logs for suspicious activity. | 2025-07-28 | 9.8 | CVE-2025-54428 |
| n/a--ssrfcheck | Versions of the package ssrfcheck before 1.2.0 are vulnerable to Server-Side Request Forgery (SSRF) due to an incomplete denylist of IP address ranges. Specifically, the package fails to classify the reserved IP address space 224.0.0.0/4 (Multicast) as invalid. This oversight allows attackers to craft requests targeting these multicast addresses. | 2025-07-28 | 8.2 | CVE-2025-8267 |
| n/a--Vaelsys | A vulnerability, which was classified as critical, was found in Vaelsys 4.1.0. This affects the function execute_DataObjectProc of the file /grid/vgrid_server.php. The manipulation of the argument xajaxargs leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-28 | 7.3 | CVE-2025-8259 |
| n/a--Vaelsys | A vulnerability was found in Vaelsys 4.1.0 and classified as critical. This issue affects some unknown processing of the file /grid/vgrid_server.php of the component User Creation Handler. The manipulation leads to improper authorization. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-28 | 7.3 | CVE-2025-8261 |
| n/a--z-push/z-push-dev | Versions of the package z-push/z-push-dev before 2.7.6 are vulnerable to SQL Injection due to unparameterized queries in the IMAP backend. An attacker can inject malicious commands by manipulating the username field in basic authentication. This allows the attacker to access and potentially modify or delete sensitive data from a linked third-party database. **Note:** This vulnerability affects Z-Push installations that utilize the IMAP backend and have the IMAP_FROM_SQL_QUERY option configured. Mitigation Change configuration to use the default or LDAP in backend/imap/config.php php define('IMAP_DEFAULTFROM', ''); or php define('IMAP_DEFAULTFROM', 'ldap'); | 2025-07-29 | 9 | CVE-2025-8264 |
| Ncvav--Virtual PBX Software | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ncvav Virtual PBX Software allows SQL Injection.This issue affects Virtual PBX Software: before 09.07.2025. | 2025-07-28 | 9.8 | CVE-2025-6918 |
| NI--LabVIEW | A code injection vulnerability due to an improper initialization check exists in NI LabVIEW that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI using a CIN node. This vulnerability affects 32-bit NI LabVIEW 2025 Q1 and prior versions. LabVIEW 64-bit versions do not support CIN nodes and are not affected. | 2025-07-29 | 7.8 | CVE-2025-7361 |
| NI--LabVIEW | A memory corruption vulnerability due to improper input validation in lvpict.cpp exists in NI LabVIEW that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q1 and prior versions. | 2025-07-29 | 7.8 | CVE-2025-7848 |
| NI--LabVIEW | A memory corruption vulnerability due to improper error handling when a VILinkObj is null exists in NI LabVIEW that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q1 and prior versions. | 2025-07-29 | 7.8 | CVE-2025-7849 |
| nintechnet--NinjaScanner Virus & Malware scan | The NinjaScanner - Virus & Malware scan plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'nscan_ajax_quarantine' and 'nscan_quarantine_select' functions in all versions up to, and including, 3.2.5. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, including files outside the WordPress root directory. | 2025-07-31 | 7.2 | CVE-2025-8213 |
| node-saml--node-saml | A SAML library not dependent on any frameworks that runs in Node. In version 5.0.1, Node-SAML loads the assertion from the (unsigned) original response document. This is different than the parts that are verified when checking signature. This allows an attacker to modify authentication details within a valid SAML assertion. For example, in one attack it is possible to remove any character from the SAML assertion username. To conduct the attack an attacker would need a validly signed document from the identity provider (IdP). This is fixed in version 5.1.0. | 2025-07-28 | 10 | CVE-2025-54419 |
| NVIDIA--GPU Display Drivers | NVIDIA Display Driver for Linux and Windows contains a vulnerability in the kernel mode driver, where an attacker could access memory outside bounds permitted under normal use cases. A successful exploit of this vulnerability might lead to denial of service, data tampering, or information disclosure. | 2025-08-02 | 7.3 | CVE-2025-23277 |
| NVIDIA--GPU Display Drivers | NVIDIA Display Driver for Windows and Linux contains a vulnerability where an attacker might cause an improper index validation by issuing a call with crafted parameters. A successful exploit of this vulnerability might lead to data tampering or denial of service. | 2025-08-02 | 7.1 | CVE-2025-23278 |
| NVIDIA--GPU Display Drivers | NVIDIA .run Installer for Linux and Solaris contains a vulnerability where an attacker could use a race condition to escalate privileges. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, denial of service, or data tampering. | 2025-08-02 | 7 | CVE-2025-23279 |
| NVIDIA--GPU Display Drivers | NVIDIA GPU Display Driver for Windows contains a vulnerability where an attacker with local unprivileged access that can win a race condition might be able to trigger a use-after-free error. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. | 2025-08-02 | 7 | CVE-2025-23281 |
| NVIDIA--GPU Display Drivers | NVIDIA vGPU software for Linux-style hypervisors contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause stack buffer overflow. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, or data tampering. | 2025-08-02 | 7.8 | CVE-2025-23283 |
| NVIDIA--GPU Display Drivers | NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause a stack buffer overflow. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, or data tampering. | 2025-08-02 | 7.8 | CVE-2025-23284 |
| NVIDIA--NVIDIA GPU Display Drivers | NVIDIA Installer for Windows contains a vulnerability where an attacker may be able to escalate privileges. A successful exploit of this vulnerability may lead to escalation of privileges, denial of service, code execution, information disclosure and data tampering. | 2025-08-02 | 7.8 | CVE-2025-23276 |
| oauth2-proxy--oauth2-proxy | OAuth2-Proxy is an open-source tool that can act as either a standalone reverse proxy or a middleware component integrated into existing reverse proxy or load balancer setups. In versions 7.10.0 and below, oauth2-proxy deployments are vulnerable when using the skip_auth_routes configuration option with regex patterns. Attackers can bypass authentication by crafting URLs with query parameters that satisfy configured regex patterns, allowing unauthorized access to protected resources. The issue stems from skip_auth_routes matching against the full request URI. Deployments using skip_auth_routes with regex patterns containing wildcards or broad matching patterns are most at risk. This issue is fixed in version 7.11.0. Workarounds include: auditing all skip_auth_routes configurations for overly permissive patterns, replacing wildcard patterns with exact path matches where possible, ensuring regex patterns are properly anchored (starting with ^ and ending with $), or implementing custom validation that strips query parameters before regex matching. | 2025-07-30 | 9.1 | CVE-2025-54576 |
| OpenNebula--OpenNebula | OpenNebula Community Edition (CE) before 7.0.0 and Enterprise Edition (EE) before 6.10.3 have a critical FireEdge race condition that can lead to full account takeover. By exploiting this, an unauthenticated attacker can obtain a valid JSON Web Token (JWT) belonging to a legitimate user without knowledge of their credentials. | 2025-08-02 | 8.1 | CVE-2025-54955 |
| Phoenix Contact--AXL F BK PN TPS | An unauthenticated remote attacker can cause a Denial of Service by sending a large number of requests to the http service on port 80. | 2025-07-31 | 7.5 | CVE-2025-2813 |
| PHPGurukul--Boat Booking System | A vulnerability has been found in PHPGurukul Boat Booking System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/add-boat.php. The manipulation of the argument boatname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-01 | 7.3 | CVE-2025-8431 |
| Progress Software--Hybrid Data Pipeline | In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header. Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range. This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access. | 2025-07-29 | 8.4 | CVE-2025-6504 |
| Progress Software--Hybrid Data Pipeline | Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access. When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters. | 2025-07-29 | 8.1 | CVE-2025-6505 |
| projectworlds--Online Admission System | A vulnerability was found in projectworlds Online Admission System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /adminac.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-30 | 7.3 | CVE-2025-8338 |
| projectworlds--Online Admission System | A vulnerability was found in projectworlds Online Admission System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /viewdoc.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-01 | 7.3 | CVE-2025-8436 |
| projectworlds--Online Admission System | A vulnerability, which was classified as critical, has been found in projectworlds Online Admission System 1.0. This issue affects some unknown processing of the file /adminlogin.php. The manipulation of the argument a_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-02 | 7.3 | CVE-2025-8471 |
| projectworlds--Online Admission System | A vulnerability has been found in projectworlds Online Admission System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /viewform.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-08-03 | 7.3 | CVE-2025-8496 |
| Python Software Foundation--CPython | There is a defect in the CPython "tarfile" module affecting the "TarFile" extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the "tarfile" module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1 | 2025-07-28 | 7.5 | CVE-2025-8194 |
| Samsung Electronics--Data Management Server | Deserialization of Untrusted Data in Samsung DMS(Data Management Server) allows attackers to execute arbitrary code via write file to system | 2025-07-29 | 8 | CVE-2025-53078 |
| Samsung Electronics--Data Management Server | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Samsung DMS(Data Management Server) allows authenticated attackers to create arbitrary files in unintended locations on the filesystem | 2025-07-29 | 7.1 | CVE-2025-53080 |
| seometricsplugin--SEO Metrics | The SEO Metrics plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks in both the seo_metrics_handle_connect_button_click() AJAX handler and the seo_metrics_handle_custom_endpoint() function in versions 1.0.5 through 1.0.15. Because the AJAX action only verifies a nonce, without checking the caller's capabilities, a subscriber-level user can retrieve the token and then access the custom endpoint to obtain full administrator cookies. | 2025-08-02 | 8.8 | CVE-2025-6754 |
| Significant-Gravitas--AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents. In v0.6.15 and below, the external API's get_graph_execution_results endpoint has an authorization bypass vulnerability. While it correctly validates user access to the graph_id, it fails to verify ownership of the graph_exec_id parameter, allowing authenticated users to access any execution results by providing arbitrary execution IDs. The internal API implements proper validation for both parameters. This is fixed in v0.6.16. | 2025-07-30 | 7.7 | CVE-2025-53944 |
| SourceCodester--Online Hotel Reservation System | A vulnerability classified as critical has been found in SourceCodester Online Hotel Reservation System 1.0. This affects an unknown part of the file /admin/deletegallery.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-02 | 7.3 | CVE-2025-8469 |
| SourceCodester--Online Hotel Reservation System | A vulnerability classified as critical was found in SourceCodester Online Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /admin/deleteroom.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-02 | 7.3 | CVE-2025-8470 |
| squid-cache--squid | Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions. | 2025-08-01 | 9.3 | CVE-2025-54574 |
| SUSE--Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1 | A Missing Authentication for Critical Function vulnerability in SUSE Manager allows anyone with access to the websocket at /rhn/websocket/minion/remote-commands to execute arbitrary commands as root. This issue affects Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 0.3.7-150600.3.6.2; Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.14-150600.4.17.1; Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.14-150600.4.17.1; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.33-150400.3.55.2; SUSE Manager Server Module 4.3: from ? before 0.3.7-150400.3.39.4; SUSE Manager Server Module 4.3: from ? before 4.3.33-150400.3.55.2; SUSE Manager Server Module 4.3: from ? before 4.3.33-150400.3.55.2. | 2025-07-30 | 9.8 | CVE-2025-46811 |
| themefic--Hydra Booking All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings | The Hydra Booking plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the tfhb_reset_password_callback() function in versions 1.1.0 to 1.1.18. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the password of an Administrator user, achieving full privilege escalation. | 2025-07-29 | 8.8 | CVE-2025-7689 |
| tigroumeow--AI Engine | The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function in versions 2.9.3 and 2.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server when the REST API is enabled, which may make remote code execution possible. | 2025-07-31 | 8.8 | CVE-2025-7847 |
| Ventem--e-School | The e-School from Ventem has a Missing Authorization vulnerability, allowing remote attackers with regular privilege to access administrator functions, including creating, modifying, and deleting accounts. They can even escalate any account to system administrator privilege. | 2025-07-30 | 8.8 | CVE-2025-8322 |
| Ventem--e-School | The e-School from Ventem has a Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2025-07-30 | 8.8 | CVE-2025-8323 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 299Ko--CMS | A vulnerability classified as critical has been found in 299Ko CMS 2.0.0. This affects an unknown part of the file /admin/filemanager/view of the component File Management. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-28 | 4.7 | CVE-2025-8265 |
| 495300897--wx-shop | A vulnerability has been found in 495300897 wx-shop up to de1b66331368695779cfc6e4d11a64caddf8716e and classified as problematic. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | 2025-08-03 | 4.3 | CVE-2025-8505 |
| 9001--copyparty | Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at `/?ru`, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a `<script>` block without proper escaping, allowing for reflected Cross-Site Scripting (XSS) and can be exploited against both authenticated and unauthenticated users. This is fixed in version 1.18.7. | 2025-07-31 | 6.3 | CVE-2025-54589 |
| 9001--copyparty | copyparty is a portable file server. In versions up to and including versions 1.18.4, an unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multimedia tags in music files, including m3u files. This is fixed in version 1.18.5. | 2025-07-28 | 5.4 | CVE-2025-54423 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-07-30 | 5.4 | CVE-2025-47001 |
| Alfasado Inc.--PowerCMS | Reflected cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product administrator accesses a crafted URL, an arbitrary script may be executed on the browser. | 2025-07-31 | 6.1 | CVE-2025-36563 |
| Alfasado Inc.--PowerCMS | Multiple versions of PowerCMS improperly neutralize formula elements in a CSV file. If a product user creates a malformed entry and a victim user downloads it as a CSV file and opens it in the user's environment, the embedded code may be executed. | 2025-07-31 | 6.5 | CVE-2025-54752 |
| Alfasado Inc.--PowerCMS | Multiple versions of PowerCMS allow unrestricted upload of dangerous files. If a product administrator accesses a malicious file uploaded by a product user, an arbitrary script may be executed on the browser. | 2025-07-31 | 6.5 | CVE-2025-54757 |
| Alfasado Inc.--PowerCMS | Stored cross-site scripting vulnerability exists in multiple versions of PowerCMS. If a product user accesses a malicious page, an arbitrary script may be executed on the browser. | 2025-07-31 | 5.4 | CVE-2025-41391 |
| Alfasado Inc.--PowerCMS | A path traversal issue exists in file uploading feature of multiple versions of PowerCMS. Arbitrary files may be overwritten by a product user. | 2025-07-31 | 5.4 | CVE-2025-41396 |
| amans2k--Bonanza WooCommerce Free Gifts Lite | The Bonanza - WooCommerce Free Gifts Lite plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the xlo_optin_call() function in all versions up to, and including, 1.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to set the opt in status to success. | 2025-07-29 | 4.3 | CVE-2025-6730 |
| Amazon--Q Developer VS Code Extension | The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI. To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use. | 2025-07-30 | 4 | CVE-2025-8217 |
| asterisk--asterisk | Asterisk is an open source private branch exchange and telephony toolkit. In versions up to and including 18.26.2, between 20.00.0 and 20.15.0, 20.7-cert6, 21.00.0, 22.00.0 through 22.5.0, there is a remote DoS and possible RCE condition in `asterisk/res/res_stir_shaken /verification.c` that can be exploited when an attacker can set an arbitrary Identity header, or STIR/SHAKEN is enabled, with verification set in the SIP profile associated with the endpoint to be attacked. This is fixed in versions 18.26.3, 20.7-cert6, 20.15.1, 21.10.1 and 22.5.1. | 2025-08-01 | 6.5 | CVE-2025-49832 |
| aumsrini--Image Gallery | The Image Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-02 | 6.1 | CVE-2025-8400 |
| awssoft--Magic Edge Lite | The Magic Edge - Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'height' parameter in all versions up to, and including, 1.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-02 | 6.4 | CVE-2025-8391 |
| bitslip6--BitFire Security Firewall, WAF, Bot/Spam Blocker, Login Security | The BitFire Security - Firewall, WAF, Bot/Spam Blocker, Login Security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.5 via the bitfire_* directory that automatically gets created and stores potentially sensitive files without any access restrictions. This makes it possible for unauthenticated attackers to extract sensitive data from various files like config.ini, debug.log, and more. | 2025-08-02 | 5.3 | CVE-2025-6722 |
| blendmedia--WP CTA | The WP CTA - Call To Action Plugin, Sticky CTA, Sticky Buttons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_cta_status' and 'change_sticky_sidebar_name' functions in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to update the status of a sticky and update the name displayed in the back-end WP CTA Dashboard. | 2025-08-02 | 5.3 | CVE-2025-8152 |
| blockspare--BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed | The BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites - Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML attributes of Image Carousel and Image Slider widgets in all versions up to, and including, 3.2.13.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-01 | 6.4 | CVE-2025-4684 |
| bnielsen--Custom Word Cloud | The Custom Word Cloud plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'angle' parameter in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-02 | 6.4 | CVE-2025-8317 |
| brainstormforce--Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) | The Ultimate Addons for Elementor (Formerly Elementor Header & Footer Builder) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_hfe_compatibility_option_callback ()function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the compatibility option setting. | 2025-08-02 | 4.3 | CVE-2025-8488 |
| bsc--Peru Cocktails App | A vulnerability, which was classified as problematic, has been found in bsc Peru Cocktails App 1.0.0 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component bsc.devy.peru_cocktails. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 5.3 | CVE-2025-8275 |
| Caixin--News App | A vulnerability, which was classified as problematic, was found in Caixin News App 8.0.1 on Android. Affected is an unknown function of the file AndroidManifest.xml of the component com.caixin.news. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-03 | 5.3 | CVE-2025-8513 |
| Campcodes--Courier Management System | A vulnerability was found in Campcodes Courier Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /view_parcel.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 6.3 | CVE-2025-8254 |
| Campcodes--Online Hotel Reservation System | A vulnerability, which was classified as critical, has been found in Campcodes Online Hotel Reservation System 1.0. This issue affects some unknown processing of the file /add_reserve.php. The manipulation of the argument room_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 6.3 | CVE-2025-8381 |
| Campcodes--Online Hotel Reservation System | A vulnerability, which was classified as critical, was found in Campcodes Online Hotel Reservation System 1.0. Affected is an unknown function of the file /admin/edit_room.php. The manipulation of the argument room_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 6.3 | CVE-2025-8382 |
| Campcodes--Online Hotel Reservation System | A vulnerability classified as critical has been found in Campcodes Online Hotel Reservation System 1.0. This affects an unknown part of the file /admin/edit_room.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 4.7 | CVE-2025-8379 |
| code-projects--Document Management System | A vulnerability was found in code-projects Document Management System 1.0 and classified as critical. This issue affects the function unlink of the file /dell.php. The manipulation of the argument ID leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-01 | 5.4 | CVE-2025-8433 |
| code-projects--Human Resource Integrated System | A vulnerability was found in code-projects Human Resource Integrated System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /insert-and-view/action.php. The manipulation of the argument content leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-08-03 | 6.3 | CVE-2025-8500 |
| code-projects--Intern Membership Management System | A vulnerability was found in code-projects Intern Membership Management System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file fill_details.php of the component Error Message Handler. The manipulation of the argument email leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 4.3 | CVE-2025-8340 |
| code-projects--Kitchen Treasure | A vulnerability, which was classified as critical, was found in code-projects Kitchen Treasure 1.0. This affects an unknown part of the file /userregistration.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-03 | 6.3 | CVE-2025-8504 |
| code-projects--Online Ordering System | A vulnerability classified as critical has been found in code-projects Online Ordering System 1.0. Affected is an unknown function of the file /admin/product.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 6.3 | CVE-2025-8256 |
| code-projects--Simple Car Rental System | A vulnerability classified as problematic has been found in code-projects Simple Car Rental System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-30 | 4.3 | CVE-2025-8335 |
| codebangers--All in One Time Clock Lite Tracking Employee Time Has Never Been Easier | The All in One Time Clock Lite - Tracking Employee Time Has Never Been Easier plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'nonce' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-08-02 | 6.1 | CVE-2025-6832 |
| Cool Mo--Maigcal Number App | A vulnerability, which was classified as problematic, has been found in Cool Mo Maigcal Number App up to 1.0.3 on Android. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.sdmagic.number. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 5.3 | CVE-2025-8258 |
| cursor--cursor | Cursor is a code editor built for programming with AI. In versions below 1.3, an attacker can bypass the allow list in auto-run mode with a backtick (`) or $(cmd). If a user has swapped Cursor from its default settings (requiring approval for every terminal call) to an allowlist, an attacker can execute arbitrary command execution outside of the allowlist without user approval. An attacker can trigger this vulnerability if chained with indirect prompt injection. This is fixed in version 1.3. | 2025-08-01 | 6.4 | CVE-2025-54131 |
| cursor--cursor | Cursor is a code editor built for programming with AI. In versions below 1.3, Mermaid (which is used to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker controlled server through an image fetch after successfully performing a prompt injection. A malicious model (or hallucination/backdoor) might also trigger this exploit at will. This issue requires prompt injection from malicious data (web, image upload, source code) in order to exploit. In that case, it can send sensitive information to an attacker-controlled external server. This is fixed in version 1.3. | 2025-08-01 | 4.4 | CVE-2025-54132 |
| cvat-ai--cvat | CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.1.0 through 2.41.0, email verification was not enforced when using Basic HTTP Authentication. As a result, users could create accounts using fake email addresses and use the product as verified users. Additionally, the missing email verification check leaves the system open to bot signups and further usage. CVAT 2.42.0 and later versions contain a fix for the issue. CVAT Enterprise customers have a workaround available; those customers may disable registration to prevent this issue. | 2025-07-30 | 4.3 | CVE-2025-54573 |
| dalek-cryptography--ed25519-dalek | The ed25519-dalek crate before 2 for Rust allows a double public key signing function oracle attack. The Keypair implementation leads to a simple computation for extracting a private key. | 2025-07-28 | 5.9 | CVE-2022-50237 |
| DECE Software--Geodi | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in DECE Software Geodi allows Cross-Site Scripting (XSS).This issue affects Geodi: before GEODI Setup 9.0.146. | 2025-07-29 | 5.4 | CVE-2025-6060 |
| Dell--PowerProtect Data Manager | Dell PowerProtect Data Manager, versions prior to 19.19, contain(s) an Improper Input Validation vulnerability in PowerProtect Data Manager. A low privileged attacker with remote access could potentially exploit this vulnerability to read arbitrary files. | 2025-07-30 | 6.5 | CVE-2025-30480 |
| Dell--SmartFabric OS10 Software | Dell SmartFabric OS10 Software, versions prior to 10.6.0.5, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | 2025-07-30 | 6.5 | CVE-2025-36608 |
| Dell--SmartFabric OS10 Software | Dell SmartFabric OS10 Software, versions prior to 10.6.0.5 contains a Files or Directories Accessible to External Parties vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Filesystem access for attacker. | 2025-07-30 | 5.5 | CVE-2025-30103 |
| delower186--Fan Page | The Fan Page plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-29 | 6.4 | CVE-2025-6681 |
| devitemsllc--HT Mega Absolute Addons For Elementor | The HT Mega - Absolute Addons For Elementor plugin for WordPress is vulnerable to unauthorized modification and loss of data due to an improper capability check on the 'ajax_trash_templates' function in all versions up to, and including, 2.9.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary attachment files, and move arbitrary posts, pages, and templates to the Trash. | 2025-07-31 | 4.3 | CVE-2025-8068 |
| devitemsllc--HT Mega Absolute Addons For Elementor | The HT Mega - Absolute Addons For Elementor plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.9.1 via the 'save_block_css' function. This makes it possible for authenticated attackers, with Author-level access and above, to create CSS files in any directory, and delete CSS files in any directory in a Windows environment. | 2025-07-31 | 4.3 | CVE-2025-8151 |
| devitemsllc--HT Mega Absolute Addons For Elementor | The HT Mega - Absolute Addons For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.1 via the 'get_post_data' function. This makes it possible for authenticated attackers, with Author-level access and above, to extract sensitive data including the content of private, password-protected, and draft posts and pages. | 2025-07-31 | 4.3 | CVE-2025-8401 |
| elemntor--Elementor Website Builder More Than Just a Page Builder | The Elementor Website Builder - More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'elementor-element' shortcode in all versions up to, and including, 3.29.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts sites with 'Element Caching' enabled. | 2025-07-29 | 6.4 | CVE-2025-3075 |
| elemntor--Elementor Website Builder More Than Just a Page Builder | The Elementor Website Builder - More Than Just a Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-text DOM element attribute in Text Path widget in all versions up to, and including, 3.30.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This attack affects only Chrome/Edge browsers | 2025-07-29 | 6.4 | CVE-2025-4566 |
| Enalean--tuleap | Tuleap is an Open Source Suite created to facilitate management of software development and collaboration. In Tuleap Community Edition prior to version 16.9.99.1750843170 and Tuleap Enterprise Edition prior to 16.8-4 and 16.9-2, the forgot password form allows for user enumeration. This is fixed in Tuleap Community Edition version 16.9.99.1750843170 and Tuleap Enterprise Edition 16.8-4 and 16.9-2. | 2025-07-29 | 5.3 | CVE-2025-52899 |
| Enalean--tuleap | Tuleap is an Open Source Suite created to facilitate management of software development and collaboration. In Tuleap Community Edition prior to version 16.9.99.1751892857 and Tuleap Enterprise Edition prior to 16.8-5 and 16.9-3, malicious users with some control over certain artifacts could insert malicious code when displaying the children of a parent artifact to force victims to execute the uncontrolled code. This is fixed in version Tuleap Community Edition prior to version 16.9.99.1751892857 and Tuleap Enterprise Edition prior to 16.8-5 and 16.9-3. | 2025-07-29 | 5.4 | CVE-2025-53541 |
| Enalean--tuleap | Tuleap is an Open Source Suite created to facilitate management of software development and collaboration. In Tuleap Community Edition prior to version 16.9.99.1752585665 and Tuleap Enterprise Edition prior to 16.8-6 and 16.9-5, users may potentially access confidential information from artifacts that they are not authorized to view. This is fixed in Tuleap Community Edition prior to version 16.9.99.1752585665 and Tuleap Enterprise Edition prior to 16.8-6 and 16.9-5. | 2025-07-29 | 4.3 | CVE-2025-53902 |
| ES--iperf3 | In iperf before 3.19.1, iperf_auth.c has an off-by-one error and resultant heap-based buffer overflow. | 2025-08-03 | 6.5 | CVE-2025-54349 |
| GitoxideLabs--gix-transport | The gix-transport crate before 0.36.1 for Rust allows command execution via the "gix clone 'ssh://-oProxyCommand=open$IFS" substring. NOTE: this was discovered before CVE-2024-32884, a similar vulnerability (involving a username field) that is more difficult to exploit. | 2025-07-28 | 4.1 | CVE-2023-53158 |
| givewp--GiveWP Donation Plugin and Fundraising Platform | The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the donor notes parameter in all versions up to, and including, 4.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with GiveWP worker-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Additionally, they need to trick an administrator into visiting the legacy version of the site. | 2025-07-31 | 5.4 | CVE-2025-7205 |
| glpi-project--glpi | GLPI is a Free Asset and IT Management Software package. In versions 9.1.0 through 10.0.18, an unauthenticated user can send a malicious link to attempt a phishing attack from the planning feature. This is fixed in version 10.0.19. | 2025-07-30 | 6.5 | CVE-2025-52897 |
| glpi-project--glpi | GLPI stands for Gestionnaire Libre de Parc Informatique is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.3.1 through 10.0.19, a connected user can use a malicious payload to steal mail receiver credentials. This is fixed in version 10.0.19. | 2025-07-30 | 6.5 | CVE-2025-53008 |
| glpi-project--glpi | GLPI is a Free Asset and IT Management Software package. In versions 0.80 through 10.0.18, a lack of permission checks can result in unauthorized access to some resources. This is fixed in version 10.0.19. | 2025-07-30 | 6.5 | CVE-2025-53111 |
| glpi-project--glpi | GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.78 through 10.0.18, a connected user can alter the reservations of another user. This is fixed in version 10.0.19. | 2025-07-30 | 5.4 | CVE-2025-53357 |
| glpi-project--glpi | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 9.5.0 through 10.0.18, a technician can use a malicious payload to trigger a stored XSS on the project's kanban. This is fixed in version 10.0.19. | 2025-07-29 | 4.5 | CVE-2025-27514 |
| glpi-project--glpi | GLPI is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 9.1.0 through 10.0.18, a lack of permission checks can result in unauthorized removal of some specific resources. This is fixed in version 10.0.19. | 2025-07-30 | 4.3 | CVE-2025-53112 |
| hanucodes--YouTube Embed YouTube Gallery, Vimeo Gallery WordPress Plugin | The YouTube Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'instance' parameter in all versions up to, and including, 10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-29 | 6.4 | CVE-2025-6692 |
| HashiCorp--Vault | Vault and Vault Enterprise's ("Vault") TOTP Secrets Engine code validation endpoint is susceptible to code reuse within its validity period. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | 2025-08-01 | 6.5 | CVE-2025-6014 |
| HashiCorp--Vault | Vault and Vault Enterprise ("Vault") TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as [+trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/cert#certificate]. In this configuration, an attacker may be able to craft a malicious certificate that could be used to impersonate another user. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | 2025-08-01 | 6.8 | CVE-2025-6037 |
| HashiCorp--Vault | Vault and Vault Enterprise's ("Vault") user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | 2025-08-01 | 5.3 | CVE-2025-6004 |
| HashiCorp--Vault | Vault and Vault Enterprise's ("Vault") login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | 2025-08-01 | 5.7 | CVE-2025-6015 |
| Hewlett Packard Enterprise--HPE Telco Network Function Virtual Orchestrator | A vulnerability was discovered in the storage policy for certain sets of sensitive credential information in the HPE Telco Network Function Virtual Orchestrator. Successful Exploitation could lead to unauthorized parties gaining access to sensitive system information. | 2025-07-31 | 6 | CVE-2025-37110 |
| Hewlett Packard Enterprise--HPE Telco Network Function Virtual Orchestrator | A vulnerability was discovered in the storage policy for certain sets of authentication keys in the HPE Telco Network Function Virtual Orchestrator. Successful Exploitation could lead to unauthorized parties gaining access to sensitive system information. | 2025-07-31 | 6 | CVE-2025-37111 |
| Hewlett Packard Enterprise--HPE Telco Network Function Virtual Orchestrator | A vulnerability was discovered in the storage policy for certain sets of encryption keys in the HPE Telco Network Function Virtual Orchestrator. Successful Exploitation could lead to unauthorized parties gaining access to sensitive system information. | 2025-07-31 | 6 | CVE-2025-37112 |
| IBM--Aspera Faspex | IBM Aspera Faspex 5.0.0 through 5.0.12.1 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms, | 2025-07-30 | 6.5 | CVE-2025-36039 |
| IBM--Aspera Faspex | IBM Aspera Faspex 5.0.0 through 5.0.12.1 could allow an authenticated user to perform unauthorized actions due to client-side enforcement of sever side security mechanisms. | 2025-07-30 | 6.5 | CVE-2025-36040 |
| IBM--Db2 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5.0.0 through 10.5.0.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query. | 2025-07-29 | 6.5 | CVE-2024-49828 |
| IBM--Db2 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5.0.0 through 10.5.0.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query. | 2025-07-29 | 6.5 | CVE-2024-51473 |
| IBM--Db2 | IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 could allow an unauthenticated user to cause a denial of service due to executable segments that are waiting for each other to release a necessary lock. | 2025-07-29 | 6.5 | CVE-2025-36010 |
| IBM--Db2 | IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query. | 2025-07-29 | 5.3 | CVE-2025-2533 |
| IBM--Db2 | IBM Db2 for Linux 12.1.0, 12.1.1, and 12.1.2 is vulnerable to denial of service with a specially crafted query under certain non-default conditions. | 2025-07-29 | 5.3 | CVE-2025-33114 |
| IBM--Db2 | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 10.5.0.0 through 10.5.0.11, 11.1.0 through 11.1.4.7, 11.5.0 through 11.5.9, and 12.1.0 through 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query. | 2025-07-29 | 4.9 | CVE-2024-52894 |
| IBM--IBM Db2 | IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 through 11.5.9 and 12.1.0 through 12.1.2 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query due to improper release of memory resources. | 2025-07-29 | 6.5 | CVE-2025-36071 |
| IBM--Informix Dynamic Server | IBM Informix Dynamic Server 12.10 and 14.10 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | 2025-07-28 | 5.4 | CVE-2024-49343 |
| IBM--QRadar SIEM | IBM QRadar SIEM 7.5 through 7.5.0 Update Pack 12 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-08-01 | 6.4 | CVE-2025-33118 |
| Insyde Software--InsydeH2O | The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home | 2025-07-30 | 6 | CVE-2025-4424 |
| Insyde Software--InsydeH2O | The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home | 2025-07-30 | 6 | CVE-2025-4426 |
| ivole--Customer Reviews for WooCommerce | The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author' parameter in all versions up to, and including, 5.80.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-31 | 6.4 | CVE-2025-5720 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07 a CSRF was possible in GitHub App connection flow | 2025-07-28 | 5.4 | CVE-2025-54528 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07 password reset and email verification tokens were using weak hashing algorithms | 2025-07-28 | 5.8 | CVE-2025-54535 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07 a CSRF was possible on GraphQL endpoint | 2025-07-28 | 5.4 | CVE-2025-54536 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07 user credentials were stored in plain text in memory snapshots | 2025-07-28 | 5.5 | CVE-2025-54537 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07 password exposure was possible via command line in the "hg pull" command | 2025-07-28 | 5.5 | CVE-2025-54538 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via snapshot dependencies | 2025-07-28 | 4.3 | CVE-2025-54532 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07 improper access control allowed disclosure of build settings via VCS configuration | 2025-07-28 | 4.3 | CVE-2025-54533 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07 reflected XSS was possible on the agentpushPreset page | 2025-07-28 | 4.8 | CVE-2025-54534 |
| JetBrains--YouTrack | In JetBrains YouTrack before 2025.2.86935, 2025.2.87167, 2025.3.87341, 2025.3.87344 improper iframe configuration in widget sandbox allows popups to bypass security restrictions | 2025-07-28 | 6.1 | CVE-2025-54527 |
| jetmonsters--Stratum Elementor Widgets | The Stratum - Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Advanced Google Maps and Image Hotspot widgets in all versions up to, and including, 1.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-01 | 6.4 | CVE-2025-7845 |
| Kehua--Charging Pile Cloud Platform | A vulnerability, which was classified as critical, was found in Kehua Charging Pile Cloud Platform 1.0. This affects an unknown part of the file /sys/task/findAllTask. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-31 | 6.3 | CVE-2025-8347 |
| Linux--kernel | A flaw exists within the Linux kernel's handling of new TCP connections. The issue results from the lack of memory release after its effective lifetime. This vulnerability allows an unauthenticated attacker to create a denial of service condition on the system. | 2025-07-30 | 5.9 | CVE-2023-2593 |
| Linux--kernel | A flaw was found in the Linux kernel's ksmbd component. A deadlock is triggered by sending multiple concurrent session setup requests, possibly leading to a denial of service. | 2025-08-02 | 5.9 | CVE-2023-32253 |
| Linux--kernel | A flaw was found in the Linux kernel's ksmbd component. A memory leak can occur if a client sends a session setup request with an unknown NTLMSSP message type, potentially leading to resource exhaustion. | 2025-08-02 | 5.3 | CVE-2023-32255 |
| litespeedtech--LSQUIC | LiteSpeed QUIC (LSQUIC) Library before 4.3.1 has an lsquic_engine_packet_in memory leak. | 2025-08-01 | 5.3 | CVE-2025-54939 |
| Lobby Universe--Lobby App | A vulnerability classified as problematic was found in Lobby Universe Lobby App up to 2.8.0 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.maverick.lobby. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-07-28 | 5.3 | CVE-2025-8257 |
| Malwarebytes--Binisoft Windows Firewall Control | In Malwarebytes Binisoft Windows Firewall Control before 6.16.0.0, the installer is vulnerable to local privilege escalation. | 2025-07-28 | 4.5 | CVE-2025-54569 |
| MedDream--MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the radiationDoseReport.php functionality of meddream MedDream PACS Premium 7.3.5.860. A specially crafted malicious url can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2025-07-28 | 6.1 | CVE-2025-32731 |
| MedDream--MedDream PACS Premium | A server-side request forgery vulnerability exists in the cecho.php functionality of MedDream PACS Premium 7.3.5.860. A specially crafted HTTP request can lead to SSRF. An attacker can make an unauthenticated HTTP request to trigger this vulnerability. | 2025-07-28 | 5.8 | CVE-2025-24485 |
| mmanifesto--Mmm Unity Loader | The Mmm Unity Loader plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'attributes' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-02 | 6.4 | CVE-2025-8399 |
| mrgoodfellow--360 Photo Spheres | The 360 Photo Spheres plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sphere' shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-02 | 6.4 | CVE-2025-4588 |
| nalam-1--Magical Addons For Elementor ( Header Footer Builder, Free Elementor Widgets, Elementor Templates Library ) | The Magical Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Custom Attributes in all versions up to, and including, 1.3.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-29 | 6.4 | CVE-2025-8196 |
| nextendweb--Smart Slider 3 | The Smart Slider 3 plugin for WordPress is vulnerable to time-based SQL Injection via the 'sliderid' parameter in all versions up to, and including, 3.5.1.28 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-07-30 | 4.9 | CVE-2025-6348 |
| nicheaddons--Medical Addon for Elementor | The Medical Addon for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Typewriter widget in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-02 | 6.4 | CVE-2025-8212 |
| NVIDIA--GPU Display Drivers | NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where it allows a guest to access global resources. A successful exploit of this vulnerability might lead to denial of service. | 2025-08-02 | 5.5 | CVE-2025-23285 |
| NVIDIA--GPU Display Drivers | NVIDIA GPU Display Driver for Windows and Linux contains a vulnerability where an attacker could read invalid memory. A successful exploit of this vulnerability might lead to information disclosure. | 2025-08-02 | 4.4 | CVE-2025-23286 |
| NVIDIA--NVIDIA Omniverse Launcher | NVIDIA Omniverse Launcher for Windows and Linux contains a vulnerability in the launcher logs, where a user could cause sensitive information to be written to the log files through proxy servers. A successful exploit of this vulnerability might lead to information disclosure. | 2025-07-31 | 5.5 | CVE-2025-23289 |
| oceanwp--Ocean Social Sharing | The Ocean Social Sharing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via social icon titles in all versions up to, and including, 2.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-02 | 6.4 | CVE-2025-7500 |
| openviglet--shio | A vulnerability classified as critical has been found in openviglet shio up to 0.3.8. Affected is the function shStaticFileUpload of the file shio-app/src/main/java/com/viglet/shio/api/staticfile/ShStaticFileAPI.java. The manipulation of the argument filename leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 6.3 | CVE-2025-8344 |
| openviglet--shio | A vulnerability was found in openviglet shio up to 0.3.8. It has been rated as critical. This issue affects the function shStaticFilePreUpload of the file shio-app/src/main/java/com/viglet/shio/api/staticfile/ShStaticFileAPI.java. The manipulation of the argument fileName leads to path traversal. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 4.3 | CVE-2025-8343 |
| OPEXUS--FOIAXpress Public Access Link (PAL) | OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. Unauthenticated remote attackers can more easily brute force passwords. | 2025-07-31 | 5.3 | CVE-2025-54833 |
| OPEXUS--FOIAXpress Public Access Link (PAL) | OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place. | 2025-07-31 | 5.3 | CVE-2025-54834 |
| OPEXUS--FOIAXpress Public Access Link (PAL) | OPEXUS FOIAXpress Public Access Link (PAL), version v11.1.0, allows an authenticated user to add entries to the list of states and territories. | 2025-07-31 | 4.3 | CVE-2025-54832 |
| Optimizely--Episerver Content Management System (CMS) | The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. The Admin dashboard offered the functionality to add gadgets to the dashboard. This included the "Notes" gadget. An authenticated attacker with the corresponding access rights (such as "WebAdmin") that was impersonating the victim could insert malicious JavaScript code in these notes that would be executed if the victim visited the dashboard. Affected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3) | 2025-07-28 | 4.8 | CVE-2025-27800 |
| Optimizely--Episerver Content Management System (CMS) | The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. ContentReference properties, which could be used in the "Edit" section of the CMS, offered an upload functionality for documents. These documents could later be used as displayed content on the page. It was possible to upload SVG files that include malicious JavaScript code that would be executed if a user visited the direct URL of the preview image. Attackers needed at least the role "WebEditor" in order to exploit this issue. Affected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3) | 2025-07-28 | 4.8 | CVE-2025-27801 |
| Optimizely--Episerver Content Management System (CMS) | The Episerver Content Management System (CMS) by Optimizely was affected by multiple Stored Cross-Site Scripting (XSS) vulnerabilities. This allowed an authenticated attacker to execute malicious JavaScript code in the victim's browser. RTE properties (text fields), which could be used in the "Edit" section of the CMS, allowed the input of arbitrary text. It was possible to input malicious JavaScript code in these properties that would be executed if a user visits the previewed page. Attackers needed at least the role "WebEditor" in order to exploit this issue. Affected products: Version 11.X: EPiServer.CMS.Core (<11.21.4) with EPiServer.CMS.UI (<11.37.5), Version 12.X: EPiServer.CMS.Core (<12.22.1) with EPiServer.CMS.UI (<11.37.3) | 2025-07-28 | 4.8 | CVE-2025-27802 |
| Portabilis--i-Educar | A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.10. Affected by this issue is some unknown functionality of the file /educar_aluno_lst.php. The manipulation of the argument ref_cod_matricula with the input "><img%20src=x%20onerror=alert(%27CVE-Hunters%27)> leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-31 | 4.3 | CVE-2025-8346 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar 2.9. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /intranet/educar_servidor_lst.php. The manipulation of the argument nome/matricula_servidor leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-31 | 4.3 | CVE-2025-8366 |
| Portabilis--i-Educar | A vulnerability classified as problematic has been found in Portabilis i-Educar 2.9. This affects an unknown part of the file /intranet/funcionario_vinculo_lst.php. The manipulation of the argument nome leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-31 | 4.3 | CVE-2025-8367 |
| Portabilis--i-Educar | A vulnerability classified as problematic was found in Portabilis i-Educar 2.9. This vulnerability affects unknown code of the file /intranet/pesquisa_pessoa_lst.php. The manipulation of the argument campo_busca/cpf leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-31 | 4.3 | CVE-2025-8368 |
| Portabilis--i-Educar | A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.9. This issue affects some unknown processing of the file /intranet/educar_avaliacao_desempenho_lst.php. The manipulation of the argument titulo_avaliacao leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-31 | 4.3 | CVE-2025-8369 |
| Portabilis--i-Educar | A vulnerability, which was classified as problematic, was found in Portabilis i-Educar 2.9. Affected is an unknown function of the file /intranet/educar_escolaridade_lst.php. The manipulation of the argument descricao leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-31 | 4.3 | CVE-2025-8370 |
| posimyththemes--The Plus Addons for Elementor Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce | The The Plus Addons for Elementor - Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom script parameter in all versions up to, and including, 6.3.10 even when the user does not have the unfiltered_html capability. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-01 | 6.4 | CVE-2025-7646 |
| qodeinteractive--Qi Addons For Elementor | The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's TypeOut Text widget in all versions up to, and including, 1.9.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-02 | 6.4 | CVE-2025-8146 |
| Quantum--SuperLoader | Quantum SuperLoader 3 V94.0 005E.0h devices allow attackers to access the hardcoded fa account because there are only 65536 possible passwords. | 2025-08-01 | 5.8 | CVE-2019-19145 |
| Red Hat--Red Hat Ansible Automation Platform 2 | A flaw was found in Ansible Automation Platform (AAP) where the Gateway API returns the client secret for certain GitHub Enterprise authenticators in clear text. This vulnerability affects administrators or auditors accessing authenticator configurations. While access is limited to privileged users, the clear text exposure of sensitive credentials increases the risk of accidental leaks or misuse. | 2025-07-31 | 4.4 | CVE-2025-7738 |
| Samsung Electronics--Data Management Server | An 'Arbitrary File Creation' in Samsung DMS(Data Management Server) allows attackers to create arbitrary files in unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses. | 2025-07-29 | 6.4 | CVE-2025-53081 |
| Samsung Electronics--Data Management Server | An 'Arbitrary File Deletion' in Samsung DMS(Data Management Server) allows attackers to delete arbitrary files from unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses. | 2025-07-29 | 6.1 | CVE-2025-53082 |
| Samsung Electronics--Data Management Server | Absolute Path Traversal in Samsung DMS(Data Management Server) allows authenticated attacker (Administrator) to read sensitive files | 2025-07-29 | 4.9 | CVE-2025-53079 |
| Samsung Electronics--DMS(Data Management Server) | An execution after redirect in Samsung DMS(Data Management Server) allows attackers to execute limited functions without permissions. An attacker could compromise the integrity of the platform by executing this vulnerability. | 2025-07-29 | 6.5 | CVE-2025-53077 |
| sfackler--openssl | The openssl crate before 0.10.55 for Rust allows an out-of-bounds read via an empty string to X509VerifyParamRef::set_host. | 2025-07-28 | 4.5 | CVE-2023-53159 |
| Shanghai Lingdang Information Technology--Lingdang CRM | A vulnerability classified as critical was found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. Affected by this vulnerability is the function delete_user of the file crm/WeiXinApp/yunzhijia/yunzhijiaApi.php. The manipulation of the argument function leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 8.6.5.2 is able to address this issue. It is recommended to upgrade the affected component. | 2025-07-31 | 6.3 | CVE-2025-8345 |
| shaonsina--Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) | The Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `Sina Posts`, `Sina Blog Post` and `Sina Table` widgets in all versions up to, and including, 3.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-08-01 | 6.4 | CVE-2025-6228 |
| shortpixel--ShortPixel Adaptive Images WebP, AVIF, CDN, Image Optimization | The ShortPixel Adaptive Images - WebP, AVIF, CDN, Image Optimization plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the API URL Setting in all versions up to, and including, 3.10.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-08-02 | 4.4 | CVE-2025-6626 |
| SixLabors--ImageSharp | ImageSharp is a 2D graphics library. In versions below 2.1.11 and 3.0.0 through 3.1.10, a specially crafted GIF file containing a malformed comment extension block (with a missing block terminator) can cause the ImageSharp GIF decoder to enter an infinite loop while attempting to skip the block. This leads to a denial of service. Applications processing untrusted GIF input should upgrade to a patched version. This issue is fixed in versions 2.1.11 and 3.1.11. | 2025-07-30 | 5.3 | CVE-2025-54575 |
| SolarWinds--Web Help Desk | SolarWinds Web Help Desk was reported to be affected by an XML External Entity Injection (XXE) vulnerability that could lead to information disclosure. A valid, low-privilege access is required unless the attacker had access to the local server to modify configuration files. | 2025-07-29 | 5.3 | CVE-2025-26400 |
| sparklewpthemes--Appzend | The Appzend theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'progressbarLayout' parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-29 | 6.4 | CVE-2025-5587 |
| streamweasels--StreamWeasels Kick Integration | The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'data-uuid' attribute in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-29 | 5.4 | CVE-2025-7810 |
| streamweasels--StreamWeasels Twitch Integration | The StreamWeasels Twitch Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'data-uuid' attribute in all versions up to, and including, 1.9.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-29 | 6.4 | CVE-2025-7809 |
| streamweasels--StreamWeasels YouTube Integration | The StreamWeasels YouTube Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'data-uuid' attribute in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-29 | 6.4 | CVE-2025-7811 |
| SUSE--Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1 | A Insertion of Sensitive Information into Log File vulnerability in SUSE Multi Linux Manager exposes the HTTP proxy credentials. This issue affects Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.27-150600.3.33.1; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.87-150400.3.110.2; SUSE Manager Server Module 4.3: from ? before 4.3.87-150400.3.110.2. | 2025-07-31 | 5.7 | CVE-2025-46809 |
| themeatelier--IDonate Blood Donation, Request And Donor Management System | The IDonate - Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the admin_donor_profile_view() function in versions 2.0.0 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to expose an administrator's username, email address, and all donor fields. | 2025-08-01 | 6.5 | CVE-2025-4523 |
| themefusecom--Brizy Page Builder | The Brizy - Page Builder plugin for WordPress is vulnerable to limited file uploads due to missing authorization on process_external_asset_urls function as well as missing path validation in store_file function in all versions up to, and including, 2.6.20. This makes it possible for unauthenticated attackers to upload .TXT files on the affected site's server. | 2025-07-29 | 5.3 | CVE-2025-4370 |
| TVB--Big Big Shop App | A vulnerability, which was classified as problematic, has been found in TVB Big Big Shop App 2.9.0 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component hk.com.tvb.bigbigshop. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-03 | 5.3 | CVE-2025-8512 |
| umbraco--Umbraco-CMS | Umbraco is an ASP.NET CMS. In versions 13.0.0 through 13.9.2, 15.0.0 through 15.4.1 and 16.0.0 through 16.1.0, the content delivery API can be restricted from public access where an API key must be provided in a header to authorize the request. It's also possible to configure output caching, such that the delivery API outputs will be cached for a period of time, improving performance. There's an issue when these two things are used together, where caching doesn't vary by the header that contains the API key. As such, it's possible for a user without a valid API key to retrieve a response for a given path and query if it has recently been requested and cached by request with a valid key. This is fixed in versions 13.9.3, 15.4.4 and 16.1.1. | 2025-07-30 | 5.3 | CVE-2025-54425 |
| Unisoc (Shanghai) Technologies Co., Ltd.--SC7731E/SC9832E/SC9863A/T310/T606/T612/T616/T610/T618/T750/T765/T760/T770/T820/S8000 | In bootloader, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with no additional execution privileges needed. | 2025-08-01 | 5.1 | CVE-2025-31716 |
| VMware--vCenter | VMware vCenter contains a denial-of-service vulnerability. A malicious actor who is authenticated through vCenter and has permission to perform API calls for guest OS customisation may trigger this vulnerability to create a denial-of-service condition. | 2025-07-29 | 4.4 | CVE-2025-41241 |
| WofficeIO--Woffice Core | The Woffice Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the woffice_file_manager_delete() function in all versions up to, and including, 5.4.26. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-08-02 | 6.8 | CVE-2025-7694 |
| wowdevs--Sky Addons Elementor Addons with Widgets & Templates | The Sky Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Multiple widgets in all versions up to, and including, 3.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-29 | 6.4 | CVE-2025-8216 |
| xpeedstudio--MetForm Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | The MetForm - Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `mf-template` DOM Element in all versions up to, and including, 4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-29 | 6.4 | CVE-2025-5684 |
| xwiki-contrib--Mocca Calendar | The Mocca Calendar application before 2.15 for XWiki allows XSS via the background or text color field. | 2025-08-03 | 6.4 | CVE-2025-52131 |
| xwiki-contrib--Mocca Calendar | The Mocca Calendar application before 2.15 for XWiki allows XSS via a title to the view event page. | 2025-08-03 | 6.4 | CVE-2025-52132 |
| xwiki-contrib--Mocca Calendar | The Mocca Calendar application before 2.15 for XWiki allows XSS via a title upon calendar import. | 2025-08-03 | 6.4 | CVE-2025-52133 |
| yanyutao0402--ChanCMS | A vulnerability has been found in yanyutao0402 ChanCMS up to 3.1.2 and classified as critical. Affected by this vulnerability is the function getArticle of the file app/modules/cms/controller/collect.js. The manipulation of the argument targetUrl leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. It is recommended to upgrade the affected component. | 2025-07-28 | 6.3 | CVE-2025-8266 |
| yarnpkg--Yarn | A vulnerability was found in yarnpkg Yarn up to 1.22.22. It has been classified as problematic. Affected is the function explodeHostedGitFragment of the file src/resolvers/exotics/hosted-git-resolver.js. The manipulation leads to inefficient regular expression complexity. It is possible to launch the attack remotely. The patch is identified as 97731871e674bf93bcbf29e9d3258da8685f3076. It is recommended to apply a patch to fix this issue. | 2025-07-28 | 4.3 | CVE-2025-8262 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 495300897--wx-shop | A vulnerability was found in 495300897 wx-shop up to de1b66331368695779cfc6e4d11a64caddf8716e and classified as problematic. This issue affects some unknown processing of the file /user/editUI. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | 2025-08-03 | 3.5 | CVE-2025-8506 |
| Campcodes--Online Hotel Reservation System | A vulnerability classified as problematic was found in Campcodes Online Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /admin/add_query_account.php. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-31 | 3.5 | CVE-2025-8380 |
| code-projects--Human Resource Integrated System | A vulnerability classified as problematic has been found in code-projects Human Resource Integrated System 1.0. Affected is an unknown function of the file /insert-and-view/action.php. The manipulation of the argument content leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-08-03 | 3.5 | CVE-2025-8501 |
| code-projects--Simple Car Rental System | A vulnerability, which was classified as problematic, has been found in code-projects Simple Car Rental System 1.0. This issue affects some unknown processing of the file /admin/add_vehicles.php. The manipulation of the argument car_name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-30 | 2.4 | CVE-2025-8337 |
| Dell--SmartFabric OS10 Software | Dell SmartFabric OS10 Software, versions prior to 10.6.0.5, contains a Use of Hard-coded Password vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2025-07-30 | 2.5 | CVE-2025-36609 |
| ES--iperf3 | In iperf before 3.19.1, iperf_auth.c has a Base64Decode assertion failure and application exit upon a malformed authentication attempt. | 2025-08-03 | 3.7 | CVE-2025-54350 |
| glpi-project--glpi | GLPI is a Free Asset and IT Management Software package, Data center management, ITIL Service Desk, licenses tracking and software auditing. In versions 0.84 through 10.0.18, usage of RSS feeds or external calendars when planning is subject to SSRF exploit. The previous security patches provided since GLPI 10.0.4 were not robust enough for certain specific cases. This is fixed in version 10.0.19. | 2025-07-30 | 3.5 | CVE-2025-52567 |
| glpi-project--glpi | GLPI, which stands for Gestionnaire Libre de Parc Informatique, is a Free Asset and IT Management Software package, that provides ITIL Service Desk features, licenses tracking and software auditing. In versions 0.65 through 10.0.18, a technician can use the external links feature to fetch information on items they do not have the right to see. This is fixed in version 10.0.19. | 2025-07-30 | 2.7 | CVE-2025-53113 |
| Hangzhou Shunwang--Rentdrv2 | Hangzhou Shunwang Rentdrv2 before 2024-12-24 allows local users to terminate EDR processes and possibly have unspecified other impact via DeviceIoControl with control code 0x22E010, as exploited in the wild in October 2023. | 2025-08-01 | 3.2 | CVE-2023-44976 |
| HashiCorp--Vault | A timing side channel in Vault and Vault Enterprise's ("Vault") userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault's Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23. | 2025-08-01 | 3.7 | CVE-2025-6011 |
| Hewlett Packard Enterprise (HPE)--HPE Telco Service Activator | Cross-site scripting vulnerability has been identified in HPE Telco Service Activator product | 2025-07-31 | 3.5 | CVE-2025-37108 |
| Hewlett Packard Enterprise (HPE)--HPE Telco Service Activator | Cross-site scripting vulnerability has been identified in HPE Telco Service Activator product | 2025-07-31 | 3.5 | CVE-2025-37109 |
| himmelblau-idm--himmelblau | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. When debugging is enabled for Himmelblau in version 1.0.0, the himmelblaud_tasks service leaks an Intune service access token to the system journal. This short-lived token can be used to detect the host's Intune compliance status, and may permit additional administrative operations for the Intune host device (though the API for these operations is undocumented). This is fixed in version 1.1.0. To workaround this issue, ensure that Himmelblau debugging is disabled. | 2025-08-01 | 2.8 | CVE-2025-54781 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.07 a CSRF was possible in external OAuth login integration | 2025-07-28 | 3.7 | CVE-2025-54529 |
| Linux--kernel | A vulnerability has been identified in the Linux kernel's ksmbd component (kernel SMB/CIFS server). A security control designed to prevent dictionary attacks, which introduces a 5-second delay during session setup, can be bypassed through the use of asynchronous requests. This bypass negates the intended anti-brute-force protection, potentially allowing attackers to conduct dictionary attacks more efficiently against user credentials or other authentication mechanisms. | 2025-07-31 | 3.7 | CVE-2023-32251 |
| moby--moby | Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. A firewalld vulnerability affects Moby releases before 28.0.0. When firewalld reloads, Docker fails to re-create iptables rules that isolate bridge networks, allowing any container to access all ports on any other container across different bridge networks on the same host. This breaks network segmentation between containers that should be isolated, creating significant risk in multi-tenant environments. Only containers in --internal networks remain protected. Workarounds include reloading firewalld and either restarting the docker daemon, re-creating bridge networks, or using rootless mode. Maintainers anticipate a fix for this issue in version 25.0.13. | 2025-07-30 | 3.3 | CVE-2025-54410 |
| N/A--Glib | A flaw was found in GLib. A denial of service on Windows platforms may occur if an application attempts to spawn a program using long command lines. | 2025-07-28 | 3.7 | CVE-2025-4056 |
| n/a--LibTIFF | A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as problematic. Affected by this vulnerability is the function t2p_read_tiff_init of the file tools/tiff2pdf.c of the component fax2ps. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The complexity of an attack is rather high. The exploitation appears to be difficult. The patch is named 2ebfffb0e8836bfb1cd7d85c059cd285c59761a4. It is recommended to apply a patch to fix this issue. | 2025-08-01 | 2.5 | CVE-2024-13978 |
| n/a--Vaelsys | A vulnerability has been found in Vaelsys 4.1.0 and classified as problematic. This vulnerability affects unknown code of the file /grid/vgrid_server.php of the component MD4 Hash Handler. The manipulation of the argument xajaxargs leads to use of weak hash. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-28 | 3.1 | CVE-2025-8260 |
| NVIDIA--GPU Display Drivers | NVIDIA GPU Display Driver for Windows contains a vulnerability where an attacker may access sensitive system-level information. A successful exploit of this vulnerability may lead to Information disclosure. | 2025-08-02 | 3.3 | CVE-2025-23287 |
| NVIDIA--GPU Display Drivers | NVIDIA GPU Display Driver for Windows contains a vulnerability where an attacker may cause an exposure of sensitive system information with local unprivileged system access. A successful exploit of this vulnerability may lead to Information disclosure. | 2025-08-02 | 3.3 | CVE-2025-23288 |
| NVIDIA--GPU Display Drivers | NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a guest could get global GPU metrics which may be influenced by work in other VMs. A successful exploit of this vulnerability might lead to information disclosure. | 2025-08-02 | 2.5 | CVE-2025-23290 |
| Portabilis--i-Diario | A vulnerability classified as problematic was found in Portabilis i-Diario 1.5.0. This vulnerability affects unknown code of the file /diario-de-observacoes/ of the component Observações. The manipulation of the argument Descrição leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-03 | 3.5 | CVE-2025-8511 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar 2.10. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file atendidos_cad.php. The manipulation of the argument nome/nome_social/email leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-31 | 3.5 | CVE-2025-8365 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar 2.9. It has been classified as problematic. Affected is an unknown function of the file /intranet/educar_funcao_lst.php. The manipulation of the argument nm_funcao/abreviatura leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-03 | 3.5 | CVE-2025-8507 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar 2.9. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /intranet/educar_avaliacao_desempenho_cad.php. The manipulation of the argument titulo_avaliacao/descricao leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-03 | 3.5 | CVE-2025-8508 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar 2.9. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /intranet/educar_servidor_cad.php. The manipulation of the argument matricula leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-08-03 | 3.5 | CVE-2025-8509 |
| Portabilis--i-Educar | A vulnerability classified as problematic has been found in Portabilis i-Educar 2.10. This affects the function Gerar of the file ieducar/intranet/educar_matricula_lst.php. The manipulation of the argument ref_cod_aluno leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 82c288b9a4abb084bdfa1c0c4ef777ed45f98b46. It is recommended to apply a patch to fix this issue. The vendor initially closed the original advisory without requesting a CVE. | 2025-08-03 | 3.5 | CVE-2025-8510 |
| r-lib--gh | The gh package before 1.5.0 for R delivers an HTTP response in a data structure that includes the Authorization header from the corresponding HTTP request. | 2025-08-03 | 3.2 | CVE-2025-54956 |
| Red Hat--Red Hat Enterprise Linux 10 | A vulnerability was found in the netavark package, a network stack for containers used with Podman. Due to dns.podman search domain being removed, netavark may return external servers if a valid A/AAAA record is sent as a response. When creating a container with a given name, this name will be used as the hostname for the container itself, as the podman's search domain is not added anymore the container is using the host's resolv.conf, and the DNS resolver will try to look into the search domains contained on it. If one of the domains contain a name with the same hostname as the running container, the connection will forward to unexpected external servers. | 2025-07-28 | 3.7 | CVE-2025-8283 |
| sequoia-pgp--buffered-reader | The buffered-reader crate before 1.1.5 for Rust allows out-of-bounds array access and a panic. | 2025-07-28 | 2.9 | CVE-2023-53161 |
| sequoia-pgp--sequoia | The sequoia-openpgp crate before 1.16.0 for Rust allows out-of-bounds array access and a panic. | 2025-07-28 | 2.9 | CVE-2023-53160 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| A10 Networks--AX Series Loadbalancer | A path traversal vulnerability exists in A10 Networks AX Loadbalancer versions 2.6.1-GR1-P5, 2.7.0, and earlier. The vulnerability resides in the handling of the filename parameter in the /xml/downloads endpoint, which fails to properly sanitize user input. An unauthenticated attacker can exploit this flaw by sending crafted HTTP requests containing directory traversal sequences to read arbitrary files outside the intended directory. The files returned by the vulnerable endpoint are deleted from the system after retrieval. This can lead to unauthorized disclosure of sensitive information such as SSL certificates and private keys, as well as unintended file deletion. | 2025-07-31 | not yet calculated | CVE-2014-125125 |
| Absolute Security--Secure Access | CVE-2025-49082 is a vulnerability in the management console of Absolute Secure Access prior to version 13.56. Attackers with administrative access to the console and who have been assigned a certain set of permissions can bypass those permissions to improperly read other settings. The attack complexity is low, there are no preexisting attack requirements; the privileges required are high, and there is no user interaction required. The impact to system confidentiality is low, there is no impact to system availability or integrity. | 2025-07-30 | not yet calculated | CVE-2025-49082 |
| Absolute Security--Secure Access | CVE-2025-49083 is a vulnerability in the management console of Absolute Secure Access after version 12.00 and prior to version 13.56. Attackers with administrative access to the console can cause unsafe content to be deserialized and executed in the security context of the console. The attack complexity is low and there are no attack requirements. Privileges required are high and there is no user interaction required. The impact to confidentiality is low, impact to integrity is high and there is no impact to availability. The impact to the confidentiality and integrity of subsequent systems is low and there is no subsequent system impact to availability. | 2025-07-30 | not yet calculated | CVE-2025-49083 |
| Absolute Security--Secure Access | CVE-2025-54085 is a vulnerability in the management console of Absolute Secure Access prior to version 13.56. Attackers with administrative access to the console and who have been assigned a certain set of permissions can bypass those permissions to improperly read or change other settings. The attack complexity is low, there are no preexisting attack requirements; the privileges required are high, and there is no user interaction required. The impact to system confidentiality and integrity is low, there is no impact to system availability. | 2025-07-30 | not yet calculated | CVE-2025-54085 |
| Absolutee Security--Secure Access | CVE-2025-49084 is a vulnerability in the management console of Absolute Secure Access prior to version 13.56. Attackers with administrative access can overwrite policy rules without the requisite permissions. The attack complexity is low, attack requirements are present, privileges required are high and no user interaction is required. There is no impact to confidentiality, the impact to integrity is low, and there is no impact to availability. The impact to confidentiality and availability of subsequent systems is high and the impact to the integrity of subsequent systems is low. | 2025-07-30 | not yet calculated | CVE-2025-49084 |
| AcademySoftwareFoundation--MaterialX | MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In versions 1.39.2 and below, when parsing an MTLX file with multiple nested nodegraph implementations, the MaterialX XML parsing logic can potentially crash due to stack exhaustion. An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file. This is fixed in version 1.39.3. | 2025-08-01 | not yet calculated | CVE-2025-53009 |
| AcademySoftwareFoundation--MaterialX | MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, when parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. An attacker could intentionally crash a target program that uses OpenEXR by sending a malicious MTLX file. This is fixed in version 1.39.3. | 2025-08-01 | not yet calculated | CVE-2025-53010 |
| AcademySoftwareFoundation--MaterialX | MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, when parsing shader nodes in a MTLX file, the MaterialXCore code accesses a potentially null pointer, which can lead to crashes with maliciously crafted files. An attacker could intentionally crash a target program that uses MaterialX by sending a malicious MTLX file. This is fixed in version 1.39.3. | 2025-08-01 | not yet calculated | CVE-2025-53011 |
| AcademySoftwareFoundation--MaterialX | MaterialX is an open standard for the exchange of rich material and look-development content across applications and renderers. In version 1.39.2, nested imports of MaterialX files can lead to a crash via stack memory exhaustion, due to the lack of a limit on the "import chain" depth. When parsing file imports, recursion is used to process nested files; however, there is no limit imposed to the depth of files that can be parsed by the library. By building a sufficiently deep chain of MaterialX files one referencing the next, it is possible to crash the process using the MaterialX library via stack exhaustion. This is fixed in version 1.39.3. | 2025-08-01 | not yet calculated | CVE-2025-53012 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In versions 3.3.2 through 3.3.0, there is a heap-based buffer overflow during a write operation when decompressing ZIPS-packed deep scan-line EXR files with a maliciously forged chunk header. This is fixed in version 3.3.3. | 2025-07-31 | not yet calculated | CVE-2025-48071 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. Version 3.3.2 is vulnerable to a heap-based buffer overflow during a read operation due to bad pointer math when decompressing DWAA-packed scan-line EXR files with a maliciously forged chunk. This is fixed in version 3.3.3. | 2025-07-31 | not yet calculated | CVE-2025-48072 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, when reading a deep scanline image with a large sample count in reduceMemory mode, it is possible to crash a target application with a NULL pointer dereference in a write operation. This is fixed in version 3.3.3. | 2025-07-31 | not yet calculated | CVE-2025-48073 |
| AcademySoftwareFoundation--openexr | OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3. | 2025-08-01 | not yet calculated | CVE-2025-48074 |
| Agnitum Ltd.--Outpost Internet Security | A local privilege escalation vulnerability exists in Agnitum Outpost Internet Security 8.1 that allows an unprivileged user to execute arbitrary code with SYSTEM privileges. The flaw resides in the acs.exe component, which exposes a named pipe that accepts unauthenticated commands. By exploiting a directory traversal weakness in the pipe protocol, an attacker can instruct the service to load a malicious DLL from a user-controlled location. The DLL is then executed in the context of the privileged service. | 2025-08-01 | not yet calculated | CVE-2013-10046 |
| AK-Nord--USB-Server-LXL | Insecure permissions in the script /etc/init.d/lighttpd in AK-Nord USB-Server-LXL Firmware v0.0.16 Build 2023-03-13 allows a locally authenticated low-privilege user to execute arbitrary commands with root privilege via editing this script which is executed with root-privileges on any interaction and on every system boot. | 2025-08-01 | not yet calculated | CVE-2025-52361 |
| Alpine--iLX-507 | Alpine iLX-507 vCard Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine iLX-507 devices. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the parsing of vCard data. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute arbitrary code in the context of root. Was ZDI-CAN-26316. | 2025-08-01 | not yet calculated | CVE-2025-8472 |
| Alpine--iLX-507 | Alpine iLX-507 UPDM_wstpCBCUpdStart Command Injection Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Alpine iLX-507 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the UPDM_wstpCBCUpdStart function. The issue results from the lack of proper validation of user-supplied data before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26317. | 2025-08-01 | not yet calculated | CVE-2025-8473 |
| Alpine--iLX-507 | Alpine iLX-507 CarPlay Stack-based Buffer Overflow Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Alpine iLX-507 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the Apple CarPlay protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26318. | 2025-08-01 | not yet calculated | CVE-2025-8474 |
| Alpine--iLX-507 | Alpine iLX-507 AVRCP Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine iLX-507 devices. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the implementation of the AVRCP protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26321. | 2025-08-01 | not yet calculated | CVE-2025-8475 |
| Alpine--iLX-507 | Alpine iLX-507 TIDAL Improper Certificate Validation Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine iLX-507 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the TIDAL music streaming application. The issue results from improper certificate validation. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-26322. | 2025-08-01 | not yet calculated | CVE-2025-8476 |
| Alpine--iLX-507 | Alpine iLX-507 vCard Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected Alpine iLX-507 devices. User interaction is required to exploit this vulnerability in that the target must connect to a malicious Bluetooth device. The specific flaw exists within the parsing of vCard data. The issue results from the lack of proper validation of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-26324. | 2025-08-01 | not yet calculated | CVE-2025-8477 |
| Alpine--iLX-507 | Alpine iLX-507 Command Injection Remote Code Execution. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Alpine iLX-507 devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Tidal music streaming application. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26357. | 2025-08-01 | not yet calculated | CVE-2025-8480 |
| andisearch--andisearch | andisearch v0.5.249 was discovered to contain a cross-site scripting (XSS) vulnerability. | 2025-07-30 | not yet calculated | CVE-2025-51951 |
| Android--TV | There exists a TOCTOU race condition in TvSettings AppRestrictionsFragment.java that lead to start of attacker supplied activity in Settings' context, i.e. system-uid context, thus lead to launchAnyWhere. The core idea is to utilize the time window between the check of Intent and the use to Intent to change the target component's state, thus bypass the original security sanitize function. | 2025-07-31 | not yet calculated | CVE-2025-8192 |
| AnQiCMS--AnQiCMS | A stored Cross Site Scripting (xss) vulnerability in the "content management" feature in AnQiCMS v.3.4.11 allows a remote attacker to execute arbitrary code via a crafted script to the title, categoryTitle, and tmpTag parameters. | 2025-07-31 | not yet calculated | CVE-2025-50270 |
| Apache Software Foundation--Apache JSPWiki | A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too. Apache JSPWiki users should upgrade to 2.12.3 or later. | 2025-07-31 | not yet calculated | CVE-2025-24853 |
| Apache Software Foundation--Apache JSPWiki | A carefully crafted request using the Image plugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.3 or later. | 2025-07-31 | not yet calculated | CVE-2025-24854 |
| Apache Software Foundation--Apache Zeppelin | Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin. This issue affects Apache Zeppelin: before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue. | 2025-08-03 | not yet calculated | CVE-2024-41177 |
| Apache Software Foundation--Apache Zeppelin | Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin. The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs. This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue. | 2025-08-03 | not yet calculated | CVE-2024-51775 |
| Apache Software Foundation--Apache Zeppelin | Improper Input Validation vulnerability in Apache Zeppelin. The fix for JDBC URL validation in CVE-2024-31864 did not account for URL encoded input. This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue. | 2025-08-03 | not yet calculated | CVE-2024-52279 |
| Apple--iOS and iPadOS | A logic issue was addressed with improved checks. This issue is fixed in iOS 18.6 and iPadOS 18.6. Passcode may be read aloud by VoiceOver. | 2025-07-29 | not yet calculated | CVE-2025-31229 |
| Apple--iPadOS | The issue was addressed with improved checks. This issue is fixed in tvOS 18.5, iOS 18.5 and iPadOS 18.5, iPadOS 17.7.9, macOS Sequoia 15.5, watchOS 11.5, visionOS 2.5, macOS Ventura 13.7.7. A remote attacker may be able to cause unexpected system termination. | 2025-07-29 | not yet calculated | CVE-2025-24224 |
| Apple--iPadOS | This issue was addressed through improved state management. This issue is fixed in iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9. Remote content may be loaded even when the 'Load Remote Images' setting is turned off. | 2025-07-29 | not yet calculated | CVE-2025-31276 |
| Apple--iPadOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, iPadOS 17.7.9, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to fingerprint the user. | 2025-07-29 | not yet calculated | CVE-2025-31279 |
| Apple--iPadOS | An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.6, iPadOS 17.7.9, iOS 18.6 and iPadOS 18.6, tvOS 18.6, macOS Sonoma 14.7.7, watchOS 11.6, visionOS 2.6, macOS Ventura 13.7.7. Processing maliciously crafted web content may lead to an unexpected Safari crash. | 2025-07-29 | not yet calculated | CVE-2025-43209 |
| Apple--iPadOS | The issue was addressed by adding additional logic. This issue is fixed in iPadOS 17.7.9, iOS 18.6 and iPadOS 18.6. Privacy Indicators for microphone or camera access may not be correctly displayed. | 2025-07-29 | not yet calculated | CVE-2025-43217 |
| Apple--iPadOS | This issue was addressed with improved validation of symlinks. This issue is fixed in iPadOS 17.7.9, macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to access protected user data. | 2025-07-29 | not yet calculated | CVE-2025-43220 |
| Apple--iPadOS | A use-after-free issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.6, iPadOS 17.7.9, macOS Ventura 13.7.7, macOS Sonoma 14.7.7. An attacker may be able to cause unexpected app termination. | 2025-07-29 | not yet calculated | CVE-2025-43222 |
| Apple--iPadOS | A denial-of-service issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13.7.7, iPadOS 17.7.9, iOS 18.6 and iPadOS 18.6, macOS Sonoma 14.7.7, watchOS 11.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6. A non-privileged user may be able to modify restricted network settings. | 2025-07-29 | not yet calculated | CVE-2025-43223 |
| Apple--iPadOS | A logging issue was addressed with improved data redaction. This issue is fixed in macOS Sequoia 15.6, iPadOS 17.7.9, macOS Ventura 13.7.7, macOS Sonoma 14.7.7. An app may be able to access sensitive user data. | 2025-07-29 | not yet calculated | CVE-2025-43225 |
| Apple--iPadOS | An out-of-bounds read was addressed with improved input validation. This issue is fixed in watchOS 11.6, iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, tvOS 18.6, macOS Sequoia 15.6, macOS Sonoma 14.7.7, visionOS 2.6. Processing a maliciously crafted image may result in disclosure of process memory. | 2025-07-29 | not yet calculated | CVE-2025-43226 |
| Apple--iPadOS | The issue was addressed with additional permissions checks. This issue is fixed in iPadOS 17.7.9, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6. An app may be able to access user-sensitive data. | 2025-07-29 | not yet calculated | CVE-2025-43230 |
| Apple--macOS | This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.3, macOS Ventura 13.7.7, macOS Sonoma 14.7.7. An app may be able to execute arbitrary code out of its sandbox or with certain elevated privileges. | 2025-07-29 | not yet calculated | CVE-2025-24119 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sonoma 14.7.7, macOS Ventura 13.7.7, macOS Sequoia 15.6. An app may be able to gain root privileges. | 2025-07-29 | not yet calculated | CVE-2025-31243 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6. A sandboxed process may be able to launch any installed app. | 2025-07-29 | not yet calculated | CVE-2025-31275 |
| Apple--macOS | A memory corruption issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.6. Processing a maliciously crafted file may lead to heap corruption. | 2025-07-29 | not yet calculated | CVE-2025-31280 |
| Apple--macOS | An input validation issue was addressed with improved memory handling. This issue is fixed in visionOS 2.6, tvOS 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6. Processing a maliciously crafted file may lead to unexpected app termination. | 2025-07-29 | not yet calculated | CVE-2025-31281 |
| Apple--macOS | This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sonoma 14.7.7, macOS Ventura 13.7.7, macOS Sequoia 15.4. A shortcut may be able to bypass sensitive Shortcuts app settings. | 2025-07-29 | not yet calculated | CVE-2025-43184 |
| Apple--macOS | A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.6. An app may be able to access protected user data. | 2025-07-29 | not yet calculated | CVE-2025-43185 |
| Apple--macOS | The issue was addressed with improved memory handling. This issue is fixed in watchOS 11.6, iOS 18.6 and iPadOS 18.6, tvOS 18.6, macOS Sequoia 15.6, macOS Sonoma 14.7.7, visionOS 2.6, macOS Ventura 13.7.7. Parsing a file may lead to an unexpected app termination. | 2025-07-29 | not yet calculated | CVE-2025-43186 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6. A malicious app may be able to gain root privileges. | 2025-07-29 | not yet calculated | CVE-2025-43188 |
| Apple--macOS | This issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7. A malicious app may be able to read kernel memory. | 2025-07-29 | not yet calculated | CVE-2025-43189 |
| Apple--macOS | A path handling issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to cause a denial-of-service. | 2025-07-29 | not yet calculated | CVE-2025-43191 |
| Apple--macOS | A configuration issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7. Account-driven User Enrollment may still be possible with Lockdown Mode turned on. | 2025-07-29 | not yet calculated | CVE-2025-43192 |
| Apple--macOS | The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6, macOS Ventura 13.7.7, macOS Sonoma 14.7.7. An app may be able to cause a denial-of-service. | 2025-07-29 | not yet calculated | CVE-2025-43193 |
| Apple--macOS | The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to modify protected parts of the file system. | 2025-07-29 | not yet calculated | CVE-2025-43194 |
| Apple--macOS | An issue existed in the handling of environment variables. This issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to access sensitive user data. | 2025-07-29 | not yet calculated | CVE-2025-43195 |
| Apple--macOS | A path handling issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to gain root privileges. | 2025-07-29 | not yet calculated | CVE-2025-43196 |
| Apple--macOS | This issue was addressed with additional entitlement checks. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to access sensitive user data. | 2025-07-29 | not yet calculated | CVE-2025-43197 |
| Apple--macOS | This issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7. An app may be able to access protected user data. | 2025-07-29 | not yet calculated | CVE-2025-43198 |
| Apple--macOS | A permissions issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. A malicious app may be able to gain root privileges. | 2025-07-29 | not yet calculated | CVE-2025-43199 |
| Apple--macOS | A parsing issue in the handling of directory paths was addressed with improved path validation. This issue is fixed in macOS Sequoia 15.6, macOS Ventura 13.7.7, macOS Sonoma 14.7.7. An app may be able to access protected user data. | 2025-07-29 | not yet calculated | CVE-2025-43206 |
| Apple--macOS | The issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6. Processing a maliciously crafted image may result in disclosure of process memory. | 2025-07-29 | not yet calculated | CVE-2025-43215 |
| Apple--macOS | An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Sequoia 15.6. Processing a maliciously crafted USD file may disclose memory contents. | 2025-07-29 | not yet calculated | CVE-2025-43218 |
| Apple--macOS | An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, visionOS 2.6, tvOS 18.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. | 2025-07-29 | not yet calculated | CVE-2025-43221 |
| Apple--macOS | An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in visionOS 2.6, tvOS 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6. Processing a maliciously crafted media file may lead to unexpected app termination or corrupt process memory. | 2025-07-29 | not yet calculated | CVE-2025-43224 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Ventura 13.7.7, macOS Sonoma 14.7.7. An app may be able to bypass certain Privacy preferences. | 2025-07-29 | not yet calculated | CVE-2025-43232 |
| Apple--macOS | This issue was addressed with improved access restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. A malicious app acting as a HTTPS proxy could get access to sensitive user data. | 2025-07-29 | not yet calculated | CVE-2025-43233 |
| Apple--macOS | Multiple memory corruption issues were addressed with improved input validation. This issue is fixed in watchOS 11.6, iOS 18.6 and iPadOS 18.6, tvOS 18.6, macOS Sequoia 15.6, visionOS 2.6. Processing a maliciously crafted texture may lead to unexpected app termination. | 2025-07-29 | not yet calculated | CVE-2025-43234 |
| Apple--macOS | The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6. An app may be able to cause a denial-of-service. | 2025-07-29 | not yet calculated | CVE-2025-43235 |
| Apple--macOS | An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.6. An app may be able to cause unexpected system termination. | 2025-07-29 | not yet calculated | CVE-2025-43237 |
| Apple--macOS | An out-of-bounds access issue was addressed with improved bounds checking. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. Processing a maliciously crafted file may lead to unexpected app termination. | 2025-07-29 | not yet calculated | CVE-2025-43239 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Ventura 13.7.7, macOS Sonoma 14.7.7. An app may be able to read files outside of its sandbox. | 2025-07-29 | not yet calculated | CVE-2025-43241 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Ventura 13.7.7, macOS Sonoma 14.7.7. An app may be able to modify protected parts of the file system. | 2025-07-29 | not yet calculated | CVE-2025-43243 |
| Apple--macOS | A race condition was addressed with improved state handling. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to cause unexpected system termination. | 2025-07-29 | not yet calculated | CVE-2025-43244 |
| Apple--macOS | A downgrade issue was addressed with additional code-signing restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to access protected user data. | 2025-07-29 | not yet calculated | CVE-2025-43245 |
| Apple--macOS | This issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7. An app may be able to access sensitive user data. | 2025-07-29 | not yet calculated | CVE-2025-43246 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. A malicious app with root privileges may be able to modify the contents of system files. | 2025-07-29 | not yet calculated | CVE-2025-43247 |
| Apple--macOS | A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7. A malicious app may be able to gain root privileges. | 2025-07-29 | not yet calculated | CVE-2025-43248 |
| Apple--macOS | A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to gain root privileges. | 2025-07-29 | not yet calculated | CVE-2025-43249 |
| Apple--macOS | A path handling issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to break out of its sandbox. | 2025-07-29 | not yet calculated | CVE-2025-43250 |
| Apple--macOS | An authorization issue was addressed with improved state management. This issue is fixed in macOS Sequoia 15.6. A local attacker may gain access to Keychain items. | 2025-07-29 | not yet calculated | CVE-2025-43251 |
| Apple--macOS | This issue was addressed by adding an additional prompt for user consent. This issue is fixed in macOS Sequoia 15.6. A website may be able to access sensitive user data when resolving symlinks. | 2025-07-29 | not yet calculated | CVE-2025-43252 |
| Apple--macOS | This issue was addressed with improved input validation. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7. A malicious app may be able to launch arbitrary binaries on a trusted device. | 2025-07-29 | not yet calculated | CVE-2025-43253 |
| Apple--macOS | An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Sequoia 15.6, macOS Ventura 13.7.7, macOS Sonoma 14.7.7. Processing a maliciously crafted file may lead to unexpected app termination. | 2025-07-29 | not yet calculated | CVE-2025-43254 |
| Apple--macOS | This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7. An app may be able to gain root privileges. | 2025-07-29 | not yet calculated | CVE-2025-43256 |
| Apple--macOS | This issue was addressed with improved redaction of sensitive information. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An attacker with physical access to a locked device may be able to view sensitive user information. | 2025-07-29 | not yet calculated | CVE-2025-43259 |
| Apple--macOS | This issue was addressed with improved data protection. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7. An app may be able to hijack entitlements granted to other privileged apps. | 2025-07-29 | not yet calculated | CVE-2025-43260 |
| Apple--macOS | A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to break out of its sandbox. | 2025-07-29 | not yet calculated | CVE-2025-43261 |
| Apple--macOS | A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to break out of its sandbox. | 2025-07-29 | not yet calculated | CVE-2025-43266 |
| Apple--macOS | An injection issue was addressed with improved validation. This issue is fixed in macOS Sequoia 15.6. An app may be able to access sensitive user data. | 2025-07-29 | not yet calculated | CVE-2025-43267 |
| Apple--macOS | An access issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.6, macOS Ventura 13.7.7, macOS Sonoma 14.7.7. An app may gain unauthorized access to Local Network. | 2025-07-29 | not yet calculated | CVE-2025-43270 |
| Apple--macOS | A permissions issue was addressed with additional sandbox restrictions. This issue is fixed in macOS Sequoia 15.6. A sandboxed process may be able to circumvent sandbox restrictions. | 2025-07-29 | not yet calculated | CVE-2025-43273 |
| Apple--macOS | A privacy issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.6. A sandboxed process may be able to circumvent sandbox restrictions. | 2025-07-29 | not yet calculated | CVE-2025-43274 |
| Apple--macOS | A race condition was addressed with additional validation. This issue is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7, macOS Ventura 13.7.7. An app may be able to break out of its sandbox. | 2025-07-29 | not yet calculated | CVE-2025-43275 |
| Apple--macOS | A logic error was addressed with improved error handling. This issue is fixed in macOS Sequoia 15.6. iCloud Private Relay may not activate when more than one user is logged in at the same time. | 2025-07-29 | not yet calculated | CVE-2025-43276 |
| Apple--macOS | The issue was addressed with improved memory handling. This issue is fixed in iOS 18.6 and iPadOS 18.6, watchOS 11.6, macOS Sequoia 15.6, tvOS 18.6, visionOS 2.6. Processing a maliciously crafted audio file may lead to memory corruption. | 2025-07-29 | not yet calculated | CVE-2025-43277 |
| Apple--Safari | A logic issue was addressed with improved checks. This issue is fixed in Safari 18.6, macOS Sequoia 15.6. Processing maliciously crafted web content may lead to an unexpected Safari crash. | 2025-07-29 | not yet calculated | CVE-2025-24188 |
| Apple--Safari | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, tvOS 18.6, watchOS 11.6, visionOS 2.6. Processing maliciously crafted web content may lead to memory corruption. | 2025-07-29 | not yet calculated | CVE-2025-31273 |
| Apple--Safari | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6. Processing maliciously crafted web content may lead to memory corruption. | 2025-07-29 | not yet calculated | CVE-2025-31277 |
| Apple--Safari | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, iPadOS 17.7.9, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6. Processing maliciously crafted web content may lead to memory corruption. | 2025-07-29 | not yet calculated | CVE-2025-31278 |
| Apple--Safari | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, macOS Sequoia 15.6, iPadOS 17.7.9, iOS 18.6 and iPadOS 18.6, tvOS 18.6, watchOS 11.6, visionOS 2.6. Processing web content may lead to a denial-of-service. | 2025-07-29 | not yet calculated | CVE-2025-43211 |
| Apple--Safari | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, tvOS 18.6, watchOS 11.6, visionOS 2.6. Processing maliciously crafted web content may lead to an unexpected Safari crash. | 2025-07-29 | not yet calculated | CVE-2025-43212 |
| Apple--Safari | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, macOS Sequoia 15.6, iOS 18.6 and iPadOS 18.6, tvOS 18.6, watchOS 11.6, visionOS 2.6. Processing maliciously crafted web content may lead to an unexpected Safari crash. | 2025-07-29 | not yet calculated | CVE-2025-43213 |
| Apple--Safari | The issue was addressed with improved memory handling. This issue is fixed in Safari 18.6, watchOS 11.6, iOS 18.6 and iPadOS 18.6, tvOS 18.6, macOS Sequoia 15.6, visionOS 2.6. Processing maliciously crafted web content may lead to an unexpected Safari crash. | 2025-07-29 | not yet calculated | CVE-2025-43214 |
| Apple--Safari | A use-after-free issue was addressed with improved memory management. This issue is fixed in Safari 18.6, watchOS 11.6, iOS 18.6 and iPadOS 18.6, iPadOS 17.7.9, tvOS 18.6, macOS Sequoia 15.6, visionOS 2.6. Processing maliciously crafted web content may lead to an unexpected Safari crash. | 2025-07-29 | not yet calculated | CVE-2025-43216 |
| Apple--Safari | This issue was addressed through improved state management. This issue is fixed in Safari 18.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6, watchOS 11.6, visionOS 2.6. Processing maliciously crafted web content may disclose sensitive user information. | 2025-07-29 | not yet calculated | CVE-2025-43227 |
| Apple--Safari | The issue was addressed with improved UI. This issue is fixed in iOS 18.6 and iPadOS 18.6, Safari 18. 6. Visiting a malicious website may lead to address bar spoofing. | 2025-07-29 | not yet calculated | CVE-2025-43228 |
| Apple--Safari | This issue was addressed through improved state management. This issue is fixed in macOS Sequoia 15.6, Safari 18. 6. Processing maliciously crafted web content may lead to universal cross site scripting. | 2025-07-29 | not yet calculated | CVE-2025-43229 |
| Apple--Safari | A logic issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.6, Safari 18. 6. A download's origin may be incorrectly associated. | 2025-07-29 | not yet calculated | CVE-2025-43240 |
| Apple--Safari | An out-of-bounds read was addressed with improved input validation. This issue is fixed in Safari 18.6, watchOS 11.6, visionOS 2.6, iOS 18.6 and iPadOS 18.6, macOS Sequoia 15.6, tvOS 18.6. Processing maliciously crafted web content may disclose internal states of the app. | 2025-07-29 | not yet calculated | CVE-2025-43265 |
| Archer Technology-- Archer RSA | An issue was discovered in Archer Technology RSA Archer 6.11.00204.10014 allowing attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications. | 2025-07-31 | not yet calculated | CVE-2025-50572 |
| Array Networks--vAPV | Array Networks vAPV (version 8.3.2.17) and vxAG (version 9.2.0.34) appliances are affected by a privilege escalation vulnerability caused by a combination of hardcoded SSH credentials (or SSH private key) and insecure permissions on a startup script. The devices ship with a default SSH login or a hardcoded DSA private key, allowing an attacker to authenticate remotely with limited privileges. Once authenticated, an attacker can overwrite the world-writable /ca/bin/monitor.sh script with arbitrary commands. Since this script is executed with elevated privileges through the backend binary, enabling the debug monitor via backend -c "debug monitor on" triggers execution of the attacker's payload as root. This allows full system compromise. | 2025-07-31 | not yet calculated | CVE-2014-125121 |
| Artica ST--Pandora FMS | An unauthenticated remote command execution vulnerability exists in Pandora FMS versions up to and including 5.0RC1 via the Anyterm web interface, which listens on TCP port 8023. The anyterm-module endpoint accepts unsanitized user input via the p parameter and directly injects it into a shell command, allowing arbitrary command execution as the pandora user. In certain versions (notably 4.1 and 5.0RC1), the pandora user can elevate privileges to root without a password using a chain involving the artica user account. This account is typically installed without a password and is configured to run sudo without authentication. Therefore, full system compromise is possible without any credentials. | 2025-07-31 | not yet calculated | CVE-2014-125124 |
| Astium--VoIP PBX | A vulnerability exists in OAstium VoIP PBX astium-confweb-2.1-25399 and earlier, where improper input validation in the logon.php script allows an attacker to bypass authentication via SQL injection. Once authenticated as an administrator, the attacker can upload arbitrary PHP code through the importcompany field in import.php, resulting in remote code execution. The malicious payload is injected into /usr/local/astium/web/php/config.php and executed with root privileges by triggering a configuration reload via sudo /sbin/service astcfgd reload. Successful exploitation leads to full system compromise. | 2025-07-31 | not yet calculated | CVE-2013-10043 |
| ASUS--AI Suite | A null pointer dereference vulnerability exists in the IOMap64.sys driver of ASUS AI Suite 3. The vulnerability can be triggered by a specially crafted input, which may lead to a system crash (BSOD). Refer to the ' Security Update for for AI Suite 3 ' section on the ASUS Security Advisory for more information. | 2025-08-01 | not yet calculated | CVE-2025-6398 |
| AVer--PTC310UV2 | An issue in Aver PTC310UV2 firmware v.0.1.0000.59 allows a remote attacker to execute arbitrary code via the SendAction function | 2025-07-30 | not yet calculated | CVE-2025-45619 |
| AVer--PTC310UV2 | An issue in Aver PTC310UV2 v.0.1.0000.59 allows a remote attacker to obtain sensitive information via a crafted request | 2025-07-30 | not yet calculated | CVE-2025-45620 |
| AZIOT--2MP Full HD Smart Wi-Fi CCTV Home Security Camera | The firmware of the AZIOT 2MP Full HD Smart Wi-Fi CCTV Home Security Camera (version V1.00.02) contains an Incorrect Access Control vulnerability that allows local attackers to gain root shell access. Once accessed, the device exposes critical data including Wi-Fi credentials and ONVIF service credentials stored in plaintext, enabling further compromise of the network and connected systems. | 2025-07-30 | not yet calculated | CVE-2025-50777 |
| Barracuda--Barracuda Message Archiver | the BMA login interface allows arbitrary JavaScript or HTML to be written straight into the page's Document Object Model via the error= URL parameter | 2025-07-29 | not yet calculated | CVE-2025-8319 |
| Beetel Teletech Ltd.--Connection Manager | A stack-based buffer overflow vulnerability exists in Beetel Connection Manager version PCW_BTLINDV1.0.0B04 when parsing the UserName parameter in the NetConfig.ini configuration file. A crafted .ini file containing an overly long UserName value can overwrite the Structured Exception Handler (SEH), leading to arbitrary code execution when the application processes the file. | 2025-07-31 | not yet calculated | CVE-2013-10036 |
| BeyondTrust--Privilege Management for Windows | Prior to version 25.4.270.0, a local authenticated attacker can manipulate user profile files to add illegitimate challenge response codes into the local user registry under certain conditions. This allows users with the ability to edit their user profile files to elevate their privileges to administrator. | 2025-07-28 | not yet calculated | CVE-2025-2297 |
| BeyondTrust--Privilege Management for Windows | Prior to 25.4.270.0, when wmic.exe is elevated with a full admin token the user can stop the Defendpoint service, bypassing anti-tamper protections. Once the service is disabled, the malicious user can add themselves to Administrators group and run any process with elevated permissions. | 2025-07-28 | not yet calculated | CVE-2025-6250 |
| bugsink--bugsink | Bugsink is a self-hosted error tracking service. In versions 1.4.2 and below, 1.5.0 through 1.5.4, 1.6.0 through 1.6.3, and 1.7.0 through 1.7.3, ingestion paths construct file locations directly from untrusted event_id input without validation. A specially crafted event_id can result in paths outside the intended directory, potentially allowing file overwrite or creation in arbitrary locations. Submitting such input requires access to a valid DSN, potentially exposing them. If Bugsink runs in a container, the effect is confined to the container's filesystem. In non-containerized setups, the overwrite may affect other parts of the system accessible to that user. This is fixed in versions 1.4.3, 1.5.5, 1.6.4 and 1.7.4. | 2025-07-30 | not yet calculated | CVE-2025-54433 |
| bytecodealliance--wasm-micro-runtime | The WebAssembly Micro Runtime's (WAMR) iwasm package is the executable binary built with WAMR VMcore which supports WebAssembly System Interface (WASI) and command line interface. In versions 2.4.0 and below, iwasm uses --addr-pool with an IPv4 address that lacks a subnet mask, allowing the system to accept all IP addresses. This can unintentionally expose the service to all incoming connections and bypass intended access restrictions. Services relying on --addr-pool for restricting access by IP may unintentionally become open to all external connections. This may lead to unauthorized access in production deployments, especially when users assume that specifying an IP without a subnet mask implies a default secure configuration. This is fixed in version 2.4.1. | 2025-07-29 | not yet calculated | CVE-2025-54126 |
| ChargePoint--Home Flex | uploadsm in ChargePoint Home Flex 5.5.4.13 does not validate a user-controlled string for bz2 decompression, which allows command execution as the nobody user. | 2025-08-01 | not yet calculated | CVE-2025-54564 |
| ClipBucket LLC--ClipBucket | ClipBucket version 2.6 and earlier contains a critical vulnerability in the ofc_upload_image.php script located at /admin_area/charts/ofc-library/. This endpoint allows unauthenticated users to upload arbitrary files, including executable PHP scripts. Once uploaded, the attacker can access the file via a predictable path and trigger remote code execution. | 2025-07-31 | not yet calculated | CVE-2013-10040 |
| Couchbase--Couchbase Sync Gateway | An issue was discovered in Couchbase Sync Gateway before 3.2.6. In sgcollect_info_options.log and sync_gateway.log, there are cleartext passwords in redacted and unredacted output. | 2025-07-29 | not yet calculated | CVE-2025-52490 |
| CS-Cart--CS-Cart | Cross Site Request Forgery (CSRF) vulnerability in CS Cart 4.18.3, allows attackers to add products to a user's comparison list via a crafted HTTP request. | 2025-07-31 | not yet calculated | CVE-2025-50847 |
| CS-Cart--CS-Cart | A file upload vulnerability was discovered in CS Cart 4.18.3, allows attackers to execute arbitrary code. CS Cart 4.18.3 allows unrestricted upload of HTML files, which are rendered directly in the browser when accessed. This allows an attacker to upload a crafted HTML file containing malicious content, such as a fake login form for credential harvesting or scripts for Cross-Site Scripting (XSS) attacks. Since the content is served from a trusted domain, it significantly increases the likelihood of successful phishing or script execution against other users. | 2025-07-31 | not yet calculated | CVE-2025-50848 |
| CS-Cart--CS-Cart | CS Cart 4.18.3 is vulnerable to Insecure Direct Object Reference (IDOR). The user profile functionality allows enabling or disabling stickers through a parameter (company_id) sent in the request. However, this operation is not properly validated on the server side. An authenticated user can manipulate the request to target other users' accounts and toggle the sticker setting by modifying the company_id or other object identifiers. | 2025-07-31 | not yet calculated | CVE-2025-50849 |
| CS-Cart--CS-Cart | An issue was discovered in CS Cart 4.18.3 allows the vendor login functionality lacks essential security controls such as CAPTCHA verification and rate limiting. This allows an attacker to systematically attempt various combinations of usernames and passwords (brute-force attack) to gain unauthorized access to vendor accounts. The absence of any blocking mechanism makes the login endpoint susceptible to automated attacks. | 2025-07-31 | not yet calculated | CVE-2025-50850 |
| CSC ServiceWorks--CSC Pay Mobile App | CSC Pay Mobile App 2.19.4 (fixed in version 2.20.0) contains a vulnerability allowing users to bypass payment authorization by disabling Bluetooth at a specific point during a transaction. This could result in unauthorized use of laundry services and potential financial loss. | 2025-08-01 | not yet calculated | CVE-2025-46018 |
| cursor--cursor | Cursor is a code editor built for programming with AI. In versions 1.17 through 1.2, there is a UI information disclosure vulnerability in Cursor's MCP (Model Context Protocol) deeplink handler, allowing attackers to execute 2-click arbitrary system commands through social engineering attacks. When users click malicious `cursor://anysphere.cursor-deeplink/mcp/install` links, the installation dialog does not show the arguments being passed to the command being run. If a user clicks a malicious deeplink, then examines the installation dialog and clicks through, the full command including the arguments will be executed on the machine. This is fixed in version 1.3. | 2025-08-01 | not yet calculated | CVE-2025-54133 |
| D-LINK--DI-8200 | D-LINK DI-8200 16.07.26A1 is vulnerable to Buffer Overflow in the ipsec_road_asp function via the host_ip parameter. | 2025-07-31 | not yet calculated | CVE-2025-51383 |
| D-LINK--DI-8200 | D-LINK DI-8200 16.07.26A1 is vulnerable to Buffer Overflow in the ipsec_net_asp function via the remot_ip parameter. | 2025-07-31 | not yet calculated | CVE-2025-51384 |
| D-LINK--DI-8200 | D-LINK DI-8200 16.07.26A1 is vulnerable to Buffer Overflow in the yyxz_dlink_asp function via the id parameter. | 2025-07-31 | not yet calculated | CVE-2025-51385 |
| D-Link--DIR-300 rev A | An OS command injection vulnerability exists in multiple D-Link routers-confirmed on DIR-300 rev A (v1.05) and DIR-615 rev D (v4.13)-via the authenticated tools_vct.xgi CGI endpoint. The web interface fails to properly sanitize user-supplied input in the pingIp parameter, allowing attackers with valid credentials to inject arbitrary shell commands. Exploitation enables full device compromise, including spawning a telnet daemon and establishing a root shell. The vulnerability is present in firmware versions that expose tools_vct.xgi and use the Mathopd/1.5p6 web server. No vendor patch is available, and affected models are end-of-life. | 2025-08-01 | not yet calculated | CVE-2013-10050 |
| D-Link--DIR-600 | An OS command injection vulnerability exists in various legacy D-Link routers-including DIR-300 rev B and DIR-600 (firmware ≤ 2.13 and ≤ 2.14b01, respectively)-due to improper input handling in the unauthenticated command.php endpoint. By sending specially crafted POST requests, a remote attacker can execute arbitrary shell commands with root privileges, allowing full takeover of the device. This includes launching services such as Telnet, exfiltrating credentials, modifying system configuration, and disrupting availability. The flaw stems from the lack of authentication and inadequate sanitation of the cmd parameter. | 2025-08-01 | not yet calculated | CVE-2013-10048 |
| D-Link--DIR-605L | A stack-based buffer overflow vulnerability exists in D-Link DIR-605L Wireless N300 Cloud Router firmware versions 1.12 and 1.13 via the getAuthCode() function. The flaw arises from unsafe usage of sprintf() when processing user-supplied CAPTCHA data via the FILECODE parameter in /goform/formLogin. A remote unauthenticated attacker can exploit this to execute arbitrary code with root privileges on the device. | 2025-07-31 | not yet calculated | CVE-2012-10021 |
| D-Link--DIR-615H1 | An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands. | 2025-08-01 | not yet calculated | CVE-2013-10059 |
| Debian--devscripts | It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian Package maintainer easier), skips OpenPGP verification if the upstream source is already downloaded from a previous run even if the verification failed back then. | 2025-08-01 | not yet calculated | CVE-2025-8454 |
| DevaslanPHP--project-management | A stored cross-site scripting (XSS) vulnerability exists in DevaslanPHP project-management v1.2.4. The vulnerability resides in the Ticket Name field, which fails to properly sanitize user-supplied input. An authenticated attacker can inject malicious JavaScript payloads into this field, which are subsequently stored in the database. When a legitimate user logs in and is redirected to the Dashboard panel "automatically upon authentication the malicious script executes in the user's browser context. | 2025-07-31 | not yet calculated | CVE-2025-52203 |
| Devolutions--Server | Deadlock in PAM automatic check-in feature in Devolutions Server allows a password to remain valid beyond the end of its intended check-out period due to a deadlock occurring in the scheduling service.This issue affects the following version(s) : * Devolutions Server 2025.2.5.0 and earlier | 2025-07-30 | not yet calculated | CVE-2025-8312 |
| Devolutions--Server | UI synchronization issue in the Just-in-Time (JIT) access request approval interface in Devolutions Server 2025.2.4.0 and earlier allows a remote authenticated attacker to gain unauthorized access to deleted JIT Groups via stale UI state during standard checkout request processing. | 2025-07-30 | not yet calculated | CVE-2025-8353 |
| discourse--discourse | Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user's session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8. | 2025-07-29 | not yet calculated | CVE-2025-53102 |
| emlog--Pro | Emlog Pro V2.5.7 is vulnerable to Unrestricted Upload of File with Dangerous Type via /emlog/admin/plugin.php?action=upload_zip | 2025-08-01 | not yet calculated | CVE-2025-44139 |
| Eppler Software--WebTester | An OS command injection vulnerability exists in WebTester version 5.x via the install2.php installation script. The parameters cpusername, cppassword, and cpdomain are passed directly to shell commands without sanitization. A remote unauthenticated attacker can exploit this flaw by sending a crafted HTTP POST request, resulting in arbitrary command execution on the underlying system with web server privileges. | 2025-07-31 | not yet calculated | CVE-2013-10037 |
| ExaGrid--EX10 Backup Appliance | ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control. Since version 6.3, ExaGrid enforces restrictions preventing users with the Admin role from creating or modifying users with the Security Officer role without approval. However, a flaw in the account creation process allows an attacker to bypass these restrictions via API request manipulation. An attacker with an Admin access can intercept and modify the API request during user creation, altering the parameters to assign the new account to the ExaGrid Security Officers group without the required approval. | 2025-07-31 | not yet calculated | CVE-2025-29556 |
| ExaGrid--EX10 Backup Appliance | ExaGrid EX10 6.3 - 7.0.1.P08 is vulnerable to Incorrect Access Control in the MailConfiguration API endpoint, where users with operator-level privileges can issue an HTTP request to retrieve SMTP credentials, including plaintext passwords. | 2025-07-31 | not yet calculated | CVE-2025-29557 |
| finos--git-proxy | GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). Versions 1.19.1 and below allow users to push to remote repositories while bypassing policies and explicit approvals. Since checks and plugins are skipped, code containing secrets or unwanted changes could be pushed into a repository. This is fixed in version 1.19.2. | 2025-07-30 | not yet calculated | CVE-2025-54583 |
| finos--git-proxy | GitProxy is an application that stands between developers and a Git remote endpoint (e.g., github.com). In versions 1.19.1 and below, an attacker can craft a malicious Git packfile to exploit the PACK signature detection in the parsePush.ts file. By embedding a misleading PACK signature within commit content and carefully constructing the packet structure, the attacker can trick the parser into treating invalid or unintended data as the packfile. Potentially, this would allow bypassing approval or hiding commits. This issue is fixed in version 1.19.2. | 2025-07-30 | not yet calculated | CVE-2025-54584 |
| finos--git-proxy | GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can exploit the way GitProxy handles new branch creation to bypass the approval of prior commits on the parent branch. The vulnerability impacts all users or organizations relying on GitProxy to enforce policy and prevent unapproved changes. It requires no elevated privileges beyond regular push access, and no extra user interaction. It does however, require a GitProxy administrator or designated user (canUserApproveRejectPush) to approve pushes to the child branch. This is fixed in version 1.19.2. | 2025-07-30 | not yet calculated | CVE-2025-54585 |
| firecoders.com--CommentBox component for Joomla | A stored XSS vulnerability in CommentBox component 1.0.0-1.1.0 for Joomla was discovered. | 2025-07-28 | not yet calculated | CVE-2025-54298 |
| freeFTPd--freeFTPd | A stack-based buffer overflow vulnerability exists in freeFTPd version 1.0.10 and earlier in the handling of the FTP PASS command. When an attacker sends a specially crafted password string, the application fails to validate input length, resulting in memory corruption. This can lead to denial of service or arbitrary code execution. Exploitation requires the anonymous user account to be enabled. | 2025-07-31 | not yet calculated | CVE-2013-10042 |
| GestioIP--IPAM | A command injection vulnerability exists in GestioIP 3.0 commit ac67be and earlier in ip_checkhost.cgi. Crafted input to the 'ip' parameter allows attackers to execute arbitrary shell commands on the server via embedded base64-encoded payloads. Authentication may be required depending on deployment configuration. | 2025-07-31 | not yet calculated | CVE-2013-10039 |
| GetProjectsIdea--Create School Management System | GetProjectsIdea Create School Management System 1.0 is vulnerable to Cross Site Scripting (XSS) in my_profile_update_form1.php. | 2025-07-30 | not yet calculated | CVE-2025-52187 |
| Go toolchain--cmd/go | The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS (e.g. Git), but contains metadata for another VCS (e.g. Mercurial). Modules which are retrieved using the go command line, i.e. via "go get", are not affected. | 2025-07-29 | not yet calculated | CVE-2025-4674 |
| Google--Chrome | Use after free in Media Stream in Google Chrome prior to 138.0.7204.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-07-30 | not yet calculated | CVE-2025-8292 |
| Grandstream--GXP1628 | Grandstream Networks GXP1628 <=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and files. | 2025-07-29 | not yet calculated | CVE-2025-28170 |
| Grandstream--UCM6510 | An issue in Grandstream UCM6510 v.1.0.20.52 and before allows a remote attacker to obtain sensitive information via the Login function at /cgi and /webrtccgi. | 2025-07-29 | not yet calculated | CVE-2025-28171 |
| Grandstream--UCM6510 | Grandstream Networks UCM6510 v1.0.20.52 and before is vulnerable to Improper Restriction of Excessive Authentication Attempts. An attacker can perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the targeted account using a brute force attack. | 2025-07-29 | not yet calculated | CVE-2025-28172 |
| Havalite CMS--Havalite CMS | An unauthenticated arbitrary file upload vulnerability exists in Havalite CMS version 1.1.7 (and possibly earlier) in the upload.php script. The application fails to enforce proper file extension validation and authentication checks, allowing remote attackers to upload malicious PHP files via a crafted multipart/form-data POST request. Once uploaded, the attacker can access the file directly under havalite/tmp/files/, resulting in remote code execution. | 2025-08-01 | not yet calculated | CVE-2013-10055 |
| HP, Inc.--Certain HP LaserJet Pro Printers | Certain HP LaserJet Pro printers may be vulnerable to information disclosure when a non-authenticated user queries a device's local address book. | 2025-07-30 | not yet calculated | CVE-2025-43018 |
| HP, Inc.--HP Linux Imaging and Printing Software | A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software documentation. This potential vulnerability is due to the use of a weak code signing key, Digital Signature Algorithm (DSA). | 2025-07-28 | not yet calculated | CVE-2025-43023 |
| Human Resource Management System--Human Resource Management System | SQL injection vulnerability in Human Resource Management System version 1.0, which allows an attacker to retrieve, create, update and delete databases via the "city" and "state" parameters in the /controller/ccity.php endpoint. | 2025-07-29 | not yet calculated | CVE-2025-40682 |
| Human Resource Management System--Human Resource Management System | Reflected Cross-Site Scripting (XSS) in Human Resource Management System version 1.0. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the 'searccity' parameter in /city.php. | 2025-07-29 | not yet calculated | CVE-2025-40683 |
| Human Resource Management System--Human Resource Management System | Reflected Cross-Site Scripting (XSS) in Human Resource Management System version 1.0. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the 'searccountry' parameter in/country.php. | 2025-07-29 | not yet calculated | CVE-2025-40684 |
| Human Resource Management System--Human Resource Management System | Reflected Cross-Site Scripting (XSS) in Human Resource Management System version 1.0. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the 'searcstate' parameter in/state.php. | 2025-07-29 | not yet calculated | CVE-2025-40685 |
| Human Resource Management System--Human Resource Management System | Reflected Cross-Site Scripting (XSS) in Human Resource Management System version 1.0. This vulnerability could allow an attacker to execute JavaScript code in the victim's browser by sending a malicious URL through the 'employeeid' parameter in/detailview.php. | 2025-07-29 | not yet calculated | CVE-2025-40686 |
| humhub--cfiles | Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user's session. This is fixed in version 0.16.10. | 2025-08-01 | not yet calculated | CVE-2025-54789 |
| humhub--cfiles | Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10. | 2025-08-01 | not yet calculated | CVE-2025-54790 |
| InstantCMS--InstantCMS | A remote PHP code execution vulnerability exists in InstantCMS version 1.6 and earlier due to unsafe use of eval() within the search view handler. Specifically, user-supplied input passed via the look parameter is concatenated into a PHP expression and executed without proper sanitation. A remote attacker can exploit this flaw by sending a crafted HTTP GET request with a base64-encoded payload in the Cmd header, resulting in arbitrary PHP code execution within the context of the web server. | 2025-08-01 | not yet calculated | CVE-2013-10051 |
| Institute of Current Students--Institute-of-Current-Students-PHP-Project | A stored Cross-Site Scripting (XSS) vulnerability exists in the qureydetails.php page of Institute-of-Current-Students 1.0, where the input fields for Query and Answer do not properly sanitize user input. Authenticated users can inject arbitrary JavaScript code. | 2025-08-01 | not yet calculated | CVE-2025-50869 |
| Institute of Current Students--Institute-of-Current-Students-PHP-Project | Institute-of-Current-Students 1.0 is vulnerable to Incorrect Access Control in the mydetailsstudent.php endpoint. The myds GET parameter accepts an email address as input and directly returns the corresponding student's personal information without validating the identity or permissions of the requesting user. This allows any authenticated or unauthenticated attacker to enumerate and retrieve sensitive student details by altering the email value in the request URL, leading to information disclosure. | 2025-08-01 | not yet calculated | CVE-2025-50870 |
| Intelbras--RX1500 and RX3000 | An access control issue in Intelbras RX1500 v2.2.9 and RX3000 v1.0.11 allows unauthenticated attackers to access the router's settings file and obtain potentially sensitive information from the current settings. | 2025-07-31 | not yet calculated | CVE-2025-26062 |
| Intelbras--RX1500 and RX3000 | An issue in Intelbras RX1500 v2.2.9 and RX3000 v1.0.11 allows unauthenticated attackers to execute arbitrary code via injecting a crafted payload into the ESSID name when creating a network. | 2025-07-31 | not yet calculated | CVE-2025-26063 |
| Intelbras--RX1500 and RX3000 | A cross-site scripting (XSS) vulnerability in Intelbras RX1500 v2.2.9 and RX3000 v1.0.11 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the name of a connnected device. | 2025-07-31 | not yet calculated | CVE-2025-26064 |
| IROAD--IROAD DASHCAM FX2 | An issue was discovered on IROAD Dashcam FX2 devices. Bypass of Device Pairing/Registration can occur. It requires device registration via the "IROAD X View" app for authentication, but its HTTP server lacks this restriction. Once connected to the dashcam's Wi-Fi network via the default password ("qwertyuiop"), an attacker can directly access the HTTP server at http://192.168.10.1 without undergoing the pairing process. Additionally, no alert is triggered on the device when an attacker connects, making this intrusion completely silent. | 2025-07-28 | not yet calculated | CVE-2025-30133 |
| Johnson Controls, Inc--iSTAR Ultra | OS Command Injection in iSTAR Ultra products web application allows an authenticated attacker to gain even more privileged access ('root' user) to the device firmware. | 2025-07-28 | not yet calculated | CVE-2025-53695 |
| Johnson Controls, Inc--iSTAR Ultra | iSTAR Ultra performs a firmware verification on boot, however the verification does not inspect certain portions of the firmware. These firmware parts may contain malicious code. Tested up to firmware 6.9.2, later firmwares are also possibly affected. | 2025-07-28 | not yet calculated | CVE-2025-53696 |
| Kaseya--KServer | An unrestricted file upload vulnerability exists in Kaseya KServer versions prior to 6.3.0.2. The uploadImage.asp endpoint allows unauthenticated users to upload files to arbitrary paths via a crafted filename parameter in a multipart/form-data POST request. Due to the lack of authentication and input sanitation, an attacker can upload a file with an .asp extension to a web-accessible directory, which can then be invoked to execute arbitrary code with the privileges of the IUSR account. The vulnerability enables remote code execution without prior authentication and was resolved in version 6.3.0.2 by removing the vulnerable uploadImage.asp endpoint. | 2025-07-31 | not yet calculated | CVE-2013-10034 |
| Kimai Project--Kimai | An unauthenticated SQL injection vulnerability exists in Kimai version 0.9.2.x via the db_restore.php endpoint. The flaw allows attackers to inject arbitrary SQL queries into the dates[] POST parameter, enabling file write via INTO OUTFILE under specific environmental conditions. This can lead to remote code execution by writing a PHP payload to the web-accessible temporary directory. The vulnerability has been confirmed in versions including 0.9.2.beta, 0.9.2.1294.beta, and 0.9.2.1306-3. | 2025-07-31 | not yet calculated | CVE-2013-10033 |
| LangChain-ChatGLM-Webui--LangChain-ChatGLM-Webui | Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive files via supplying a crafted request. | 2025-08-01 | not yet calculated | CVE-2025-45150 |
| LB-Link--BL-CPE300M AX300 4G LTE Router | A cross-site scripting (XSS) vulnerability exists in the LB-Link BL-CPE300M 01.01.02P42U14_06 router's web interface. The /goform/goform_get_cmd_process endpoint fails to sanitize user input in the cmd parameter before reflecting it into a text/html response. This allows unauthenticated attackers to inject arbitrary JavaScript, which is executed in the context of the router's origin when the crafted URL is accessed. The issue requires user interaction to exploit. | 2025-07-31 | not yet calculated | CVE-2025-51569 |
| Linksys--E1500 | A directory traversal vulnerability exists in Linksys router's web interface (tested on the E1500 model firmware versions 1.0.00, 1.0.04, and 1.0.05), specifically in the /apply.cgi endpoint. Authenticated attackers can exploit the next_page POST parameter to access arbitrary files outside the intended web root by injecting traversal sequences. This allows exposure of sensitive system files and configuration data. | 2025-08-01 | not yet calculated | CVE-2013-10062 |
| Linksys--WRT120N | A stack-based buffer overflow vulnerability exists in the tmUnblock.cgi endpoint of the Linksys WRT120N wireless router. The vulnerability is triggered by sending a specially crafted HTTP POST request with an overly long TM_Block_URL parameter to the endpoint. By exploiting this flaw, an unauthenticated remote attacker can overwrite memory in a controlled manner, enabling them to temporarily reset the administrator password of the device to a blank value. This grants unauthorized access to the router's web management interface without requiring valid credentials. | 2025-07-31 | not yet calculated | CVE-2014-125122 |
| Linksys--WRT160nv2 | An authenticated OS command injection vulnerability exists in various Linksys router models (tested on WRT160Nv2) running firmware version v2.0.03 via the apply.cgi endpoint. The web interface fails to properly sanitize user-supplied input passed to the ping_size parameter during diagnostic operations. An attacker with valid credentials can inject arbitrary shell commands, enabling remote code execution. | 2025-08-01 | not yet calculated | CVE-2013-10058 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree htb_lookup_leaf has a BUG_ON that can trigger with the following: tc qdisc del dev lo root tc qdisc add dev lo root handle 1: htb default 1 tc class add dev lo parent 1: classid 1:1 htb rate 64bit tc qdisc add dev lo parent 1:1 handle 2: netem tc qdisc add dev lo parent 2:1 handle 3: blackhole ping -I lo -c1 -W0.001 127.0.0.1 The root cause is the following: 1. htb_dequeue calls htb_dequeue_tree which calls the dequeue handler on the selected leaf qdisc 2. netem_dequeue calls enqueue on the child qdisc 3. blackhole_enqueue drops the packet and returns a value that is not just NET_XMIT_SUCCESS 4. Because of this, netem_dequeue calls qdisc_tree_reduce_backlog, and since qlen is now 0, it calls htb_qlen_notify -> htb_deactivate -> htb_deactiviate_prios -> htb_remove_class_from_row -> htb_safe_rb_erase 5. As this is the only class in the selected hprio rbtree, __rb_change_child in __rb_erase_augmented sets the rb_root pointer to NULL 6. Because blackhole_dequeue returns NULL, netem_dequeue returns NULL, which causes htb_dequeue_tree to call htb_lookup_leaf with the same hprio rbtree, and fail the BUG_ON The function graph for this scenario is shown here: 0) | htb_enqueue() { 0) + 13.635 us | netem_enqueue(); 0) 4.719 us | htb_activate_prios(); 0) # 2249.199 us | } 0) | htb_dequeue() { 0) 2.355 us | htb_lookup_leaf(); 0) | netem_dequeue() { 0) + 11.061 us | blackhole_enqueue(); 0) | qdisc_tree_reduce_backlog() { 0) | qdisc_lookup_rcu() { 0) 1.873 us | qdisc_match_from_root(); 0) 6.292 us | } 0) 1.894 us | htb_search(); 0) | htb_qlen_notify() { 0) 2.655 us | htb_deactivate_prios(); 0) 6.933 us | } 0) + 25.227 us | } 0) 1.983 us | blackhole_dequeue(); 0) + 86.553 us | } 0) # 2932.761 us | qdisc_warn_nonwc(); 0) | htb_lookup_leaf() { 0) | BUG_ON(); ------------------------------------------ The full original bug report can be seen here [1]. We can fix this just by returning NULL instead of the BUG_ON, as htb_dequeue_tree returns NULL when htb_lookup_leaf returns NULL. [1] https://lore.kernel.org/netdev/pF5XOOIim0IuEfhI-SOxTgRvNoDwuux7UHKnE_Y5-zVd4wmGvNk2ceHjKb8ORnzw0cGwfmVu42g9dL7XyJLf1NEzaztboTWcm0Ogxuojoeo=@willsroot.io/ | 2025-07-28 | not yet calculated | CVE-2025-38468 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls kvm_xen_schedop_poll does a kmalloc_array() when a VM polls the host for more than one event channel potr (nr_ports > 1). After the kmalloc_array(), the error paths need to go through the "out" label, but the call to kvm_read_guest_virt() does not. [Adjusted commit message. - Paolo] | 2025-07-28 | not yet calculated | CVE-2025-38469 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Assuming the "rx-vlan-filter" feature is enabled on a net device, the 8021q module will automatically add or remove VLAN 0 when the net device is put administratively up or down, respectively. There are a couple of problems with the above scheme. The first problem is a memory leak that can happen if the "rx-vlan-filter" feature is disabled while the device is running: # ip link add bond1 up type bond mode 0 # ethtool -K bond1 rx-vlan-filter off # ip link del dev bond1 When the device is put administratively down the "rx-vlan-filter" feature is disabled, so the 8021q module will not remove VLAN 0 and the memory will be leaked [1]. Another problem that can happen is that the kernel can automatically delete VLAN 0 when the device is put administratively down despite not adding it when the device was put administratively up since during that time the "rx-vlan-filter" feature was disabled. null-ptr-unref or bug_on[2] will be triggered by unregister_vlan_dev() for refcount imbalance if toggling filtering during runtime: $ ip link add bond0 type bond mode 0 $ ip link add link bond0 name vlan0 type vlan id 0 protocol 802.1q $ ethtool -K bond0 rx-vlan-filter off $ ifconfig bond0 up $ ethtool -K bond0 rx-vlan-filter on $ ifconfig bond0 down $ ip link del vlan0 Root cause is as below: step1: add vlan0 for real_dev, such as bond, team. register_vlan_dev vlan_vid_add(real_dev,htons(ETH_P_8021Q),0) //refcnt=1 step2: disable vlan filter feature and enable real_dev step3: change filter from 0 to 1 vlan_device_event vlan_filter_push_vids ndo_vlan_rx_add_vid //No refcnt added to real_dev vlan0 step4: real_dev down vlan_device_event vlan_vid_del(dev, htons(ETH_P_8021Q), 0); //refcnt=0 vlan_info_rcu_free //free vlan0 step5: delete vlan0 unregister_vlan_dev BUG_ON(!vlan_info); //vlan_info is null Fix both problems by noting in the VLAN info whether VLAN 0 was automatically added upon NETDEV_UP and based on that decide whether it should be deleted upon NETDEV_DOWN, regardless of the state of the "rx-vlan-filter" feature. [1] unreferenced object 0xffff8880068e3100 (size 256): comm "ip", pid 384, jiffies 4296130254 hex dump (first 32 bytes): 00 20 30 0d 80 88 ff ff 00 00 00 00 00 00 00 00 . 0............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 81ce31fa): __kmalloc_cache_noprof+0x2b5/0x340 vlan_vid_add+0x434/0x940 vlan_device_event.cold+0x75/0xa8 notifier_call_chain+0xca/0x150 __dev_notify_flags+0xe3/0x250 rtnl_configure_link+0x193/0x260 rtnl_newlink_create+0x383/0x8e0 __rtnl_newlink+0x22c/0xa40 rtnl_newlink+0x627/0xb00 rtnetlink_rcv_msg+0x6fb/0xb70 netlink_rcv_skb+0x11f/0x350 netlink_unicast+0x426/0x710 netlink_sendmsg+0x75a/0xc20 __sock_sendmsg+0xc1/0x150 ____sys_sendmsg+0x5aa/0x7b0 ___sys_sendmsg+0xfc/0x180 [2] kernel BUG at net/8021q/vlan.c:99! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 0 UID: 0 PID: 382 Comm: ip Not tainted 6.16.0-rc3 #61 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:unregister_vlan_dev (net/8021q/vlan.c:99 (discriminator 1)) RSP: 0018:ffff88810badf310 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88810da84000 RCX: ffffffffb47ceb9a RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88810e8b43c8 RBP: 0000000000000000 R08: 0000000000000000 R09: fffffbfff6cefe80 R10: ffffffffb677f407 R11: ffff88810badf3c0 R12: ffff88810e8b4000 R13: 0000000000000000 R14: ffff88810642a5c0 R15: 000000000000017e FS: 00007f1ff68c20c0(0000) GS:ffff888163a24000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1ff5dad240 CR3: 0000000107e56000 CR4: 00000000000006f0 Call Trace: <TASK ---truncated--- | 2025-07-28 | not yet calculated | CVE-2025-38470 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tls: always refresh the queue when reading sock After recent changes in net-next TCP compacts skbs much more aggressively. This unearthed a bug in TLS where we may try to operate on an old skb when checking if all skbs in the queue have matching decrypt state and geometry. BUG: KASAN: slab-use-after-free in tls_strp_check_rcv+0x898/0x9a0 [tls] (net/tls/tls_strp.c:436 net/tls/tls_strp.c:530 net/tls/tls_strp.c:544) Read of size 4 at addr ffff888013085750 by task tls/13529 CPU: 2 UID: 0 PID: 13529 Comm: tls Not tainted 6.16.0-rc5-virtme Call Trace: kasan_report+0xca/0x100 tls_strp_check_rcv+0x898/0x9a0 [tls] tls_rx_rec_wait+0x2c9/0x8d0 [tls] tls_sw_recvmsg+0x40f/0x1aa0 [tls] inet_recvmsg+0x1c3/0x1f0 Always reload the queue, fast path is to have the record in the queue when we wake, anyway (IOW the path going down "if !strp->stm.full_len"). | 2025-07-28 | not yet calculated | CVE-2025-38471 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conntrack: fix crash due to removal of uninitialised entry A crash in conntrack was reported while trying to unlink the conntrack entry from the hash bucket list: [exception RIP: __nf_ct_delete_from_lists+172] [..] #7 [ff539b5a2b043aa0] nf_ct_delete at ffffffffc124d421 [nf_conntrack] #8 [ff539b5a2b043ad0] nf_ct_gc_expired at ffffffffc124d999 [nf_conntrack] #9 [ff539b5a2b043ae0] __nf_conntrack_find_get at ffffffffc124efbc [nf_conntrack] [..] The nf_conn struct is marked as allocated from slab but appears to be in a partially initialised state: ct hlist pointer is garbage; looks like the ct hash value (hence crash). ct->status is equal to IPS_CONFIRMED|IPS_DYING, which is expected ct->timeout is 30000 (=30s), which is unexpected. Everything else looks like normal udp conntrack entry. If we ignore ct->status and pretend its 0, the entry matches those that are newly allocated but not yet inserted into the hash: - ct hlist pointers are overloaded and store/cache the raw tuple hash - ct->timeout matches the relative time expected for a new udp flow rather than the absolute 'jiffies' value. If it were not for the presence of IPS_CONFIRMED, __nf_conntrack_find_get() would have skipped the entry. Theory is that we did hit following race: cpu x cpu y cpu z found entry E found entry E E is expired <preemption> nf_ct_delete() return E to rcu slab init_conntrack E is re-inited, ct->status set to 0 reply tuplehash hnnode.pprev stores hash value. cpu y found E right before it was deleted on cpu x. E is now re-inited on cpu z. cpu y was preempted before checking for expiry and/or confirm bit. ->refcnt set to 1 E now owned by skb ->timeout set to 30000 If cpu y were to resume now, it would observe E as expired but would skip E due to missing CONFIRMED bit. nf_conntrack_confirm gets called sets: ct->status |= CONFIRMED This is wrong: E is not yet added to hashtable. cpu y resumes, it observes E as expired but CONFIRMED: <resumes> nf_ct_expired() -> yes (ct->timeout is 30s) confirmed bit set. cpu y will try to delete E from the hashtable: nf_ct_delete() -> set DYING bit __nf_ct_delete_from_lists Even this scenario doesn't guarantee a crash: cpu z still holds the table bucket lock(s) so y blocks: wait for spinlock held by z CONFIRMED is set but there is no guarantee ct will be added to hash: "chaintoolong" or "clash resolution" logic both skip the insert step. reply hnnode.pprev still stores the hash value. unlocks spinlock return NF_DROP <unblocks, then crashes on hlist_nulls_del_rcu pprev> In case CPU z does insert the entry into the hashtable, cpu y will unlink E again right away but no crash occurs. Without 'cpu y' race, 'garbage' hlist is of no consequence: ct refcnt remains at 1, eventually skb will be free'd and E gets destroyed via: nf_conntrack_put -> nf_conntrack_destroy -> nf_ct_destroy. To resolve this, move the IPS_CONFIRMED assignment after the table insertion but before the unlock. Pablo points out that the confirm-bit-store could be reordered to happen before hlist add resp. the timeout fixup, so switch to set_bit and before_atomic memory barrier to prevent this. It doesn't matter if other CPUs can observe a newly inserted entry right before the CONFIRMED bit was set: Such event cannot be distinguished from above "E is the old incarnation" case: the entry will be skipped. Also change nf_ct_should_gc() to first check the confirmed bit. The gc sequence is: 1. Check if entry has expired, if not skip to next entry 2. Obtain a reference to the expired entry. 3. Call nf_ct_should_gc() to double-check step 1. nf_ct_should_gc() is thus called only for entries that already failed an expiry check. After this patch, once the confirmed bit check pas ---truncated--- | 2025-07-28 | not yet calculated | CVE-2025-38472 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() syzbot reported null-ptr-deref in l2cap_sock_resume_cb(). [0] l2cap_sock_resume_cb() has a similar problem that was fixed by commit 1bff51ea59a9 ("Bluetooth: fix use-after-free error in lock_sock_nested()"). Since both l2cap_sock_kill() and l2cap_sock_resume_cb() are executed under l2cap_sock_resume_cb(), we can avoid the issue simply by checking if chan->data is NULL. Let's not access to the killed socket in l2cap_sock_resume_cb(). [0]: BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:82 [inline] BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] BUG: KASAN: null-ptr-deref in l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 Write of size 8 at addr 0000000000000570 by task kworker/u9:0/52 CPU: 1 UID: 0 PID: 52 Comm: kworker/u9:0 Not tainted 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: hci0 hci_rx_work Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:501 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_report+0x58/0x84 mm/kasan/report.c:524 kasan_report+0xb0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x264/0x2a4 mm/kasan/generic.c:189 __kasan_check_write+0x20/0x30 mm/kasan/shadow.c:37 instrument_atomic_write include/linux/instrumented.h:82 [inline] clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline] l2cap_sock_resume_cb+0xb4/0x17c net/bluetooth/l2cap_sock.c:1711 l2cap_security_cfm+0x524/0xea0 net/bluetooth/l2cap_core.c:7357 hci_auth_cfm include/net/bluetooth/hci_core.h:2092 [inline] hci_auth_complete_evt+0x2e8/0xa4c net/bluetooth/hci_event.c:3514 hci_event_func net/bluetooth/hci_event.c:7511 [inline] hci_event_packet+0x650/0xe9c net/bluetooth/hci_event.c:7565 hci_rx_work+0x320/0xb18 net/bluetooth/hci_core.c:4070 process_one_work+0x7e8/0x155c kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3321 [inline] worker_thread+0x958/0xed8 kernel/workqueue.c:3402 kthread+0x5fc/0x75c kernel/kthread.c:464 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:847 | 2025-07-28 | not yet calculated | CVE-2025-38473 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: net: sierra: check for no status endpoint The driver checks for having three endpoints and having bulk in and out endpoints, but not that the third endpoint is interrupt input. Rectify the omission. | 2025-07-28 | not yet calculated | CVE-2025-38474 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smc: Fix various oops due to inet_sock type confusion. syzbot reported weird splats [0][1] in cipso_v4_sock_setattr() while freeing inet_sk(sk)->inet_opt. The address was freed multiple times even though it was read-only memory. cipso_v4_sock_setattr() did nothing wrong, and the root cause was type confusion. The cited commit made it possible to create smc_sock as an INET socket. The issue is that struct smc_sock does not have struct inet_sock as the first member but hijacks AF_INET and AF_INET6 sk_family, which confuses various places. In this case, inet_sock.inet_opt was actually smc_sock.clcsk_data_ready(), which is an address of a function in the text segment. $ pahole -C inet_sock vmlinux struct inet_sock { ... struct ip_options_rcu * inet_opt; /* 784 8 */ $ pahole -C smc_sock vmlinux struct smc_sock { ... void (*clcsk_data_ready)(struct sock *); /* 784 8 */ The same issue for another field was reported before. [2][3] At that time, an ugly hack was suggested [4], but it makes both INET and SMC code error-prone and hard to change. Also, yet another variant was fixed by a hacky commit 98d4435efcbf3 ("net/smc: prevent NULL pointer dereference in txopt_get"). Instead of papering over the root cause by such hacks, we should not allow non-INET socket to reuse the INET infra. Let's add inet_sock as the first member of smc_sock. [0]: kvfree_call_rcu(): Double-freed call. rcu_head 000000006921da73 WARNING: CPU: 0 PID: 6718 at mm/slab_common.c:1956 kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 Modules linked in: CPU: 0 UID: 0 PID: 6718 Comm: syz.0.17 Tainted: G W 6.16.0-rc4-syzkaller-g7482bb149b9f #0 PREEMPT Tainted: [W]=WARN Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 lr : kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 sp : ffff8000a03a7730 x29: ffff8000a03a7730 x28: 00000000fffffff5 x27: 1fffe000184823d3 x26: dfff800000000000 x25: ffff0000c2411e9e x24: ffff0000dd88da00 x23: ffff8000891ac9a0 x22: 00000000ffffffea x21: ffff8000891ac9a0 x20: ffff8000891ac9a0 x19: ffff80008afc2480 x18: 00000000ffffffff x17: 0000000000000000 x16: ffff80008ae642c8 x15: ffff700011ede14c x14: 1ffff00011ede14c x13: 0000000000000004 x12: ffffffffffffffff x11: ffff700011ede14c x10: 0000000000ff0100 x9 : 5fa3c1ffaf0ff000 x8 : 5fa3c1ffaf0ff000 x7 : 0000000000000001 x6 : 0000000000000001 x5 : ffff8000a03a7078 x4 : ffff80008f766c20 x3 : ffff80008054d360 x2 : 0000000000000000 x1 : 0000000000000201 x0 : 0000000000000000 Call trace: kvfree_call_rcu+0x94/0x3f0 mm/slab_common.c:1955 (P) cipso_v4_sock_setattr+0x2f0/0x3f4 net/ipv4/cipso_ipv4.c:1914 netlbl_sock_setattr+0x240/0x334 net/netlabel/netlabel_kapi.c:1000 smack_netlbl_add+0xa8/0x158 security/smack/smack_lsm.c:2581 smack_inode_setsecurity+0x378/0x430 security/smack/smack_lsm.c:2912 security_inode_setsecurity+0x118/0x3c0 security/security.c:2706 __vfs_setxattr_noperm+0x174/0x5c4 fs/xattr.c:251 __vfs_setxattr_locked+0x1ec/0x218 fs/xattr.c:295 vfs_setxattr+0x158/0x2ac fs/xattr.c:321 do_setxattr fs/xattr.c:636 [inline] file_setxattr+0x1b8/0x294 fs/xattr.c:646 path_setxattrat+0x2ac/0x320 fs/xattr.c:711 __do_sys_fsetxattr fs/xattr.c:761 [inline] __se_sys_fsetxattr fs/xattr.c:758 [inline] __arm64_sys_fsetxattr+0xc0/0xdc fs/xattr.c:758 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x180 arch/arm64/kernel/entry-common.c:879 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:898 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 [ ---truncated--- | 2025-07-28 | not yet calculated | CVE-2025-38475 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rpl: Fix use-after-free in rpl_do_srh_inline(). Running lwt_dst_cache_ref_loop.sh in selftest with KASAN triggers the splat below [0]. rpl_do_srh_inline() fetches ipv6_hdr(skb) and accesses it after skb_cow_head(), which is illegal as the header could be freed then. Let's fix it by making oldhdr to a local struct instead of a pointer. [0]: [root@fedora net]# ./lwt_dst_cache_ref_loop.sh ... TEST: rpl (input) [ 57.631529] ================================================================== BUG: KASAN: slab-use-after-free in rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) Read of size 40 at addr ffff888122bf96d8 by task ping6/1543 CPU: 50 UID: 0 PID: 1543 Comm: ping6 Not tainted 6.16.0-rc5-01302-gfadd1e6231b1 #23 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <IRQ> dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) kasan_report (mm/kasan/report.c:221 mm/kasan/report.c:636) kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1)) __asan_memmove (mm/kasan/shadow.c:94 (discriminator 2)) rpl_do_srh_inline.isra.0 (net/ipv6/rpl_iptunnel.c:174) rpl_input (net/ipv6/rpl_iptunnel.c:201 net/ipv6/rpl_iptunnel.c:282) lwtunnel_input (net/core/lwtunnel.c:459) ipv6_rcv (./include/net/dst.h:471 (discriminator 1) ./include/net/dst.h:469 (discriminator 1) net/ipv6/ip6_input.c:79 (discriminator 1) ./include/linux/netfilter.h:317 (discriminator 1) ./include/linux/netfilter.h:311 (discriminator 1) net/ipv6/ip6_input.c:311 (discriminator 1)) __netif_receive_skb_one_core (net/core/dev.c:5967) process_backlog (./include/linux/rcupdate.h:869 net/core/dev.c:6440) __napi_poll.constprop.0 (net/core/dev.c:7452) net_rx_action (net/core/dev.c:7518 net/core/dev.c:7643) handle_softirqs (kernel/softirq.c:579) do_softirq (kernel/softirq.c:480 (discriminator 20)) </IRQ> <TASK> __local_bh_enable_ip (kernel/softirq.c:407) __dev_queue_xmit (net/core/dev.c:4740) ip6_finish_output2 (./include/linux/netdevice.h:3358 ./include/net/neighbour.h:526 ./include/net/neighbour.h:540 net/ipv6/ip6_output.c:141) ip6_finish_output (net/ipv6/ip6_output.c:215 net/ipv6/ip6_output.c:226) ip6_output (./include/linux/netfilter.h:306 net/ipv6/ip6_output.c:248) ip6_send_skb (net/ipv6/ip6_output.c:1983) rawv6_sendmsg (net/ipv6/raw.c:588 net/ipv6/raw.c:918) __sys_sendto (net/socket.c:714 (discriminator 1) net/socket.c:729 (discriminator 1) net/socket.c:2228 (discriminator 1)) __x64_sys_sendto (net/socket.c:2231) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f68cffb2a06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007ffefb7c53d0 EFLAGS: 00000202 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000564cd69f10a0 RCX: 00007f68cffb2a06 RDX: 0000000000000040 RSI: 0000564cd69f10a4 RDI: 0000000000000003 RBP: 00007ffefb7c53f0 R08: 0000564cd6a032ac R09: 000000000000001c R10: 0000000000000000 R11: 0000000000000202 R12: 0000564cd69f10a4 R13: 0000000000000040 R14: 00007ffefb7c66e0 R15: 0000564cd69f10a0 </TASK> Allocated by task 1543: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) __kasan_slab_alloc (mm/kasan/common.c:319 mm/kasan/common.c:345) kmem_cache_alloc_node_noprof (./include/linux/kasan.h:250 mm/slub.c:4148 mm/slub.c:4197 mm/slub.c:4249) kmalloc_reserve (net/core/skbuff.c:581 (discriminator 88)) __alloc_skb (net/core/skbuff.c:669) __ip6_append_data (net/ipv6/ip6_output.c:1672 (discriminator 1)) ip6_ ---truncated--- | 2025-07-28 | not yet calculated | CVE-2025-38476 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_class and qfq_dump_class_stats. | 2025-07-28 | not yet calculated | CVE-2025-38477 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: Fix initialization of data for instructions that write to subdevice Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAMPLES` (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, the first `insn->n` data elements are copied from user-space, but the remaining elements are left uninitialized. That could be a problem if the subdevice instruction handler reads the uninitialized data. Ensure that the first `MIN_SAMPLES` elements are initialized before calling these instruction handlers, filling the uncopied elements with 0. For `do_insnlist_ioctl()`, the same data buffer elements are used for handling a list of instructions, so ensure the first `MIN_SAMPLES` elements are initialized for each instruction that writes to the subdevice. | 2025-07-28 | not yet calculated | CVE-2025-38478 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_read` and/or `insn_write` function handler pointers are set to point to the `insn_rw_emulate_bits()` function by `__comedi_device_postconfig()`. For `INSN_WRITE`, `insn_rw_emulate_bits()` currently assumes that the supplied `data[0]` value is a valid copy from user memory. It will at least exist because `do_insnlist_ioctl()` and `do_insn_ioctl()` in "comedi_fops.c" ensure at lease `MIN_SAMPLES` (16) elements are allocated. However, if `insn->n` is 0 (which is allowable for `INSN_READ` and `INSN_WRITE` instructions, then `data[0]` may contain uninitialized data, and certainly contains invalid data, possibly from a different instruction in the array of instructions handled by `do_insnlist_ioctl()`. This will result in an incorrect value being written to the digital output channel (or to the digital input/output channel if configured as an output), and may be reflected in the internal saved state of the channel. Fix it by returning 0 early if `insn->n` is 0, before reaching the code that accesses `data[0]`. Previously, the function always returned 1 on success, but it is supposed to be the number of data samples actually read or written up to `insn->n`, which is 0 in this case. | 2025-07-28 | not yet calculated | CVE-2025-38480 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. Define the limit on the `n_insns` value in the `MAX_INSNS` macro. Set this to the same value as `MAX_SAMPLES` (65536), which is the maximum allowed sum of the values of the member `n` in the array of `struct comedi_insn`, and sensible comedi instructions will have an `n` of at least 1. | 2025-07-28 | not yet calculated | CVE-2025-38481 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: das6402: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ if ((1 << it->options[1]) & 0x8cec) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will be in the range [1,15]. The value 0 explicitly disables the use of interrupts. | 2025-07-28 | not yet calculated | CVE-2025-38482 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: comedi: das16m1: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. | 2025-07-28 | not yet calculated | CVE-2025-38483 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: backend: fix out-of-bound write The buffer is set to 80 character. If a caller write more characters, count is truncated to the max available space in "simple_write_to_buffer". But afterwards a string terminator is written to the buffer at offset count without boundary check. The zero termination is written OUT-OF-BOUND. Add a check that the given buffer is smaller then the buffer to prevent. | 2025-07-28 | not yet calculated | CVE-2025-38484 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with iio_for_each_active_channel()) without making sure the indio_dev stays in buffer mode. There is a race if indio_dev exits buffer mode in the middle of the interrupt that flushes the fifo. Fix this by calling synchronize_irq() to ensure that no interrupt is currently running when disabling buffer mode. Unable to handle kernel NULL pointer dereference at virtual address 00000000 when read [...] _find_first_bit_le from fxls8962af_fifo_flush+0x17c/0x290 fxls8962af_fifo_flush from fxls8962af_interrupt+0x80/0x178 fxls8962af_interrupt from irq_thread_fn+0x1c/0x7c irq_thread_fn from irq_thread+0x110/0x1f4 irq_thread from kthread+0xe0/0xfc kthread from ret_from_fork+0x14/0x2c | 2025-07-28 | not yet calculated | CVE-2025-38485 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soundwire: Revert "soundwire: qcom: Add set_channel_map api support" This reverts commit 7796c97df6b1b2206681a07f3c80f6023a6593d5. This patch broke Dragonboard 845c (sdm845). I see: Unexpected kernel BRK exception at EL1 Internal error: BRK handler: 00000000f20003e8 [#1] SMP pc : qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] lr : snd_soc_dai_set_channel_map+0x34/0x78 Call trace: qcom_swrm_set_channel_map+0x7c/0x80 [soundwire_qcom] (P) sdm845_dai_init+0x18c/0x2e0 [snd_soc_sdm845] snd_soc_link_init+0x28/0x6c snd_soc_bind_card+0x5f4/0xb0c snd_soc_register_card+0x148/0x1a4 devm_snd_soc_register_card+0x50/0xb0 sdm845_snd_platform_probe+0x124/0x148 [snd_soc_sdm845] platform_probe+0x6c/0xd0 really_probe+0xc0/0x2a4 __driver_probe_device+0x7c/0x130 driver_probe_device+0x40/0x118 __device_attach_driver+0xc4/0x108 bus_for_each_drv+0x8c/0xf0 __device_attach+0xa4/0x198 device_initial_probe+0x18/0x28 bus_probe_device+0xb8/0xbc deferred_probe_work_func+0xac/0xfc process_one_work+0x244/0x658 worker_thread+0x1b4/0x360 kthread+0x148/0x228 ret_from_fork+0x10/0x20 Kernel panic - not syncing: BRK handler: Fatal exception Dan has also reported following issues with the original patch https://lore.kernel.org/all/33fe8fe7-719a-405a-9ed2-d9f816ce1d57@sabinyo.mountain/ Bug #1: The zeroeth element of ctrl->pconfig[] is supposed to be unused. We start counting at 1. However this code sets ctrl->pconfig[0].ch_mask = 128. Bug #2: There are SLIM_MAX_TX_PORTS (16) elements in tx_ch[] array but only QCOM_SDW_MAX_PORTS + 1 (15) in the ctrl->pconfig[] array so it corrupts memory like Yongqin Liu pointed out. Bug 3: Like Jie Gan pointed out, it erases all the tx information with the rx information. | 2025-07-28 | not yet calculated | CVE-2025-38486 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Mitigate e.g. the following: # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind ... [ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write [ 120.373866] [00000004] *pgd=00000000 [ 120.377910] Internal error: Oops: 805 [#1] SMP ARM [ 120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-00009-g926217bc7d7d-dirty #20 NONE ... [ 120.679543] Call trace: [ 120.679559] misc_deregister from aspeed_lpc_snoop_remove+0x84/0xac [ 120.692462] aspeed_lpc_snoop_remove from platform_remove+0x28/0x38 [ 120.700996] platform_remove from device_release_driver_internal+0x188/0x200 ... | 2025-07-28 | not yet calculated | CVE-2025-38487 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in crypt_message when using async crypto The CVE-2024-50047 fix removed asynchronous crypto handling from crypt_message(), assuming all crypto operations are synchronous. However, when hardware crypto accelerators are used, this can cause use-after-free crashes: crypt_message() // Allocate the creq buffer containing the req creq = smb2_get_aead_req(..., &req); // Async encryption returns -EINPROGRESS immediately rc = enc ? crypto_aead_encrypt(req) : crypto_aead_decrypt(req); // Free creq while async operation is still in progress kvfree_sensitive(creq, ...); Hardware crypto modules often implement async AEAD operations for performance. When crypto_aead_encrypt/decrypt() returns -EINPROGRESS, the operation completes asynchronously. Without crypto_wait_req(), the function immediately frees the request buffer, leading to crashes when the driver later accesses the freed memory. This results in a use-after-free condition when the hardware crypto driver later accesses the freed request structure, leading to kernel crashes with NULL pointer dereferences. The issue occurs because crypto_alloc_aead() with mask=0 doesn't guarantee synchronous operation. Even without CRYPTO_ALG_ASYNC in the mask, async implementations can be selected. Fix by restoring the async crypto handling: - DECLARE_CRYPTO_WAIT(wait) for completion tracking - aead_request_set_callback() for async completion notification - crypto_wait_req() to wait for operation completion This ensures the request buffer isn't freed until the crypto operation completes, whether synchronous or asynchronous, while preserving the CVE-2024-50047 fix. | 2025-07-28 | not yet calculated | CVE-2025-38488 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again Commit 7ded842b356d ("s390/bpf: Fix bpf_plt pointer arithmetic") has accidentally removed the critical piece of commit c730fce7c70c ("s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL"), causing intermittent kernel panics in e.g. perf's on_switch() prog to reappear. Restore the fix and add a comment. | 2025-07-28 | not yet calculated | CVE-2025-38489 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: libwx: remove duplicate page_pool_put_full_page() page_pool_put_full_page() should only be invoked when freeing Rx buffers or building a skb if the size is too short. At other times, the pages need to be reused. So remove the redundant page put. In the original code, double free pages cause kernel panic: [ 876.949834] __irq_exit_rcu+0xc7/0x130 [ 876.949836] common_interrupt+0xb8/0xd0 [ 876.949838] </IRQ> [ 876.949838] <TASK> [ 876.949840] asm_common_interrupt+0x22/0x40 [ 876.949841] RIP: 0010:cpuidle_enter_state+0xc2/0x420 [ 876.949843] Code: 00 00 e8 d1 1d 5e ff e8 ac f0 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 cd fc 5c ff 45 84 ff 0f 85 40 02 00 00 fb 0f 1f 44 00 00 <45> 85 f6 0f 88 84 01 00 00 49 63 d6 48 8d 04 52 48 8d 04 82 49 8d [ 876.949844] RSP: 0018:ffffaa7340267e78 EFLAGS: 00000246 [ 876.949845] RAX: ffff9e3f135be000 RBX: 0000000000000002 RCX: 0000000000000000 [ 876.949846] RDX: 000000cc2dc4cb7c RSI: ffffffff89ee49ae RDI: ffffffff89ef9f9e [ 876.949847] RBP: ffff9e378f940800 R08: 0000000000000002 R09: 00000000000000ed [ 876.949848] R10: 000000000000afc8 R11: ffff9e3e9e5a9b6c R12: ffffffff8a6d8580 [ 876.949849] R13: 000000cc2dc4cb7c R14: 0000000000000002 R15: 0000000000000000 [ 876.949852] ? cpuidle_enter_state+0xb3/0x420 [ 876.949855] cpuidle_enter+0x29/0x40 [ 876.949857] cpuidle_idle_call+0xfd/0x170 [ 876.949859] do_idle+0x7a/0xc0 [ 876.949861] cpu_startup_entry+0x25/0x30 [ 876.949862] start_secondary+0x117/0x140 [ 876.949864] common_startup_64+0x13e/0x148 [ 876.949867] </TASK> [ 876.949868] ---[ end trace 0000000000000000 ]--- [ 876.949869] ------------[ cut here ]------------ [ 876.949870] list_del corruption, ffffead40445a348->next is NULL [ 876.949873] WARNING: CPU: 14 PID: 0 at lib/list_debug.c:52 __list_del_entry_valid_or_report+0x67/0x120 [ 876.949875] Modules linked in: snd_hrtimer(E) bnep(E) binfmt_misc(E) amdgpu(E) squashfs(E) vfat(E) loop(E) fat(E) amd_atl(E) snd_hda_codec_realtek(E) intel_rapl_msr(E) snd_hda_codec_generic(E) intel_rapl_common(E) snd_hda_scodec_component(E) snd_hda_codec_hdmi(E) snd_hda_intel(E) edac_mce_amd(E) snd_intel_dspcfg(E) snd_hda_codec(E) snd_hda_core(E) amdxcp(E) kvm_amd(E) snd_hwdep(E) gpu_sched(E) drm_panel_backlight_quirks(E) cec(E) snd_pcm(E) drm_buddy(E) snd_seq_dummy(E) drm_ttm_helper(E) btusb(E) kvm(E) snd_seq_oss(E) btrtl(E) ttm(E) btintel(E) snd_seq_midi(E) btbcm(E) drm_exec(E) snd_seq_midi_event(E) i2c_algo_bit(E) snd_rawmidi(E) bluetooth(E) drm_suballoc_helper(E) irqbypass(E) snd_seq(E) ghash_clmulni_intel(E) sha512_ssse3(E) drm_display_helper(E) aesni_intel(E) snd_seq_device(E) rfkill(E) snd_timer(E) gf128mul(E) drm_client_lib(E) drm_kms_helper(E) snd(E) i2c_piix4(E) joydev(E) soundcore(E) wmi_bmof(E) ccp(E) k10temp(E) i2c_smbus(E) gpio_amdpt(E) i2c_designware_platform(E) gpio_generic(E) sg(E) [ 876.949914] i2c_designware_core(E) sch_fq_codel(E) parport_pc(E) drm(E) ppdev(E) lp(E) parport(E) fuse(E) nfnetlink(E) ip_tables(E) ext4 crc16 mbcache jbd2 sd_mod sfp mdio_i2c i2c_core txgbe ahci ngbe pcs_xpcs libahci libwx r8169 phylink libata realtek ptp pps_core video wmi [ 876.949933] CPU: 14 UID: 0 PID: 0 Comm: swapper/14 Kdump: loaded Tainted: G W E 6.16.0-rc2+ #20 PREEMPT(voluntary) [ 876.949935] Tainted: [W]=WARN, [E]=UNSIGNED_MODULE [ 876.949936] Hardware name: Micro-Star International Co., Ltd. MS-7E16/X670E GAMING PLUS WIFI (MS-7E16), BIOS 1.90 12/31/2024 [ 876.949936] RIP: 0010:__list_del_entry_valid_or_report+0x67/0x120 [ 876.949938] Code: 00 00 00 48 39 7d 08 0f 85 a6 00 00 00 5b b8 01 00 00 00 5d 41 5c e9 73 0d 93 ff 48 89 fe 48 c7 c7 a0 31 e8 89 e8 59 7c b3 ff <0f> 0b 31 c0 5b 5d 41 5c e9 57 0d 93 ff 48 89 fe 48 c7 c7 c8 31 e8 [ 876.949940] RSP: 0018:ffffaa73405d0c60 EFLAGS: 00010282 [ 876.949941] RAX: 0000000000000000 RBX: ffffead40445a348 RCX: 0000000000000000 [ 876.949942] RDX: 0000000000000105 RSI: 00000 ---truncated--- | 2025-07-28 | not yet calculated | CVE-2025-38490 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mptcp: make fallback action and fallback decision atomic Syzkaller reported the following splat: WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153 Modules linked in: CPU: 1 UID: 0 PID: 7704 Comm: syz.3.1419 Not tainted 6.16.0-rc3-gbd5ce2324dba #20 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:__mptcp_do_fallback net/mptcp/protocol.h:1223 [inline] RIP: 0010:mptcp_do_fallback net/mptcp/protocol.h:1244 [inline] RIP: 0010:check_fully_established net/mptcp/options.c:982 [inline] RIP: 0010:mptcp_incoming_options+0x21a8/0x2510 net/mptcp/options.c:1153 Code: 24 18 e8 bb 2a 00 fd e9 1b df ff ff e8 b1 21 0f 00 e8 ec 5f c4 fc 44 0f b7 ac 24 b0 00 00 00 e9 54 f1 ff ff e8 d9 5f c4 fc 90 <0f> 0b 90 e9 b8 f4 ff ff e8 8b 2a 00 fd e9 8d e6 ff ff e8 81 2a 00 RSP: 0018:ffff8880a3f08448 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8880180a8000 RCX: ffffffff84afcf45 RDX: ffff888090223700 RSI: ffffffff84afdaa7 RDI: 0000000000000001 RBP: ffff888017955780 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff8880180a8910 R14: ffff8880a3e9d058 R15: 0000000000000000 FS: 00005555791b8500(0000) GS:ffff88811c495000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000110c2800b7 CR3: 0000000058e44000 CR4: 0000000000350ef0 Call Trace: <IRQ> tcp_reset+0x26f/0x2b0 net/ipv4/tcp_input.c:4432 tcp_validate_incoming+0x1057/0x1b60 net/ipv4/tcp_input.c:5975 tcp_rcv_established+0x5b5/0x21f0 net/ipv4/tcp_input.c:6166 tcp_v4_do_rcv+0x5dc/0xa70 net/ipv4/tcp_ipv4.c:1925 tcp_v4_rcv+0x3473/0x44a0 net/ipv4/tcp_ipv4.c:2363 ip_protocol_deliver_rcu+0xba/0x480 net/ipv4/ip_input.c:205 ip_local_deliver_finish+0x2f1/0x500 net/ipv4/ip_input.c:233 NF_HOOK include/linux/netfilter.h:317 [inline] NF_HOOK include/linux/netfilter.h:311 [inline] ip_local_deliver+0x1be/0x560 net/ipv4/ip_input.c:254 dst_input include/net/dst.h:469 [inline] ip_rcv_finish net/ipv4/ip_input.c:447 [inline] NF_HOOK include/linux/netfilter.h:317 [inline] NF_HOOK include/linux/netfilter.h:311 [inline] ip_rcv+0x514/0x810 net/ipv4/ip_input.c:567 __netif_receive_skb_one_core+0x197/0x1e0 net/core/dev.c:5975 __netif_receive_skb+0x1f/0x120 net/core/dev.c:6088 process_backlog+0x301/0x1360 net/core/dev.c:6440 __napi_poll.constprop.0+0xba/0x550 net/core/dev.c:7453 napi_poll net/core/dev.c:7517 [inline] net_rx_action+0xb44/0x1010 net/core/dev.c:7644 handle_softirqs+0x1d0/0x770 kernel/softirq.c:579 do_softirq+0x3f/0x90 kernel/softirq.c:480 </IRQ> <TASK> __local_bh_enable_ip+0xed/0x110 kernel/softirq.c:407 local_bh_enable include/linux/bottom_half.h:33 [inline] inet_csk_listen_stop+0x2c5/0x1070 net/ipv4/inet_connection_sock.c:1524 mptcp_check_listen_stop.part.0+0x1cc/0x220 net/mptcp/protocol.c:2985 mptcp_check_listen_stop net/mptcp/mib.h:118 [inline] __mptcp_close+0x9b9/0xbd0 net/mptcp/protocol.c:3000 mptcp_close+0x2f/0x140 net/mptcp/protocol.c:3066 inet_release+0xed/0x200 net/ipv4/af_inet.c:435 inet6_release+0x4f/0x70 net/ipv6/af_inet6.c:487 __sock_release+0xb3/0x270 net/socket.c:649 sock_close+0x1c/0x30 net/socket.c:1439 __fput+0x402/0xb70 fs/file_table.c:465 task_work_run+0x150/0x240 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xd4 ---truncated--- | 2025-07-28 | not yet calculated | CVE-2025-38491 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfs: Fix race between cache write completion and ALL_QUEUED being set When netfslib is issuing subrequests, the subrequests start processing immediately and may complete before we reach the end of the issuing function. At the end of the issuing function we set NETFS_RREQ_ALL_QUEUED to indicate to the collector that we aren't going to issue any more subreqs and that it can do the final notifications and cleanup. Now, this isn't a problem if the request is synchronous (NETFS_RREQ_OFFLOAD_COLLECTION is unset) as the result collection will be done in-thread and we're guaranteed an opportunity to run the collector. However, if the request is asynchronous, collection is primarily triggered by the termination of subrequests queuing it on a workqueue. Now, a race can occur here if the app thread sets ALL_QUEUED after the last subrequest terminates. This can happen most easily with the copy2cache code (as used by Ceph) where, in the collection routine of a read request, an asynchronous write request is spawned to copy data to the cache. Folios are added to the write request as they're unlocked, but there may be a delay before ALL_QUEUED is set as the write subrequests may complete before we get there. If all the write subreqs have finished by the ALL_QUEUED point, no further events happen and the collection never happens, leaving the request hanging. Fix this by queuing the collector after setting ALL_QUEUED. This is a bit heavy-handed and it may be sufficient to do it only if there are no extant subreqs. Also add a tracepoint to cross-reference both requests in a copy-to-request operation and add a trace to the netfs_rreq tracepoint to indicate the setting of ALL_QUEUED. | 2025-07-28 | not yet calculated | CVE-2025-38492 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Fix crash in timerlat_dump_stack() We have observed kernel panics when using timerlat with stack saving, with the following dmesg output: memcpy: detected buffer overflow: 88 byte write of buffer size 0 WARNING: CPU: 2 PID: 8153 at lib/string_helpers.c:1032 __fortify_report+0x55/0xa0 CPU: 2 UID: 0 PID: 8153 Comm: timerlatu/2 Kdump: loaded Not tainted 6.15.3-200.fc42.x86_64 #1 PREEMPT(lazy) Call Trace: <TASK> ? trace_buffer_lock_reserve+0x2a/0x60 __fortify_panic+0xd/0xf __timerlat_dump_stack.cold+0xd/0xd timerlat_dump_stack.part.0+0x47/0x80 timerlat_fd_read+0x36d/0x390 vfs_read+0xe2/0x390 ? syscall_exit_to_user_mode+0x1d5/0x210 ksys_read+0x73/0xe0 do_syscall_64+0x7b/0x160 ? exc_page_fault+0x7e/0x1a0 entry_SYSCALL_64_after_hwframe+0x76/0x7e __timerlat_dump_stack() constructs the ftrace stack entry like this: struct stack_entry *entry; ... memcpy(&entry->caller, fstack->calls, size); entry->size = fstack->nr_entries; Since commit e7186af7fb26 ("tracing: Add back FORTIFY_SOURCE logic to kernel_stack event structure"), struct stack_entry marks its caller field with __counted_by(size). At the time of the memcpy, entry->size contains garbage from the ringbuffer, which under some circumstances is zero, triggering a kernel panic by buffer overflow. Populate the size field before the memcpy so that the out-of-bounds check knows the correct size. This is analogous to __ftrace_trace_stack(). | 2025-07-28 | not yet calculated | CVE-2025-38493 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: core: do not bypass hid_hw_raw_request hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid paramto be used. | 2025-07-28 | not yet calculated | CVE-2025-38494 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: core: ensure the allocated report buffer can contain the reserved report ID When the report ID is not used, the low level transport drivers expect the first byte to be 0. However, currently the allocated buffer not account for that extra byte, meaning that instead of having 8 guaranteed bytes for implement to be working, we only have 7. | 2025-07-28 | not yet calculated | CVE-2025-38495 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm-bufio: fix sched in atomic context If "try_verify_in_tasklet" is set for dm-verity, DM_BUFIO_CLIENT_NO_SLEEP is enabled for dm-bufio. However, when bufio tries to evict buffers, there is a chance to trigger scheduling in spin_lock_bh, the following warning is hit: BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2745 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 123, name: kworker/2:2 preempt_count: 201, expected: 0 RCU nest depth: 0, expected: 0 4 locks held by kworker/2:2/123: #0: ffff88800a2d1548 ((wq_completion)dm_bufio_cache){....}-{0:0}, at: process_one_work+0xe46/0x1970 #1: ffffc90000d97d20 ((work_completion)(&dm_bufio_replacement_work)){....}-{0:0}, at: process_one_work+0x763/0x1970 #2: ffffffff8555b528 (dm_bufio_clients_lock){....}-{3:3}, at: do_global_cleanup+0x1ce/0x710 #3: ffff88801d5820b8 (&c->spinlock){....}-{2:2}, at: do_global_cleanup+0x2a5/0x710 Preemption disabled at: [<0000000000000000>] 0x0 CPU: 2 UID: 0 PID: 123 Comm: kworker/2:2 Not tainted 6.16.0-rc3-g90548c634bd0 #305 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 Workqueue: dm_bufio_cache do_global_cleanup Call Trace: <TASK> dump_stack_lvl+0x53/0x70 __might_resched+0x360/0x4e0 do_global_cleanup+0x2f5/0x710 process_one_work+0x7db/0x1970 worker_thread+0x518/0xea0 kthread+0x359/0x690 ret_from_fork+0xf3/0x1b0 ret_from_fork_asm+0x1a/0x30 </TASK> That can be reproduced by: veritysetup format --data-block-size=4096 --hash-block-size=4096 /dev/vda /dev/vdb SIZE=$(blockdev --getsz /dev/vda) dmsetup create myverity -r --table "0 $SIZE verity 1 /dev/vda /dev/vdb 4096 4096 <data_blocks> 1 sha256 <root_hash> <salt> 1 try_verify_in_tasklet" mount /dev/dm-0 /mnt -o ro echo 102400 > /sys/module/dm_bufio/parameters/max_cache_size_bytes [read files in /mnt] | 2025-07-28 | not yet calculated | CVE-2025-38496 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Fix OOB read on empty string write When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1] before validating that the length 'l' is greater than zero. This patch fixes the vulnerability by adding a check at the beginning of os_desc_qw_sign_store() and webusb_landingPage_store() to handle the zero-length input case gracefully by returning immediately. | 2025-07-28 | not yet calculated | CVE-2025-38497 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: do_change_type(): refuse to operate on unmounted/not ours mounts Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2). | 2025-07-30 | not yet calculated | CVE-2025-38498 |
| LinuxServer.io--Heimdall Application Dashboard | LinuxServer.io heimdall 2.6.3-ls307 contains a vulnerability in how it handles user-supplied HTTP headers, specifically `X-Forwarded-Host` and `Referer`. An unauthenticated remote attacker can manipulate these headers to perform Host Header Injection and Open Redirect attacks. This allows the loading of external resources from attacker-controlled domains and unintended redirection of users, potentially enabling phishing, UI redress, and session theft. The vulnerability exists due to insufficient validation and trust of untrusted input, affecting the integrity and trustworthiness of the application. | 2025-07-30 | not yet calculated | CVE-2025-50578 |
| localsend--localsend | LocalSend is an open-source app to securely share files and messages with nearby devices over local networks without needing an internet connection. In versions 1.16.1 and below, a critical Man-in-the-Middle (MitM) vulnerability in the software's discovery protocol allows an unauthenticated attacker on the same local network to impersonate legitimate devices, silently intercepting, reading, and modifying any file transfer. This can be used to steal sensitive data or inject malware, like ransomware, into files shared between trusted users. The attack is hardly detectable and easy to implement, posing a severe and immediate security risk. This issue was fixed in version 1.17.0. | 2025-08-01 | not yet calculated | CVE-2025-54792 |
| LXCenter--Kloxo | An unauthenticated SQL injection vulnerability exists in the Kloxo web hosting control panel (developed by LXCenter) prior to version 6.1.12. The flaw resides in the login-name parameter passed to lbin/webcommand.php, which fails to properly sanitize input, allowing an attacker to extract the administrator's password from the backend database. After recovering valid credentials, the attacker can authenticate to the Kloxo control panel and leverage the Command Center feature (display.php) to execute arbitrary operating system commands as root on the underlying host system. This vulnerability was reported to be exploited in the wild in January 2014. | 2025-07-31 | not yet calculated | CVE-2014-125123 |
| LxCenter--Kloxo | Kloxo versions 6.1.12 and earlier contain two setuid root binaries-lxsuexec and lxrestart-that allow local privilege escalation from uid 48. The lxsuexec binary performs a uid check and permits execution of arbitrary commands as root if the invoking user matches uid 48. This flaw enables attackers with Apache-level access to escalate privileges to root without authentication. | 2025-08-01 | not yet calculated | CVE-2012-10022 |
| MapTiler--Tileserver-php | MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without html encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code on a victim's browser. | 2025-07-29 | not yet calculated | CVE-2025-44136 |
| MapTiler--Tileserver-php | MapTiler Tileserver-php v2.0 is vulnerable to Directory Traversal. The renderTile function within tileserver.php is responsible for delivering tiles that are stored as files on the server via web request. Creating the path to a file allows the insertion of "../" and thus read any file on the web server. Affected GET parameters are "TileMatrix", "TileRow", "TileCol" and "Format" | 2025-07-29 | not yet calculated | CVE-2025-44137 |
| Marbella--KR8s Dashcam | An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. When a new SD card is inserted into the dashcam, the existing password is written onto the SD card in cleartext automatically. An attacker with temporary access to the dashcam can switch the SD card to steal this password. | 2025-07-28 | not yet calculated | CVE-2025-30124 |
| Marbella--KR8s Dashcam | An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. All dashcams were shipped with the same default credentials of 12345678, which creates an insecure-by-default condition. For users who change their passwords, it's limited to 8 characters. These short passwords can be cracked in 8 hours via low-end commercial cloud resources. | 2025-07-28 | not yet calculated | CVE-2025-30125 |
| Marbella--KR8s Dashcam | An issue was discovered on Marbella KR8s Dashcam FF 2.0.8 devices. Via port 7777 without any need to pair or press a physical button, a remote attacker can disable recording, delete recordings, or even disable battery protection to cause a flat battery to essentially disable the car from being used. During the process of changing these settings, there are no indications or sounds on the dashcam to alert the dashcam owner that someone else is making those changes. | 2025-07-28 | not yet calculated | CVE-2025-30126 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole compressConfigFiles Directory Traversal Information Disclosure and Denial-of-Service Vulnerability. This vulnerability allows remote attackers to disclose sensitive information or to create a denial-of-service condition on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the compressConfigFiles method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose sensitive information or to create a denial-of-service condition on the system. Was ZDI-CAN-24915. | 2025-07-31 | not yet calculated | CVE-2025-8426 |
| Memos--Memos | The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be exploited by an attacker to disclose the viewing user's IP address, browser User-Agent string, and potentially other request-specific information to the attacker-controlled server, leading to information disclosure and user tracking. | 2025-07-29 | not yet calculated | CVE-2025-50738 |
| Microsoft, Inc--Windows 11 | DLL hijacking of all PE32 executables when run on Windows for ARM64 CPU architecture. This allows an attacker to execute code, if the attacker can plant a DLL in the same directory as the executable. Vulnerable versions of Windows 11 for ARM attempt to load Base DLLs that would ordinarily not be loaded from the application directory. Fixed in release 24H2, but present in all earlier versions of Windows 11 for ARM CPUs. | 2025-07-28 | not yet calculated | CVE-2025-7676 |
| Microweber--Microweber CMS | Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS2.0 allows execution of arbitrary JavaScript. | 2025-08-01 | not yet calculated | CVE-2025-51501 |
| Microweber--Microweber CMS | Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users. | 2025-08-01 | not yet calculated | CVE-2025-51502 |
| Microweber--Microweber CMS | A Stored Cross-Site Scripting (XSS) vulnerability in Microweber CMS 2.0 allows attackers to inject malicious scripts into user profile fields, leading to arbitrary JavaScript execution in admin browsers. | 2025-07-31 | not yet calculated | CVE-2025-51503 |
| Microweber--Microweber CMS | Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS)in the /projects/profile, homepage endpoint via the last name field. | 2025-08-01 | not yet calculated | CVE-2025-51504 |
| MiniWeb--MiniWeb | An unrestricted file upload vulnerability exists in MiniWeb HTTP Server <= Build 300 that allows unauthenticated remote attackers to upload arbitrary files to the server's filesystem. By abusing the upload handler and crafting a traversal path, an attacker can place a malicious .exe in system32, followed by a .mof file in the WMI directory. This triggers execution of the payload with SYSTEM privileges via the Windows Management Instrumentation service. The exploit is only viable on Windows versions prior to Vista. | 2025-08-01 | not yet calculated | CVE-2013-10047 |
| moby--moby | Moby is an open source container framework developed by Docker Inc. that is distributed as Docker Engine, Mirantis Container Runtime, and various other downstream projects/products. In versions 28.2.0 through 28.3.2, when the firewalld service is reloaded it removes all iptables rules including those created by Docker. While Docker should automatically recreate these rules, versions before 28.3.3 fail to recreate the specific rules that block external access to containers. This means that after a firewalld reload, containers with ports published to localhost (like 127.0.0.1:8080) become accessible from remote machines that have network routing to the Docker bridge, even though they should only be accessible from the host itself. The vulnerability only affects explicitly published ports - unpublished ports remain protected. This issue is fixed in version 28.3.3. | 2025-07-30 | not yet calculated | CVE-2025-54388 |
| ModelScope--ms-swift | A remote code execution (RCE) vulnerability exists in the ms-swift project version 3.3.0 due to unsafe deserialization in tests/run.py using yaml.load() from the PyYAML library (versions = 5.3.1). If an attacker can control the content of the YAML configuration file passed to the --run_config parameter, arbitrary code can be executed during deserialization. This can lead to full system compromise. The vulnerability is triggered when a malicious YAML file is loaded, allowing the execution of arbitrary Python commands such as os.system(). It is recommended to upgrade PyYAML to version 5.4 or higher, and to use yaml.safe_load() to mitigate the issue. | 2025-08-01 | not yet calculated | CVE-2025-50460 |
| ModelScope--ms-swift | The modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()` class. Attackers can execute arbitrary code and commands by crafting a malicious serialized `.mdl` payload, exploiting the use of `pickle.load()` on data from potentially untrusted sources. This vulnerability allows for remote code execution (RCE) by deceiving victims into loading a seemingly harmless checkpoint during a normal training process, thereby enabling attackers to execute arbitrary code on the targeted machine. Note that the payload file is a hidden file, making it difficult for the victim to detect tampering. More importantly, during the model training process, after the `.mdl` file is loaded and executes arbitrary code, the normal training process remains unaffected'meaning the user remains unaware of the arbitrary code execution. | 2025-08-01 | not yet calculated | CVE-2025-50472 |
| MPlayer Project--MPlayer Lite | A stack-based buffer overflow vulnerability exists in MPlayer Lite r33064 due to improper bounds checking when handling M3U playlist files containing long http:// URL entries. An attacker can craft a malicious .m3u file with a specially formatted URL that triggers a stack overflow when processed by the player, particularly via drag-and-drop interaction. This flaw allows for control of the execution flow through SEH overwrite and a DEP bypass using a ROP chain that leverages known gadgets in loaded DLLs. Successful exploitation may result in arbitrary code execution with the privileges of the current user. | 2025-07-31 | not yet calculated | CVE-2011-10008 |
| n/a--Bacula-Web | SQL Injection vulnerability in Bacula-web before v.9.7.1 allows a remote attacker to execute arbitrary code via a crafted HTTP GET request. | 2025-07-29 | not yet calculated | CVE-2025-45346 |
| n/a--CloudClassroom-PHP-Project | CloudClassroom-PHP-Project 1.0 contains a reflected Cross-site Scripting (XSS) vulnerability in the email parameter of the postquerypublic endpoint. Improper sanitization allows an attacker to inject arbitrary JavaScript code that executes in the context of the user s browser, potentially leading to session hijacking or phishing attacks. | 2025-07-31 | not yet calculated | CVE-2025-50866 |
| n/a--CloudClassroom-PHP-Project | A SQL Injection vulnerability exists in the takeassessment2.php endpoint of the CloudClassroom-PHP-Project 1.0, where the Q5 POST parameter is directly embedded in SQL statements without sanitization. | 2025-07-31 | not yet calculated | CVE-2025-50867 |
| n/a--CloudClassroom-PHP-Project | A SQL Injection vulnerability exists in the takeassessment2.php file of CloudClassroom-PHP-Project 1.0. The Q4 POST parameter is not properly sanitized before being used in SQL queries. | 2025-08-01 | not yet calculated | CVE-2025-50868 |
| n/a--FlashMQ | FlashMQ v1.14.0 was discovered to contain an assertion failure in the function PublishCopyFactory::getNewPublish, which occurs when the QoS value of the publish object is greater than 0. | 2025-07-29 | not yet calculated | CVE-2024-42644 |
| n/a--FlashMQ | An issue in FlashMQ v1.14.0 allows attackers to cause an assertion failure via sending a crafted retain message, leading to a Denial of Service (DoS). | 2025-07-29 | not yet calculated | CVE-2024-42645 |
| n/a--iptime NAS | A buffer overflow vulnerability exists in the upload.cgi module of the iptime NAS firmware v1.5.04. The vulnerability arises due to the unsafe use of the strcpy function to copy attacker-controlled data from the CONTENT_TYPE HTTP header into a fixed-size stack buffer (v8, allocated 8 bytes) without bounds checking. Since this operation occurs before authentication logic is executed, the vulnerability is exploitable pre-authentication. | 2025-07-30 | not yet calculated | CVE-2025-50464 |
| n/a--jwt | jwt v5.4.3 was discovered to contain weak encryption. | 2025-07-31 | not yet calculated | CVE-2025-45770 |
| n/a--MagnusBilling | A Broken Access Control vulnerability in MagnusBilling v7.8.5.3 allows newly registered users to gain escalated privileges by sending a crafted request to /mbilling/index.php/user/save to set their account status fom "pending" to "active" without requiring administrator approval. | 2025-07-31 | not yet calculated | CVE-2025-52289 |
| n/a--NanoMQ | NanoMQ v0.17.9 was discovered to contain a heap use-after-free vulnerability via the component sub_Ctx_handle. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted SUBSCRIBE message. | 2025-07-29 | not yet calculated | CVE-2024-42651 |
| n/a--NanoMQ | An access control issue in NanoMQ v0.21.10 allows attackers to bypass security restrictions and access sensitive system topic messages using MQTT wildcard characters. | 2025-07-29 | not yet calculated | CVE-2024-42655 |
| n/a--playground.electronhub.ai | playground.electronhub.ai v1.1.9 was discovered to contain a cross-site scripting (XSS) vulnerability. | 2025-07-30 | not yet calculated | CVE-2025-51954 |
| n/a--pyjwt | pyjwt v2.10.1 was discovered to contain weak encryption. | 2025-07-31 | not yet calculated | CVE-2025-45768 |
| n/a--pyjwt | php-jwt v6.11.0 was discovered to contain weak encryption. | 2025-07-31 | not yet calculated | CVE-2025-45769 |
| n/a--Restaurant Order System | SQL Injection vulnerability in Restaurant Order System 1.0 allows a local attacker to obtain sensitive information via the payment.php file | 2025-08-01 | not yet calculated | CVE-2025-52327 |
| n/a--TrustedFirmware-M | TrustedFirmware-M (aka Trusted Firmware for M profile Arm CPUs) before 2.1.3 and 2.2.x before 2.2.1 lacks length validation during a firmware upgrade. While processing a new image, the Firmware Upgrade (FWU) module does not validate the length field of the Type-Length-Value (TLV) structure for dependent components against the maximum allowed size. If the length specified in the TLV exceeds the size of the buffer allocated on the stack, the FWU module will overwrite the buffer (and potentially other stack data) with the TLV's value content. An attacker could exploit this by crafting a malicious TLV entry in the unprotected section of the MCUBoot upgrade image. By setting the length field to exceed the expected structure size, the attacker can manipulate the stack memory of the system during the upgrade process. | 2025-07-30 | not yet calculated | CVE-2025-53022 |
| nestjs--nest | Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1. | 2025-08-01 | not yet calculated | CVE-2025-54782 |
| Netgear--DGN1000B | An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN1000B model firmware versions 1.1.00.24 and 1.1.00.45) via the TimeToLive parameter in the setup.cgi endpoint. The vulnerability arises from improper input neutralization, enabling command injection through crafted POST requests. This flaw enables remote attackers to deploy payloads or manipulate system state post-authentication. | 2025-08-01 | not yet calculated | CVE-2013-10061 |
| Netgear--DGN2200B | An authenticated OS command injection vulnerability exists in Netgear routers (tested on the DGN2200B model) firmware versions 1.0.0.36 and prior via the pppoe.cgi endpoint. A remote attacker with valid credentials can execute arbitrary commands via crafted input to the pppoe_username parameter. This flaw allows full compromise of the device and may persist across reboots unless configuration is restored. | 2025-08-01 | not yet calculated | CVE-2013-10060 |
| Netgear--SPH200D | A path traversal vulnerability exists in the Netgear SPH200D Skype phone firmware versions <= 1.0.4.80 in its embedded web server. Authenticated attackers can exploit crafted GET requests to access arbitrary files outside the web root by injecting traversal sequences. This can expose sensitive system files and configuration data. | 2025-08-01 | not yet calculated | CVE-2013-10063 |
| nobossextensions.com--No Boss Testimonials component for Joomla | A stored XSS vulnerability in No Boss Testimonials component 1.0.0-3.0.0 and 4.0.0-4.0.2 for Joomla was discovered. | 2025-07-28 | not yet calculated | CVE-2025-54299 |
| nyariv--sandboxjs | A prototype pollution vulnerability exists in @nyariv/sandboxjs versions <= 0.8.23, allowing attackers to inject arbitrary properties into Object.prototype via crafted JavaScript code. This can result in a denial-of-service (DoS) condition or, under certain conditions, escape the sandboxed environment intended to restrict code execution. The vulnerability stems from insufficient prototype access checks in the sandbox's executor logic, particularly in the handling of JavaScript function objects returned. | 2025-07-31 | not yet calculated | CVE-2025-34146 |
| OpenEMR Foundation--OpenEMR | An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once elevated, the attacker can exploit an unrestricted file upload flaw to achieve remote code execution, resulting in full compromise of the application and its host system. | 2025-08-01 | not yet calculated | CVE-2013-10044 |
| Palo Alto Networks--GlobalProtect App | An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtectâ„¢ App on Linux devices enables a locally authenticated non administrative user to disable the app even if the GlobalProtect app configuration would not normally permit them to do so. The GlobalProtect app on Windows, macOS, iOS, Android, Chrome OS and GlobalProtect UWP app are not affected. | 2025-07-29 | not yet calculated | CVE-2025-2179 |
| Partner Software--Partner Web | Partner Software's Partner Software application and Partner Web application do not sanitize files uploaded on the "reports" tab, allowing an authenticated attacker to upload a malicious file and compromise the device. By default, the software runs as SYSTEM, heightening the severity of the vulnerability. | 2025-08-02 | not yet calculated | CVE-2025-6076 |
| Partner Software--Partner Web | Partner Software's Partner Software Product and corresponding Partner Web application use the same default username and password for the administrator account across all versions. | 2025-08-02 | not yet calculated | CVE-2025-6077 |
| Partner Software--Partner Web | Partner Software's Partner Software application and Partner Web application allows an authenticated user to add notes on the 'Notes' page when viewing a job but does not completely sanitize input, making it possible to add notes with HTML tags and JavaScript, enabling an attacker to add a note containing malicious JavaScript, leading to stored XSS (cross-site scripting). | 2025-08-02 | not yet calculated | CVE-2025-6078 |
| PHPGurukul--Bank Locker Management System | Improper session invalidation in the component /banker/change-password.php of PHPGurukul Bank Locker Management System v1 allows attackers to execute a session hijacking attack. | 2025-07-28 | not yet calculated | CVE-2025-50491 |
| PHPGurukul--Blood Bank & Donor Management System | Improper session invalidation in the component /bbdms/change-password.php of PHPGurukul Blood Bank & Donor Management System v2.4 allows attackers to execute a session hijacking attack. | 2025-07-28 | not yet calculated | CVE-2025-50487 |
| PHPGurukul--Car Rental Project | Improper session invalidation in the component /carrental/update-password.php of PHPGurukul Car Rental Project v3.0 allows attackers to execute a session hijacking attack. | 2025-07-28 | not yet calculated | CVE-2025-50486 |
| PHPGurukul--Car Washing Management System | Improper session invalidation in the component /doctor/change-password.php of PHPGurukul Car Washing Management System v1.0 allows attackers to execute a session hijacking attack. | 2025-07-28 | not yet calculated | CVE-2025-50494 |
| PHPGurukul--Doctor Appointment Management System | Improper session invalidation in the component /doctor/change-password.php of PHPGurukul Doctor Appointment Management System v1 allows attackers to execute a session hijacking attack. | 2025-07-28 | not yet calculated | CVE-2025-50493 |
| PHPGurukul--e-Diary Management System | Improper session invalidation in the component /edms/change-password.php of PHPGurukul e-Diary Management System v1 allows attackers to execute a session hijacking attack. | 2025-07-28 | not yet calculated | CVE-2025-50492 |
| PHPGurukul--Nipah virus (NiV) – Testing Management System | phpgurukul Nipah virus (NiV) Testing Management System 1.0 contains a SQL injection vulnerability in the /new-user-testing.php file, due to insufficient validation of user input for the " govtissuedid" parameter. | 2025-07-29 | not yet calculated | CVE-2025-51044 |
| PHPGurukul--Online Course Registration | Improper session invalidation in the component /crm/change-password.php of PHPGurukul Online Course Registration v3.1 allows attackers to execute a session hijacking attack. | 2025-07-28 | not yet calculated | CVE-2025-50485 |
| PHPGurukul--Online Library Management System | Improper session invalidation in the component /library/change-password.php of PHPGurukul Online Library Management System v3.0 allows attackers to execute a session hijacking attack. | 2025-07-28 | not yet calculated | CVE-2025-50488 |
| PHPGurukul--Pre-School Enrollment System | Phpgurukul Pre-School Enrollment System 1.0 contains a SQL injection vulnerability in the /admin/password-recovery.php file. This vulnerability is attributed to the insufficient validation of user input for the username parameter. | 2025-07-29 | not yet calculated | CVE-2025-51045 |
| PHPGurukul--Small CRM | Improper session invalidation in the component /crm/change-password.php of PHPGurukul Small CRM v3.0 allows attackers to execute a session hijacking attack. | 2025-07-28 | not yet calculated | CVE-2025-50484 |
| PHPGurukul--Student Result Management System | Improper session invalidation in the component /srms/change-password.php of PHPGurukul Student Result Management System v2.0 allows attackers to execute a session hijacking attack. | 2025-07-28 | not yet calculated | CVE-2025-50489 |
| PHPGurukul--Student Result Management System | Improper session invalidation in the component /elms/emp-changepassword.php of PHPGurukul Student Result Management System v2.0 allows attackers to execute a session hijacking attack. | 2025-07-28 | not yet calculated | CVE-2025-50490 |
| Piwigo--Piwigo | Piwigo 13.8.0 and below is vulnerable to SQL Injection in the parameters max_level and min_register. These parameters are used in ws_user_gerList function from file include\ws_functions\pwg.users.php and this same function is called by ws.php file at some point can be used for searching users in advanced way in /admin.php?page=user_list. | 2025-07-29 | not yet calculated | CVE-2024-43018 |
| polkadot-evm--frontier | Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. In versions prior to commit 36f70d1, the Curve25519Add and Curve25519ScalarMul precompiles incorrectly handle invalid Ristretto point representations. Instead of returning an error, they silently treat invalid input bytes as the Ristretto identity element, leading to potentially incorrect cryptographic results. This is fixed in commit 36f70d1. | 2025-07-28 | not yet calculated | CVE-2025-54426 |
| polkadot-evm--frontier | Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. The extrinsic note_min_gas_price_target is an inherent extrinsic, meaning only the block producer can call it. To ensure correctness, the ProvideInherent trait should be implemented for each inherent, which includes the check_inherent call. This allows other nodes to verify if the input (in this case, the target value) is correct. However, prior to commit a754b3d, the check_inherent function has not been implemented for note_min_gas_price_target. This lets the block producer set the target value without verification. The target is then used to set the MinGasPrice, which has an upper and lower bound defined in the on_initialize hook. The block producer can set the target to the upper bound. Which also increases the upper and lower bounds for the next block. Over time, this could result in continuously raising the gas price, making contract execution too expensive and ineffective for users. An attacker could use this flaw to manipulate the gas price, potentially leading to significantly inflated transaction fees. Such manipulation could render contract execution prohibitively expensive for users, effectively resulting in a denial-of-service condition for the network. This is fixed in version a754b3d. | 2025-07-28 | not yet calculated | CVE-2025-54427 |
| polkadot-evm--frontier | Polkadot Frontier is an Ethereum and EVM compatibility layer for Polkadot and Substrate. There are various account address types in Frontier, e.g. precompiled contracts, smart contracts, and externally owned accounts. Some EVM mechanisms should be unreachable by certain types of accounts for safety. For precompiles to be callable by smart contracts they must be explicitly configured as CallableByContract. If this configuration is absent, then the precompile should be unreachable via smart contract accounts. In commits prior to 0822030, the underlying implementation of CallableByContract which returned the AddressType was incorrect. It considered the contract address running under CREATE or CREATE2 to be AddressType::EOA rather than correctly as AddressType::Contract. The issue only affects users who use custom precompile implementations that utilize AddressType::EOA and AddressType::Contract. It's not directly exploitable in any of the predefined precompiles in Frontier. This is fixed in version 0822030. | 2025-07-28 | not yet calculated | CVE-2025-54429 |
| PowerStick--Wave Dual-Band Wifi Extender | An authenticated remote code execution vulnerability in PowerStick Wave Dual-Band Wifi Extender V1.0 allows an attacker with valid credentials to execute arbitrary commands with root privileges. The issue stems from insufficient sanitization of user-supplied input in the /cgi-bin/cgi_vista.cgi executable, which is passed to a system-level function call. | 2025-07-28 | not yet calculated | CVE-2025-29534 |
| PrestaShop--PrestaShop | A PHAR deserialization vulnerability in the component /themes/import of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request. | 2025-07-30 | not yet calculated | CVE-2025-25691 |
| PrestaShop--PrestaShop | A PHAR deserialization vulnerability in the _getHeaders function of PrestaShop v8.2.0 allows attackers to execute arbitrary code via a crafted POST request. | 2025-07-30 | not yet calculated | CVE-2025-25692 |
| ProcessMaker, Inc.--ProcessMaker Open Source | A code injection vulnerability exists in ProcessMaker Open Source versions 2.x when using the default 'neoclassic' skin. An authenticated user can execute arbitrary PHP code via multiple endpoints, including appFolderAjax.php, casesStartPage_Ajax.php, and cases_SchedulerGetPlugins.php, by supplying crafted POST requests to parameters such as action and params. These endpoints fail to validate user input and directly invoke PHP functions like system() with user-supplied parameters, enabling remote code execution. The vulnerability affects both Linux and Windows installations and is present in default configurations of versions including 2.0.23 through 2.5.1. The vulnerable skin cannot be removed through the web interface, and exploitation requires only valid user credentials. | 2025-07-31 | not yet calculated | CVE-2013-10035 |
| PuneethReddyHC--Online Shopping System Advanced | A SQL Injection vulnerability exists in the action.php endpoint of PuneethReddyHC Online Shopping System Advanced 1.0 due to improper sanitization of user-supplied input in the keyword POST parameter. | 2025-07-29 | not yet calculated | CVE-2025-51970 |
| Quantum--DXi6702 | XML External Entity Injection vulnerability in Quantum DXi6702 2.3.0.3 (11449-53631 Build304) devices via rest/Users?action=authenticate. | 2025-08-01 | not yet calculated | CVE-2019-19144 |
| Raidsonic Technology GmbH--IB-NAS5220 | An OS command injection vulnerability exists in multiple Raidsonic NAS devices-specifically tested on IB-NAS5220 and IB-NAS4220-via the unauthenticated timeHandler.cgi endpoint exposed through the web interface. The CGI script fails to properly sanitize user-supplied input in the timeZone parameter of a POST request, allowing remote attackers to inject arbitrary shell commands. | 2025-08-01 | not yet calculated | CVE-2013-10049 |
| Rocket Software--Rocket Zena | Rocket Software Rocket Zena 4.4.1.26 is vulnerable to SQL Injection via the filter parameter. | 2025-07-30 | not yet calculated | CVE-2024-45955 |
| Russound--MBX-PRE-D67F | An OS command injection vulnerability exists in Russound MBX-PRE-D67F firmware version 3.1.6, allowing unauthenticated attackers to execute arbitrary commands as root via crafted input to the hostname parameter in network configuration requests. This vulnerability stems from improper neutralization of special elements used in an OS command within the network configuration handler, enabling remote code execution with the highest privileges. | 2025-07-31 | not yet calculated | CVE-2025-50475 |
| SAML-Toolkits--ruby-saml | The Ruby SAML library is for implementing the client side of a SAML authorization. In versions 1.18.0 and below, a denial-of-service vulnerability exists in ruby-saml even with the message_max_bytesize setting configured. The vulnerability occurs because the SAML response is validated for Base64 format prior to checking the message size, leading to potential resource exhaustion. This is fixed in version 1.18.1. | 2025-07-30 | not yet calculated | CVE-2025-54572 |
| sandboxie-plus--Sandboxie | Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.1 and below, a critical security vulnerability exists in password handling mechanisms. During encrypted sandbox creation, user passwords are transmitted via shared memory, exposing them to potential interception. The vulnerability is particularly severe during password modification operations, where both old and new passwords are passed as plaintext command-line arguments to the Imbox process without any encryption or obfuscation. This implementation flaw allows any process within the user session, including unprivileged processes, to retrieve these sensitive credentials by reading the command-line arguments, thereby bypassing standard privilege requirements and creating a significant security risk. This is fixed in version 1.16.2. | 2025-07-29 | not yet calculated | CVE-2025-54422 |
| Saurus--Saurus CMS Community Edition | Saurus CMS Community Edition since commit d886e5b0 (2010-04-23) is vulnerable to a SQL Injection vulnerability in the `prepareSearchQuery()` method in `FulltextSearch.class.php`. The application directly concatenates user-supplied input (`$search_word`) into SQL queries without sanitization, allowing attackers to manipulate the SQL logic and potentially extract sensitive information or escalate their privileges. | 2025-08-01 | not yet calculated | CVE-2025-52390 |
| Sielox--AnyWare | Sielox AnyWare v2.1.2 was discovered to contain a SQL injection vulnerability via the email address field of the password reset form. | 2025-07-31 | not yet calculated | CVE-2024-34327 |
| Sielox--AnyWare | An open redirect in Sielox AnyWare v2.1.2 allows attackers to execute a man-in-the-middle attack via a crafted URL. | 2025-07-31 | not yet calculated | CVE-2024-34328 |
| silabs.com--Zigbee | A Zigbee Radio Co-Processor (RCP), which is using SiLabs EmberZNet Zigbee stack, was unable to send messages to the host system (CPCd) due to heavy Zigbee traffic, resulting in a Denial of Service (DoS) attack, Only hard reset will bring the device to normal operation | 2025-07-30 | not yet calculated | CVE-2025-1221 |
| silabs.com--Zigbee Stack | Failure to handle the error status returned by the buffer management APIs in SiLabs EmberZNet Zigbee stack may result in data leaks or potential Denial of Service (DoS). | 2025-07-30 | not yet calculated | CVE-2025-1394 |
| silverbucket--webfinger.js | webfinger.js is a TypeScript-based WebFinger client that runs in both browsers and Node.js environments. In versions 2.8.0 and below, the lookup function accepts user addresses for account checking. However, the ActivityPub specification requires preventing access to localhost services in production. This library does not prevent localhost access, only checking for hosts that start with "localhost" and end with a port. Users can exploit this by creating servers that send GET requests with controlled host, path, and port parameters to query services on the instance's host or local network, enabling blind SSRF attacks. This is fixed in version 2.8.1. | 2025-08-01 | not yet calculated | CVE-2025-54590 |
| Simple E-Document--Simple E-Document | An unrestricted file upload vulnerability exists in Simple E-Document versions 3.0 to 3.1 that allows an unauthenticated attacker to bypass authentication by sending a specific cookie header (access=3) with HTTP requests. The application's upload mechanism fails to restrict file types and does not validate or sanitize user-supplied input, allowing attackers to upload malicious .php scripts. Authentication can be bypassed entirely by supplying a specially crafted cookie (access=3), granting access to the upload functionality without valid credentials. If file uploads are enabled on the server, the attacker can upload a web shell and gain remote code execution with the privileges of the web server user, potentially leading to full system compromise. | 2025-07-31 | not yet calculated | CVE-2014-125126 |
| Sipwise--rtpengine | In Sipwise rtpengine before 13.4.1.1, an origin-validation error in the endpoint-learning logic of the media-relay core allows remote attackers to inject or intercept RTP/SRTP media streams via RTP packets (except when the relay is configured for strict source and learning disabled). Version 13.4.1.1 fixes the heuristic mode by limiting exposure to the first five packets, and introduces a recrypt flag that fully prevents SRTP attacks when both mitigations are enabled. | 2025-08-01 | not yet calculated | CVE-2025-53399 |
| SonicWall--SonicOS | Use of Externally-Controlled Format String vulnerability in the SonicOS SSL VPN interface allows a remote unauthenticated attacker to cause service disruption. | 2025-07-29 | not yet calculated | CVE-2025-40600 |
| SQLite--SQLite | An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT statement with a large number of expressions in the ORDER BY clause. | 2025-07-29 | not yet calculated | CVE-2025-7458 |
| SwitchBot--SwitchBot App for iOS/Android | "SwitchBot" App for iOS/Android contains an insertion of sensitive information into log file vulnerability in versions V6.24 through V9.12. If this vulnerability is exploited, sensitive user information may be exposed to an attacker who has access to the application logs. | 2025-07-29 | not yet calculated | CVE-2025-53649 |
| Synactis--PDF In-The-Box | A stack-based buffer overflow vulnerability exists in Synactis PDF In-The-Box ActiveX control (PDF_IN_1.ocx), specifically the ConnectToSynactis method. When a long string is passed to this method-intended to populate the ldCmdLine argument of a WinExec call-a strcpy operation overwrites a saved TRegistry class pointer on the stack. This allows remote attackers to execute arbitrary code in the context of the user by enticing them to visit a malicious webpage that instantiates the vulnerable ActiveX control. The vulnerability was discovered via its use in third-party software such as Logic Print 2013. | 2025-08-01 | not yet calculated | CVE-2013-10057 |
| TESI--Gandia Integra Total | A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb/html/view/acceso.php. | 2025-08-01 | not yet calculated | CVE-2025-41370 |
| TESI--Gandia Integra Total | A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb_v4/integra/html/view/acceso.php | 2025-08-01 | not yet calculated | CVE-2025-41371 |
| TESI--Gandia Integra Total | A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/informe_campo_entrevistas.php. | 2025-08-01 | not yet calculated | CVE-2025-41372 |
| TESI--Gandia Integra Total | A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/hislistadoacciones.php. | 2025-08-01 | not yet calculated | CVE-2025-41373 |
| TESI--Gandia Integra Total | A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/hislistadoacciones.php. | 2025-08-01 | not yet calculated | CVE-2025-41374 |
| TESI--Gandia Integra Total | A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/consultaincimails.php. | 2025-08-01 | not yet calculated | CVE-2025-41375 |
| TESI--Gandia Integra Total | A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/consultacuotasred.php. | 2025-08-01 | not yet calculated | CVE-2025-41376 |
| Tesla--Wall Connector | Tesla Wall Connector Content-Length Header Improper Input Validation Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Tesla Wall Connector devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of the HTTP Content-Length header. The issue results from the lack of proper validation of user-supplied data, which can result in memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26300. | 2025-07-30 | not yet calculated | CVE-2025-8320 |
| Tesla--Wall Connector | Tesla Wall Connector Firmware Downgrade Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Tesla Wall Connector devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware upgrade feature. The issue results from the lack of an anti-downgrade mechanism. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the device. Was ZDI-CAN-26299. | 2025-07-30 | not yet calculated | CVE-2025-8321 |
| The Language Sloth--The Language Sloth Web Application | A stored cross-site scripting (XSS) vulnerability in The Language Sloth Web Application v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Description text field. | 2025-08-01 | not yet calculated | CVE-2025-45778 |
| Totolink--X6000R | Totolink X6000R V9.4.0cu.1360_B20241207 was found to contain a command injection vulnerability in the sub_4184C0 function via the tz parameter. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request. | 2025-07-29 | not yet calculated | CVE-2025-52284 |
| TP-Link Systems INC.--TL-WR841N V11 | A vulnerability has been found in TP-Link TL-WR841N V11. The vulnerability exists in the /userRpm/WlanNetworkRpm.htm file due to missing input parameter validation, which may lead to the buffer overflow to cause a crash of the web service and result in a denial-of-service (DoS) condition. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-29 | not yet calculated | CVE-2025-53711 |
| TP-Link Systems INC.--TL-WR841N V11 | A vulnerability has been found in TP-Link TL-WR841N V11. The vulnerability exists in the /userRpm/WlanNetworkRpm_AP.htm file due to missing input parameter validation, which may lead to the buffer overflow to cause a crash of the web service and result in a denial-of-service (DoS) condition. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-29 | not yet calculated | CVE-2025-53712 |
| TP-Link Systems INC.--TL-WR841N V11 | A vulnerability has been found in TP-Link TL-WR841N V11. The vulnerability exists in the /userRpm/WlanNetworkRpm_APC.htm file due to missing input parameter validation, which may lead to the buffer overflow to cause a crash of the web service and result in a denial-of-service (DoS) condition. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-29 | not yet calculated | CVE-2025-53713 |
| TP-Link Systems INC.--TL-WR841N V11 | A vulnerability has been found in TP-Link TL-WR841N V11. The vulnerability exists in the /userRpm/WzdWlanSiteSurveyRpm_AP.htm file due to missing input parameter validation, which may lead to the buffer overflow to cause a crash of the web service and result in a denial-of-service (DoS) condition. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-29 | not yet calculated | CVE-2025-53714 |
| TP-Link Systems INC.--TL-WR841N V11 | A vulnerability has been found in TP-Link TL-WR841N V11. The vulnerability exists in the /userRpm/Wan6to4TunnelCfgRpm.htm file due to missing input parameter validation, which may lead to the buffer overflow to cause a crash of the web service and result in a denial-of-service (DoS) condition. The attack may be launched remotely. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-29 | not yet calculated | CVE-2025-53715 |
| traefik--traefik | Traefik is an HTTP reverse proxy and load balancer. In versions 2.11.27 and below, 3.0.0 through 3.4.4 and 3.5.0-rc1, a path traversal vulnerability was discovered in WASM Traefik's plugin installation mechanism. By supplying a maliciously crafted ZIP archive containing file paths with ../ sequences, an attacker can overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service. This is fixed in versions 2.11.28, 3.4.5 and 3.5.0. | 2025-08-01 | not yet calculated | CVE-2025-54386 |
| TSplus--TSplus Remote Access | Access to TSplus Remote Access Admin Tool is restricted to administrators (unless "Disable UAC" option is enabled) and requires a PIN code. In versions below v18.40.6.17 the PIN's hash is stored in a system registry accessible to regular users, making it possible to perform a brute-force attack using rainbow tables, since the hash is not salted. LTS (Long-Term Support) versions also received patches in v17.2025.6.27 and v16.2025.6.27 releases. | 2025-07-29 | not yet calculated | CVE-2025-5922 |
| TUFaT--FlashChat | An unauthenticated arbitrary file upload vulnerability exists in FlashChat versions 6.0.2 and 6.0.4 through 6.0.8. The upload.php endpoint fails to properly validate file types and authentication, allowing attackers to upload malicious PHP scripts. Once uploaded, these scripts can be executed remotely, resulting in arbitrary code execution as the web server user. | 2025-07-31 | not yet calculated | CVE-2013-10038 |
| UltimateFosters--UltimatePOS | A Stored Cross Site Scripting vulnerability has been found in UltimatePOS by UltimateFosters. This vulnerability is due to the lack of proper validation of user inputs via '/products/<PRODUCT_ID>/edit', affecting to 'name' parameter via POST. The vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her session cookies details. | 2025-07-31 | not yet calculated | CVE-2025-40980 |
| Unknown--SureForms | The SureForms WordPress plugin before 1.7.2 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against both authenticated and unauthenticated users. | 2025-08-01 | not yet calculated | CVE-2025-5921 |
| Vivaldi--iCONTROL+ Server | A cross-site scripting vulnerability in Vivaldi United Group iCONTROL+ Server including Firmware version 4.7.8.0.eden Logic version 5.32 and below. This issue allows attackers to inject JavaScript payloads within the error or edit-menu-item parameters which are then executed in the victim's browser session. | 2025-07-29 | not yet calculated | CVE-2025-52358 |
| Vox Media--Chorus CMS | HTML injection in Vox Media's Chorus CMS. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the 'q' parameter in '/search'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2025-07-28 | not yet calculated | CVE-2025-40730 |
| Xorux--LPAR2RRD | An authenticated, read-only user can kill any processes running on the Xormon Original virtual appliance as the lpar2rrd user. | 2025-07-28 | not yet calculated | CVE-2025-54767 |
| Xorux--LPAR2RRD | An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to download logs from the appliance configuration, exposing sensitive information. | 2025-07-28 | not yet calculated | CVE-2025-54768 |
| Xorux--LPAR2RRD | An authenticated, read-only user can upload a file and perform a directory traversal to have the uploaded file placed in a location of their choosing. This can be used to overwrite existing PERL modules within the application to achieve remote code execution (RCE) by an attacker. | 2025-07-28 | not yet calculated | CVE-2025-54769 |
| Xorux--XorMon-NG | An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to import the appliance configuration, allowing an attacker to control the configuration of the appliance, to include granting themselves administrative level permissions. | 2025-07-28 | not yet calculated | CVE-2025-54765 |
| Xorux--XorMon-NG | An API endpoint that should be limited to web application administrators is hidden from, but accessible by, lower-level read only web application users. The endpoint can be used to export the appliance configuration, exposing sensitive information. | 2025-07-28 | not yet calculated | CVE-2025-54766 |
| Zimbra--Zimbra Collaboration | An issue was discovered in Zimbra Collaboration (ZCS) through 10.1. A Cross-Site Scripting (XSS) vulnerability exists in Zimbra webmail due to insufficient validation of the content type metadata when importing files into the briefcase. Attackers can exploit this issue by crafting a file with manipulated metadata, allowing them to bypass content type checks and execute arbitrary JavaScript within the victim's session. | 2025-07-30 | not yet calculated | CVE-2024-45515 |
| ZPanel Project--ZPanel | A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system() call that invokes the system's htpasswd binary. By injecting shell metacharacters into the username field, an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account-such as one in the default Users, Resellers, or Administrators groups-but no elevated privileges. | 2025-08-01 | not yet calculated | CVE-2013-10053 |
| ZTE Japan. K.K.--ZXHN-F660T | ZXHN-F660T and ZXHN-F660A provided by ZTE Japan K.K. use a common credential for all installations. With the knowledge of the credential, an attacker may log in to the affected devices. | 2025-07-31 | not yet calculated | CVE-2025-53558 |
Vulnerability Summary for the Week of July 21, 2025
Posted on Monday July 28, 2025
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 1000 Projects--ABC Courier Management System | A vulnerability has been found in 1000 Projects ABC Courier Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /Add_reciver.php. The manipulation of the argument reciver_name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 7.3 | CVE-2025-8173 |
| 1000 Projects--ABC Courier Management System | A vulnerability was found in 1000 Projects ABC Courier Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /getbyid.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-26 | 7.3 | CVE-2025-8185 |
| 1000 Projects--ABC Courier Management System | A vulnerability, which was classified as critical, was found in 1000 Projects ABC Courier Management System 1.0. This affects an unknown part of the file /report.php. The manipulation of the argument From leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 7.3 | CVE-2025-8241 |
| alexacrm--Dataverse Integration | The Dataverse Integration plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within its reset_password_link REST endpoint in versions 2.77 through 2.81. The endpoint's handler accepts a client-supplied id, email, or login, looks up that user, and calls get_password_reset_key() unconditionally. Because it only checks that the caller is authenticated, and not that they own or may edit the target account, any authenticated attacker, with Subscriber-level access and above, can obtain a password reset link for an administrator and hijack that account. | 2025-07-24 | 8.8 | CVE-2025-7695 |
| ASKEY--RTF8207w | Certain modem models developed by Askey has a Stack-based Buffer Overflow vulnerability, allowing unauthenticated remote attackers to control the program's execution flow and potentially execute arbitrary code. | 2025-07-21 | 9.8 | CVE-2025-7921 |
| Autodesk--RealDWG | A maliciously crafted binary file, when present while loading files in certain Autodesk applications, could lead to execution of arbitrary code in the context of the current process due to an untrusted search path being utilized. | 2025-07-24 | 7.8 | CVE-2025-5039 |
| Autodesk--Revit | A maliciously crafted RFA file, when parsed through Autodesk Revit, can force an Out-of-Bounds Read vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-07-22 | 7.8 | CVE-2025-5042 |
| AWS--Client VPN | During the AWS Client VPN client installation on Windows devices, the install process references the C:\usr\local\windows-x86_64-openssl-localbuild\ssl directory location to fetch the OpenSSL configuration file. As a result, a non-admin user could place arbitrary code in the configuration file. If an admin user starts the AWS Client VPN client installation process, that code could be executed with root-level privileges. This issue does not affect Linux or Mac devices. We recommend users discontinue any new installations of AWS Client VPN on Windows prior to version 5.2.2. | 2025-07-23 | 7.8 | CVE-2025-8069 |
| Bayraktar Solar Energies--ScadaWatt Otopilot | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Bayraktar Solar Energies ScadaWatt Otopilot allows SQL Injection.This issue affects ScadaWatt Otopilot: before 27.05.2025. | 2025-07-24 | 9.8 | CVE-2025-4822 |
| Bloomberg--Comdb2 | A null pointer dereference vulnerability exists in the CDB2SQLQUERY protocol buffer message handling of Bloomberg Comdb2 8.1. A specially crafted protocol buffer message can lead to a denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability. | 2025-07-22 | 7.5 | CVE-2025-35966 |
| Bloomberg--Comdb2 | A denial of service vulnerability exists in the Bloomberg Comdb2 8.1 database when handling a distributed transaction heartbeat. A specially crafted protocol buffer message can lead to a denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability. | 2025-07-22 | 7.5 | CVE-2025-36512 |
| Bloomberg--Comdb2 | A null pointer dereference vulnerability exists in the net_connectmsg Protocol Buffer Message functionality of Bloomberg Comdb2 8.1. A specially crafted network packets can lead to a denial of service. An attacker can send packets to trigger this vulnerability. | 2025-07-22 | 7.5 | CVE-2025-36520 |
| Bloomberg--Comdb2 | A denial of service vulnerability exists in the Distributed Transaction Commit/Abort Operation functionality of Bloomberg Comdb2 8.1. A specially crafted network packet can lead to a denial of service. An attacker can send a malicious packet to trigger this vulnerability. | 2025-07-22 | 7.5 | CVE-2025-46354 |
| Bloomberg--Comdb2 | A null pointer dereference vulnerability exists in the Distributed Transaction component of Bloomberg Comdb2 8.1 when processing a number of fields used for coordination. A specially crafted protocol buffer message can lead to a denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability. | 2025-07-22 | 7.5 | CVE-2025-48498 |
| bsecuretech--bSecure Your Universal Checkout | The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. The plugin registers the /webhook/v2/order_info/ route with a permission_callback that always returns true, effectively bypassing all authentication. This makes it possible for unauthenticated attackers who know any user's email to obtain a valid login cookie and fully impersonate that account. | 2025-07-22 | 9.8 | CVE-2025-6187 |
| Campcodes--Sales and Inventory System | A vulnerability classified as critical was found in Campcodes Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /pages/settings_update.php of the component Setting Handler. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 7.3 | CVE-2025-7933 |
| Canonical--MAAS | Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps. | 2025-07-21 | 9.6 | CVE-2024-6107 |
| Chanjet--CRM | A vulnerability was found in Chanjet CRM 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /mail/mailinactive.php of the component Login Page. The manipulation leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 7.3 | CVE-2025-7915 |
| code-projects--Church Donation System | A vulnerability was found in code-projects Church Donation System 1.0 and classified as critical. This issue affects some unknown processing of the file /members/edit_user.php. The manipulation of the argument firstname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-21 | 7.3 | CVE-2025-7928 |
| code-projects--Church Donation System | A vulnerability was found in code-projects Church Donation System 1.0. It has been classified as critical. Affected is an unknown function of the file /members/edit_Members.php. The manipulation of the argument fname leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-21 | 7.3 | CVE-2025-7929 |
| code-projects--Church Donation System | A vulnerability was found in code-projects Church Donation System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /members/add_members.php. The manipulation of the argument mobile leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-21 | 7.3 | CVE-2025-7930 |
| code-projects--Church Donation System | A vulnerability was found in code-projects Church Donation System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /members/admin_pic.php. The manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 7.3 | CVE-2025-7931 |
| code-projects--Church Donation System | A vulnerability was found in code-projects Church Donation System 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/index.php of the component HTTP POST Request Handler. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 7.3 | CVE-2025-8166 |
| code-projects--Exam Form Submission | A vulnerability was found in code-projects Exam Form Submission 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/update_s1.php. The manipulation of the argument credits leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 7.3 | CVE-2025-8237 |
| code-projects--Exam Form Submission | A vulnerability classified as critical has been found in code-projects Exam Form Submission 1.0. Affected is an unknown function of the file /admin/update_s2.php. The manipulation of the argument credits leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 7.3 | CVE-2025-8238 |
| code-projects--Exam Form Submission | A vulnerability classified as critical was found in code-projects Exam Form Submission 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/. The manipulation of the argument email leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 7.3 | CVE-2025-8239 |
| code-projects--Exam Form Submission | A vulnerability, which was classified as critical, has been found in code-projects Exam Form Submission 1.0. Affected by this issue is some unknown functionality of the file /user/dashboard.php. The manipulation of the argument phone leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 7.3 | CVE-2025-8240 |
| code-projects--Online Ordering System | A vulnerability, which was classified as critical, was found in code-projects Online Ordering System 1.0. Affected is an unknown function of the file /admin/delete_user.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 7.3 | CVE-2025-8232 |
| code-projects--Online Ordering System | A vulnerability has been found in code-projects Online Ordering System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/user.php. The manipulation of the argument un leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 7.3 | CVE-2025-8233 |
| code-projects--Online Ordering System | A vulnerability was found in code-projects Online Ordering System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete_member.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 7.3 | CVE-2025-8234 |
| code-projects--Online Ordering System | A vulnerability was found in code-projects Online Ordering System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/product.php. The manipulation of the argument Name leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 7.3 | CVE-2025-8235 |
| code-projects--Online Ordering System | A vulnerability was found in code-projects Online Ordering System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/edit_product.php. The manipulation of the argument Name leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 7.3 | CVE-2025-8236 |
| code-projects--Public Chat Room | A vulnerability was found in code-projects Public Chat Room 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument Username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-22 | 7.3 | CVE-2025-7950 |
| D-Link--DIR-513 | A vulnerability was found in D-Link DIR-513 up to 20190831. It has been declared as critical. This vulnerability affects the function formSetWanDhcpplus of the file /goform/formSetWanDhcpplus. The manipulation of the argument curTime leads to buffer overflow. The attack can be initiated remotely. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-21 | 8.8 | CVE-2025-7945 |
| D-Link--DIR-513 | A vulnerability was found in D-Link DIR-513 1.0. It has been rated as critical. This issue affects the function formLanguageChange of the file /goform/formLanguageChange of the component HTTP POST Request Handler. The manipulation of the argument curTime leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-25 | 8.8 | CVE-2025-8159 |
| D-Link--DIR-513 | A vulnerability was found in D-Link DIR-513 1.10. It has been rated as critical. Affected by this issue is the function websAspInit of the file /goform/formSetWanPPPoE. The manipulation of the argument curTime leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-25 | 8.8 | CVE-2025-8168 |
| D-Link--DIR-513 | A vulnerability classified as critical has been found in D-Link DIR-513 1.10. This affects the function formSetWanPPTPcallback of the file /goform/formSetWanPPTPpath of the component HTTP POST Request Handler. The manipulation of the argument curTime leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-25 | 8.8 | CVE-2025-8169 |
| D-Link--DIR-513 | A vulnerability was found in D-Link DIR-513 up to 1.10 and classified as critical. This issue affects the function formSetWanL2TPcallback of the file /goform/formSetWanL2TPtriggers of the component HTTP POST Request Handler. The manipulation leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-26 | 8.8 | CVE-2025-8184 |
| D3TN GmbH--D3TN | NULL Pointer Dereference in µD3TN via non-singleton destination Endpoint Identifier allows remote attacker to reliably cause DoS | 2025-07-25 | 7.5 | CVE-2025-8183 |
| Dahua--IPC | A vulnerability has been found in Dahua products. Attackers could exploit a buffer overflow vulnerability by sending specially crafted malicious packets, potentially causing service disruption (e.g., crashes) or remote code execution (RCE). Some devices may have deployed protection mechanisms such as Address Space Layout Randomization (ASLR), which reduces the likelihood of successful RCE exploitation. However, denial-of-service (DoS) attacks remain a concern. | 2025-07-23 | 8.1 | CVE-2025-31700 |
| Dahua--IPC | A vulnerability has been found in Dahua products. Attackers could exploit a buffer overflow vulnerability by sending specially crafted malicious packets, potentially causing service disruption (e.g., crashes) or remote code execution (RCE). Some devices may have deployed protection mechanisms such as Address Space Layout Randomization (ASLR), which reduces the likelihood of successful RCE exploitation. However, denial-of-service (DoS) attacks remain a concern. | 2025-07-23 | 8.1 | CVE-2025-31701 |
| databasebackup--WP Database Backup Unlimited Database & Files Backup by Backup for WP | The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection in versions before 5.2 via the mysqldump function. This vulnerability allows unauthenticated attackers to execute arbitrary commands on the host operating system. | 2025-07-25 | 9.8 | CVE-2019-25224 |
| den-media--hiWeb Export Posts | The hiWeb Export Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.0.0. This is due to missing or incorrect nonce validation on the tool-dashboard-history.php file. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php), via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-24 | 8.1 | CVE-2025-7640 |
| Digiwin--EAI | The EAI developed by Digiwin has a Privilege Escalation vulnerability, allowing remote attackers with regular privileges to elevate their privileges to administrator level via a specific API. | 2025-07-21 | 8.8 | CVE-2025-7344 |
| Digiwin--SFT | The SFT developed by Digiwin has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | 2025-07-21 | 9.8 | CVE-2025-7343 |
| Droip--Droip | The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-07-25 | 8.8 | CVE-2025-5831 |
| Droip--Droip | The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions as the AJAX hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more. | 2025-07-25 | 8.8 | CVE-2025-5835 |
| DuraComm Corporation--SPM-500 DP-10iN-100-MU | DuraComm SPM-500 DP-10iN-100-MU is vulnerable to a cross-site scripting attack. This could allow an attacker to prevent legitimate users from accessing the web interface. | 2025-07-22 | 8.1 | CVE-2025-41425 |
| DuraComm Corporation--SPM-500 DP-10iN-100-MU | DuraComm SPM-500 DP-10iN-100-MU lacks access controls for a function that should require user authentication. This could allow an attacker to repeatedly reboot the device. | 2025-07-22 | 7.5 | CVE-2025-48733 |
| DuraComm Corporation--SPM-500 DP-10iN-100-MU | DuraComm SPM-500 DP-10iN-100-MU transmits sensitive data without encryption over a channel that could be intercepted by attackers. | 2025-07-22 | 7.5 | CVE-2025-53703 |
| ELECOM CO.,LTD.--WRC-BE36QS-B | WRC-BE36QS-B and WRC-W701-B contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in WebGUI. If exploited, an arbitrary OS command may be executed by a remote attacker who can log in to WebGUI. | 2025-07-22 | 7.2 | CVE-2025-53472 |
| EmbedThis--GoAhead | goform/formTest in EmbedThis GoAhead 2.5 allows HTML injection via the name parameter. | 2025-07-25 | 7.2 | CVE-2023-53155 |
| Engeman--Web | A vulnerability classified as critical has been found in Engeman Web up to 12.0.0.1. Affected is an unknown function of the file /Login/RecoveryPass of the component Password Recovery Page. The manipulation of the argument LanguageCombobox leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-27 | 7.3 | CVE-2025-8220 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under specific circumstances, could have potentially allowed a successful attacker to trigger unintended content rendering leading to XSS. | 2025-07-23 | 8.7 | CVE-2025-4700 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 15.10 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an authenticated user to perform cross-site scripting attacks when the instance is served through certain content delivery networks. | 2025-07-23 | 7.7 | CVE-2025-4439 |
| gsayed786--Orion Login with SMS | The Orion Login with SMS plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.5. This is due to the olws_handle_verify_phone() function not utilizing a strong enough OTP value, exposing the hash needed to generate the OTP value, and no restrictions on the number of attempts to submit the code. This makes it possible for unauthenticated attackers to log in as other users, including administrators, if they have access to their phone number. | 2025-07-22 | 8.1 | CVE-2025-7692 |
| haxtheweb--issues | HAX CMS allows you to manage your microsite universe with PHP or NodeJs backends. In versions 11.0.13 and below of haxcms-nodejs and versions 11.0.8 and below of haxcms-php, API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interact with a resource before performing a given operation. The API endpoints within the HAX CMS application check if a user is authenticated, but don't check for authorization before performing an operation. This is fixed in versions 11.0.14 of haxcms-nodejs and 11.0.9 of haxcms-php. | 2025-07-26 | 8.3 | CVE-2025-54378 |
| haxtheweb--issues | HAX CMS NodeJS allows users to manage their microsite universe with a NodeJS backend. Versions 11.0.9 and below were distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys for JWTs. Users aren't prompted to change credentials or secrets during installation, and there is no way to change them through the UI. An unauthenticated attacker can read the default user credentials and JWT private keys from the public haxtheweb GitHub repositories. These credentials and keys can be used to access unconfigured self-hosted instances of the application, modify sites, and perform further attacks. This is fixed in version 11.0.10. | 2025-07-22 | 7.3 | CVE-2025-54137 |
| HCL Software--iAutomate | HCL iAutomate is affected by an insufficient session expiration. This allows tokens to remain valid indefinitely unless manually revoked, increasing the risk of unauthorized access. | 2025-07-24 | 7.1 | CVE-2025-31952 |
| HCL Software--iAutomate | HCL iAutomate includes hardcoded credentials which may result in potential exposure of confidential data if intercepted or accessed by unauthorized parties. | 2025-07-24 | 7.1 | CVE-2025-31953 |
| HCL Software--iAutomate | HCL iAutomate is affected by a sensitive data exposure vulnerability. This issue may allow unauthorized access to sensitive information within the system. | 2025-07-24 | 7.6 | CVE-2025-31955 |
| hogash--KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme | The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the delete_font() function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders on the server. | 2025-07-26 | 8.1 | CVE-2025-6989 |
| hogash--KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme | The kallyas theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.21.0 via the 'TH_LatestPosts4` widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included. | 2025-07-26 | 7.5 | CVE-2025-6991 |
| htplugins--Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) | The Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete-file' field in all versions up to, and including, 3.2.8. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, when an administrator deletes the submission, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-07-22 | 8.1 | CVE-2025-7645 |
| IBM--Engineering Systems Design Rhapsody | IBM Engineering Systems Design Rhapsody 9.0.2, 10.0, and 10.0.1 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system. | 2025-07-23 | 8.8 | CVE-2025-33076 |
| IBM--Engineering Systems Design Rhapsody | IBM Engineering Systems Design Rhapsody 9.0.2, 10.0, and 10.0.1 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system. | 2025-07-23 | 8.8 | CVE-2025-33077 |
| IBM--i | IBM i 7.2, 7.3, 7.4, 7.5, and 7.6 is vulnerable to a privilege escalation caused by an invalid database authority check. A bad actor could execute a database procedure or function without having all required permissions, in addition to causing denial of service for some database actions. | 2025-07-24 | 7.5 | CVE-2025-33109 |
| iqonicdesign--WPBookit | The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' route in all versions up to, and including, 1.0.6. The plugin's imageâ€Âupload handler calls move_uploaded_file() on clientâ€Âsupplied files without restricting allowed extensions or MIME types, nor sanitizing the filename. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-07-24 | 9.8 | CVE-2025-7852 |
| kyverno--kyverno | Kyverno is a policy engine designed for cloud native platform engineering teams. In versions 1.14.1 and below, a Denial of Service (DoS) vulnerability exists due to improper handling of JMESPath variable substitutions. Attackers with permissions to create or update Kyverno policies can craft expressions using the {{@}} variable combined with a pipe and an invalid JMESPath function (e.g., {{@ | non_existent_function }}). This leads to a nil value being substituted into the policy structure. Subsequent processing by internal functions, specifically getValueAsStringMap, which expect string values, results in a panic due to a type assertion failure (interface {} is nil, not string). This crashes Kyverno worker threads in the admission controller and causes continuous crashes of the reports controller pod. This is fixed in version 1.14.2. | 2025-07-23 | 7.7 | CVE-2025-47281 |
| Lantronix--Provisioning Manager | Lantronix Provisioning Manager is vulnerable to XML external entity attacks in configuration files supplied by network devices, leading to unauthenticated remote code execution on hosts with Provisioning Manager installed. | 2025-07-22 | 8 | CVE-2025-7766 |
| librenms--librenms | LibreNMS is an auto-discovering PHP/MySQL/SNMP based network monitoring which includes support for a wide range of network hardware and operating systems. LibreNMS versions 25.6.0 and below contain an architectural vulnerability in the ajax_form.php endpoint that permits Remote File Inclusion based on user-controlled POST input. The application directly uses the type parameter to dynamically include .inc.php files from the trusted path includes/html/forms/, without validation or allowlisting. This pattern introduces a latent Remote Code Execution (RCE) vector if an attacker can stage a file in this include path - for example, via symlink, development misconfiguration, or chained vulnerabilities. This is fixed in version 25.7.0. | 2025-07-22 | 7.5 | CVE-2025-54138 |
| LinuxServer--Heimdall | LinuxServer.io Heimdall before 2.7.3 allows XSS via the q parameter. | 2025-07-27 | 7.2 | CVE-2025-54597 |
| Manager-io--Manager | Manager-io/Manager is accounting software. A critical unauthenticated full read Server-Side Request Forgery (SSRF) vulnerability has been identified in the proxy handler component of both manager Desktop and Server edition versions up to and including 25.7.18.2519. This vulnerability allows an unauthenticated attacker to bypass network isolation and access restrictions, potentially enabling access to internal services, cloud metadata endpoints, and exfiltration of sensitive data from isolated network segments. This vulnerability is fixed in version 25.7.21.2525. | 2025-07-21 | 10 | CVE-2025-54122 |
| MB connect line--mbNET.mini | A high privileged remote attacker can execute arbitrary system commands via POST requests in the send_sms action due to improper neutralization of special elements used in an OS command. | 2025-07-21 | 7.2 | CVE-2025-41673 |
| MB connect line--mbNET.mini | A high privileged remote attacker can execute arbitrary system commands via POST requests in the diagnostic action due to improper neutralization of special elements used in an OS command. | 2025-07-21 | 7.2 | CVE-2025-41674 |
| MB connect line--mbNET.mini | A high privileged remote attacker can execute arbitrary system commands via GET requests in the cloud server communication script due to improper neutralization of special elements used in an OS command. | 2025-07-21 | 7.2 | CVE-2025-41675 |
| melapress--Melapress Login Security | The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. This makes it possible for unauthenticated attackers who know an arbitrary user meta value to bypass authentication checks and log in as that user. | 2025-07-26 | 9.8 | CVE-2025-6895 |
| Moderec--Tourtella | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Moderec Tourtella allows SQL Injection.This issue affects Tourtella: before 26.05.2025. | 2025-07-24 | 9.8 | CVE-2025-4784 |
| motovnet--Ebook Store | The Ebook Store plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ebook_store_save_form function in all versions up to, and including, 5.8012. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-07-24 | 9.8 | CVE-2025-7437 |
| N-Media--Website Contact Form With File Upload | The Website Contact Form With File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'upload_file()' function in versions up to, and including, 1.3.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | 2025-07-22 | 9.8 | CVE-2015-10137 |
| n/a--bun | Versions of the package bun after 0.0.12 are vulnerable to Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the $ shell API due to improper neutralization of user input. An attacker can exploit this by providing specially crafted input that includes command-line arguments or shell metacharacters, leading to unintended command execution. **Note:** This issue relates to the widely known and actively developed 'Bun' JavaScript runtime. The bun package on NPM at versions 0.0.12 and below belongs to a different and older project that happened to claim the 'bun' name in the past. | 2025-07-23 | 8.8 | CVE-2025-8022 |
| n/a--files-bucket-server | All versions of the package files-bucket-server are vulnerable to Directory Traversal where an attacker can traverse the file system and access files outside of the intended directory. | 2025-07-23 | 7.5 | CVE-2025-8021 |
| N/A--N/A | A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the elevated privileges normally reserved for a physically present, "allow_active" user. The highest risk is that the attacker can then perform all allow_active yes Polkit actions, which are typically restricted to console users, potentially gaining unauthorized control over system configurations, services, or other sensitive operations. | 2025-07-23 | 7.8 | CVE-2025-6018 |
| n/a--private-ip | All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide an IP or hostname that resolves to a multicast IP address (224.0.0.0/4) which is not included as part of the private IP ranges in the package's source code. | 2025-07-23 | 8.2 | CVE-2025-8020 |
| n/a--WP JobHunt | The WP JobHunt plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.2 via the cs_remove_profile_callback() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete accounts of other users including admins. | 2025-07-22 | 8.1 | CVE-2025-6585 |
| Network Thermostat--X-Series WiFi thermostats | The embedded web server on the thermostat listed version ranges contain a vulnerability that allows unauthenticated attackers, either on the local area network or from the Internet via a router with port forwarding set up, to gain direct access to the thermostat's embedded web server and reset user credentials by manipulating specific elements of the embedded web interface. | 2025-07-24 | 9.8 | CVE-2025-6260 |
| NI--LabVIEW | Out of bounds read vulnerability due to improper bounds checking in NI LabVIEW in lvre!UDecStrToNum that may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q1 and prior versions. | 2025-07-23 | 7.8 | CVE-2025-2633 |
| NI--LabVIEW | Out of bounds read vulnerability due to improper bounds checking in NI LabVIEW in fontmgr may result in information disclosure or arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted VI. This vulnerability affects NI LabVIEW 2025 Q1 and prior versions. | 2025-07-23 | 7.8 | CVE-2025-2634 |
| nik00726--Thumbnail carousel slider | The Responsive Thumbnail Slider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type sanitization in the via the image uploader in versions up to 1.0.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected sites server using a double extension which may make remote code execution possible. | 2025-07-25 | 8.8 | CVE-2015-10144 |
| nmedia--Frontend File Manager Plugin | The Frontend File Manager Plugin plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the wpfm_delete_multiple_files() function in all versions up to, and including, 21.5. This makes it possible for unauthenticated attackers to delete arbitrary posts. | 2025-07-25 | 7.5 | CVE-2023-7306 |
| nootheme--Realty Portal Agent | The Realty Portal - Agent plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the rp_user_profile() AJAX handler in versions 0.1.0 through 0.3.9. The handler reads the client-supplied meta key and value pairs from $_POST and passes them directly to update_user_meta() without restricting to a safe whitelist. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the wp_capabilities meta and grant themselves the administrator role. | 2025-07-23 | 8.8 | CVE-2025-6190 |
| OISF--libhtp | LibHTP is a security-aware parser for the HTTP protocol and its related bits and pieces. In versions 0.5.50 and below, there is a traffic-induced memory leak that can starve the process of memory, leading to loss of visibility. To workaround this issue, set `suricata.yaml app-layer.protocols.http.libhtp.default-config.lzma-enabled` to false. This issue is fixed in version 0.5.51. | 2025-07-23 | 7.5 | CVE-2025-53537 |
| OISF--suricata | Suricata is a network IDS, IPS and NSM engine developed by the OISF (Open Information Security Foundation) and the Suricata community. In versions 7.0.10 and below and 8.0.0-beta1 through 8.0.0-rc1, mishandling of data on HTTP2 stream 0 can lead to uncontrolled memory usage, leading to loss of visibility. Workarounds include disabling the HTTP/2 parser, and using a signature like drop http2 any any -> any any (frame:http2.hdr; byte_test:1,=,0,3; byte_test:4,=,0,5; sid: 1;) where the first byte test tests the HTTP2 frame type DATA and the second tests the stream id 0. This is fixed in versions 7.0.11 and 8.0.0. | 2025-07-22 | 7.5 | CVE-2025-53538 |
| onlyoffice--ONLYOFFICE Docs | The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. The plugin's permission callback only verifies that the supplied, encrypted attachment ID maps to an existing attachment post, but does not verify the requester's identity or capabilities. This makes it possible for unauthenticated attackers to log in as an arbitrary user. | 2025-07-24 | 9.8 | CVE-2025-6380 |
| PageLines--Platform | The Platform theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the *_ajax_save_options() function in all versions up to 1.4.4 (exclusive). This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. | 2025-07-25 | 9.8 | CVE-2015-10143 |
| paoltaia--GeoDirectory WP Business Directory Plugin and Classified Listings Directory | The GeoDirectory - WP Business Directory Plugin and Classified Listings Directory plugin for WordPress is vulnerable to time-based SQL Injection via the dist parameter in all versions up to, and including, 2.8.97 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-07-26 | 7.5 | CVE-2024-13507 |
| PAVO Inc.--PAVO Pay | Authorization Bypass Through User-Controlled Key vulnerability in PAVO Inc. PAVO Pay allows Exploitation of Trusted Identifiers.This issue affects PAVO Pay: before 13.05.2025. | 2025-07-21 | 7.5 | CVE-2025-4129 |
| PAVO Inc.--PAVO Pay | Use of Hard-coded Credentials vulnerability in PAVO Inc. PAVO Pay allows Read Sensitive Constants Within an Executable.This issue affects PAVO Pay: before 13.05.2025. | 2025-07-21 | 7.5 | CVE-2025-4130 |
| PHPGurukul--Local Services Search Engine Management System | A vulnerability classified as critical was found in PHPGurukul Local Services Search Engine Management System 2.1. Affected by this vulnerability is an unknown functionality of the file /admin/changeimage.php. The manipulation of the argument editid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-26 | 7.3 | CVE-2025-8179 |
| PowerDNS--Recursor | An attacker spoofing answers to ECS enabled requests sent out by the Recursor has a chance of success higher than non-ECS enabled queries. The updated version include various mitigations against spoofing attempts of ECS enabled queries by chaining ECS enabled requests and enforcing stricter validation of the received answers. The most strict mitigation done when the new setting outgoing.edns_subnet_harden (old style name edns-subnet-harden) is enabled. | 2025-07-21 | 7.5 | CVE-2025-30192 |
| psauxit--Nginx Cache Purge Preload | The Nginx Cache Purge Preload plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.1 via the 'nppp_preload_cache_on_update' function. This is due to insufficient sanitization of the $_SERVER['HTTP_REFERERER'] parameter passed from the 'nppp_handle_fastcgi_cache_actions_admin_bar' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. | 2025-07-22 | 7.2 | CVE-2025-6213 |
| pyload--pyload | pyLoad is a free and open-source Download Manager written in pure Python. In version 0.5.0b3.dev89, an authenticated path traversal vulnerability exists in the /json/upload endpoint of pyLoad. By manipulating the filename of an uploaded file, an attacker can traverse out of the intended upload directory, allowing them to write arbitrary files to any location on the system accessible to the pyLoad process. This may lead to: Remote Code Execution (RCE), local privilege escalation, system-wide compromise, persistence, and backdoors. This is fixed in version 0.5.0b3.dev90. | 2025-07-22 | 7.5 | CVE-2025-54140 |
| Rolantis Information Technologies--Agentis | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rolantis Information Technologies Agentis allows SQL Injection.This issue affects Agentis: before 4.32. | 2025-07-22 | 10 | CVE-2025-4285 |
| RooCodeInc--Roo-Code | Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.23.18 and below, RooCode does not validate line breaks (\n) in its command input, allowing potential bypass of the allow-list mechanism. The project appears to lack parsing or validation logic to prevent multi-line command injection. When commands are evaluated for execution, only the first line or token may be considered, enabling attackers to smuggle additional commands in subsequent lines. This is fixed in version 3.23.19. | 2025-07-23 | 7.8 | CVE-2025-54377 |
| Samsung Electronics--MagicINFO 9 Server | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0 | 2025-07-23 | 9.8 | CVE-2025-54438 |
| Samsung Electronics--MagicINFO 9 Server | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 9.8 | CVE-2025-54440 |
| Samsung Electronics--MagicINFO 9 Server | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 9.8 | CVE-2025-54442 |
| Samsung Electronics--MagicINFO 9 Server | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0 | 2025-07-23 | 9.8 | CVE-2025-54443 |
| Samsung Electronics--MagicINFO 9 Server | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 9.8 | CVE-2025-54444 |
| Samsung Electronics--MagicINFO 9 Server | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server.This issue affects MagicINFO 9 Server: less than 21.1080.0 | 2025-07-23 | 9.8 | CVE-2025-54446 |
| Samsung Electronics--MagicINFO 9 Server | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 9.8 | CVE-2025-54448 |
| Samsung Electronics--MagicINFO 9 Server | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 9.8 | CVE-2025-54449 |
| Samsung Electronics--MagicINFO 9 Server | Improper Control of Generation of Code ('Code Injection') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 9.8 | CVE-2025-54451 |
| Samsung Electronics--MagicINFO 9 Server | Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 9.1 | CVE-2025-54454 |
| Samsung Electronics--MagicINFO 9 Server | Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 9.1 | CVE-2025-54455 |
| Samsung Electronics--MagicINFO 9 Server | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 8.8 | CVE-2025-54439 |
| Samsung Electronics--MagicINFO 9 Server | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 8.8 | CVE-2025-54441 |
| Samsung Electronics--MagicINFO 9 Server | Improper Restriction of XML External Entity Reference vulnerability in Samsung Electronics MagicINFO 9 Server allows Server Side Request Forgery.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 8.2 | CVE-2025-54445 |
| Samsung Electronics--MagicINFO 9 Server | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 8.1 | CVE-2025-54447 |
| Samsung Electronics--MagicINFO 9 Server | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 8.8 | CVE-2025-54453 |
| Samsung Electronics--MagicINFO 9 Server | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 7.2 | CVE-2025-54450 |
| Samsung Electronics--MagicINFO 9 Server | Improper Authentication vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass.This issue affects MagicINFO 9 Server: less than 21.1080.0. | 2025-07-23 | 7.3 | CVE-2025-54452 |
| Shenzhen Libituo Technology--LBT-T300-T310 | A vulnerability was found in Shenzhen Libituo Technology LBT-T300-T310 2.2.3.6. It has been rated as critical. Affected by this issue is the function sub_40B6F0 of the file at/appy.cgi. The manipulation of the argument wan_proto leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-22 | 8.8 | CVE-2025-8019 |
| Simopro Technology--WinMatrix3 | WinMatrix3 developed by Simopro Technology has an Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted serialized contents. | 2025-07-21 | 9.8 | CVE-2025-7916 |
| Simopro Technology--WinMatrix3 Web package | WinMatrix3 Web package developed by Simopro Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | 2025-07-21 | 9.8 | CVE-2025-7918 |
| Simopro Technology--WinMatrix3 Web package | WinMatrix3 Web package developed by Simopro Technology has an Arbitrary File Upload vulnerability, allowing remote attackers with administrator privileges to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2025-07-21 | 7.2 | CVE-2025-7917 |
| Simplehelp--Simplehelp | Inclusion of Functionality from Untrusted Control Sphere vulnerability in Simplehelp.This issue affects Simplehelp: before 5.5.12. | 2025-07-25 | 8.3 | CVE-2025-36727 |
| SMG Software--Information Portal | Unrestricted Upload of File with Dangerous Type, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SMG Software Information Portal allows Code Injection, Upload a Web Shell to a Web Server, Code Inclusion.This issue affects Information Portal: before 13.06.2025. | 2025-07-24 | 10 | CVE-2025-5243 |
| SolarWinds--SolarWinds Observability Self-Hosted | SolarWinds Observability Self-Hosted is susceptible to Deserialization of Untrusted Data Local Privilege Escalation vulnerability. An attacker with low privileges can escalate privileges to run malicious files copied to a permission-protected folder. This vulnerability requires authentication from a low-level account and local access to the host server. | 2025-07-24 | 7.8 | CVE-2025-26397 |
| Sophos--Sophos Firewall | An arbitrary file writing vulnerability in the Secure PDF eXchange (SPX) feature of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to pre-auth remote code execution, if a specific configuration of SPX is enabled in combination with the firewall running in High Availability (HA) mode. | 2025-07-21 | 9.8 | CVE-2025-6704 |
| Sophos--Sophos Firewall | An SQL injection vulnerability in the legacy (transparent) SMTP proxy of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to remote code execution, if a quarantining policy is active for Email and SFOS was upgraded from a version older than 21.0 GA. | 2025-07-21 | 9.8 | CVE-2025-7624 |
| Sophos--Sophos Firewall | A business logic vulnerability in the Up2Date component of Sophos Firewall older than version 21.0 MR1 (20.0.1) can lead to attackers controlling the firewall's DNS environment to achieve remote code execution. | 2025-07-21 | 8.1 | CVE-2024-13974 |
| Sophos--Sophos Firewall | A command injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR2 (21.0.2) can lead to adjacent attackers achieving pre-auth code execution on High Availability (HA) auxiliary devices, if OTP authentication for the admin user is enabled. | 2025-07-21 | 8.8 | CVE-2025-7382 |
| steverio--Social Streams | The Social Streams plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.1. This is due to the plugin not properly validating a user's identity prior to updating their user meta information in the update_user_meta() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change their user type to that of an administrator. | 2025-07-23 | 8.8 | CVE-2025-7722 |
| Synology--Synology Router Manager (SRM) | Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to execute arbitrary code via unspecified vectors. | 2025-07-23 | 7.2 | CVE-2024-53286 |
| Tenda--AC10 | A vulnerability classified as critical has been found in Tenda AC10 16.03.10.13. Affected is an unknown function of the file /goform/RequestsProcessLaid. The manipulation of the argument device1D leads to heap-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-26 | 8.8 | CVE-2025-8178 |
| Tenda--AC20 | A vulnerability was found in Tenda AC20 16.03.08.05. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /goform/SetStaticRouteCfg. The manipulation of the argument list leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 8.8 | CVE-2025-8131 |
| Tenda--AC20 | A vulnerability classified as critical has been found in Tenda AC20 up to 16.03.08.12. Affected is an unknown function of the file /goform/SetSysTimeCfg of the component httpd. The manipulation of the argument timeZone leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 8.8 | CVE-2025-8160 |
| Tenda--AC23 | A vulnerability has been found in Tenda AC23 16.03.07.52 and classified as critical. Affected by this vulnerability is the function sub_46C940 of the file /goform/setMacFilterCfg of the component httpd. The manipulation of the argument deviceList leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-23 | 8.8 | CVE-2025-8060 |
| Tenda--AC6 | A vulnerability has been found in Tenda AC6 15.03.06.50 and classified as critical. Affected by this vulnerability is the function setparentcontrolinfo of the component httpd. The manipulation leads to buffer overflow. The attack can be launched remotely. | 2025-07-21 | 8.8 | CVE-2025-7914 |
| Tenda--AC7 | A vulnerability was found in Tenda AC7 15.03.06.44. It has been classified as critical. Affected is the function formSetMacFilterCfg of the file /goform/setMacFilterCfg of the component httpd. The manipulation of the argument deviceList leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-22 | 8.8 | CVE-2025-8017 |
| Tenda--CH22 | A vulnerability, which was classified as critical, has been found in Tenda CH22 1.0.0.1. Affected by this issue is the function formdeleteUserName of the file /goform/deleteUserName. The manipulation of the argument old_account leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-26 | 8.8 | CVE-2025-8180 |
| ThemeMove--MinimogWP The High Converting eCommerce WordPress Theme | The MinimogWP - The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.9.0. This is due to an insufficient check on quantity values when changing quantities in the cart. This makes it possible for unauthenticated attackers to add items to the cart and adjust the quantity to a fractional amount, causing the price to change based on the fractional amount. The vulnerability cannot be exploited if WooCommerce version 9.8.2+ is installed. | 2025-07-26 | 7.5 | CVE-2025-8198 |
| tj-actions--branch-names | tj-actions/branch-names is a Github actions repository that contains workflows to retrieve branch or tag names with support for all events. In versions 8.2.1 and below, a critical vulnerability has been identified in the tj-actions/branch-names' GitHub Action workflow which allows arbitrary command execution in downstream workflows. This issue arises due to inconsistent input sanitization and unescaped output, enabling malicious actors to exploit specially crafted branch names or tags. While internal sanitization mechanisms have been implemented, the action outputs remain vulnerable, exposing consuming workflows to significant security risks. This is fixed in version 9.0.0 | 2025-07-26 | 9.1 | CVE-2025-54416 |
| tobias_conrad--Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition | The Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition plugin for WordPress is vulnerable to unauthenticated login token generation due to a missing capability check on the `webinarignition_sign_in_support_staff` and `webinarignition_register_support` functions in all versions up to, and including, 4.03.31. This makes it possible for unauthenticated attackers to generate login tokens for arbitrary WordPress users under certain circumstances, issuing authorization cookies which can lead to authentication bypass. | 2025-07-24 | 9.8 | CVE-2025-6441 |
| TOTOLINK--A702R | A vulnerability, which was classified as critical, was found in TOTOLINK A702R 4.0.0-B20230721.1521. Affected is an unknown function of the file /boafrm/formFilter of the component HTTP POST Request Handler. The manipulation of the argument ip6addr leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 8.8 | CVE-2025-8136 |
| TOTOLINK--A702R | A vulnerability has been found in TOTOLINK A702R 4.0.0-B20230721.1521 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /boafrm/formIpQoS of the component HTTP POST Request Handler. The manipulation of the argument mac leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 8.8 | CVE-2025-8137 |
| TOTOLINK--A702R | A vulnerability was found in TOTOLINK A702R 4.0.0-B20230721.1521 and classified as critical. Affected by this issue is some unknown functionality of the file /boafrm/formOneKeyAccessButton of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 8.8 | CVE-2025-8138 |
| TOTOLINK--A702R | A vulnerability was found in TOTOLINK A702R 4.0.0-B20230721.1521. It has been classified as critical. This affects an unknown part of the file /boafrm/formPortFw of the component HTTP POST Request Handler. The manipulation of the argument service_type leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 8.8 | CVE-2025-8139 |
| TOTOLINK--A702R | A vulnerability was found in TOTOLINK A702R 4.0.0-B20230721.1521. It has been declared as critical. This vulnerability affects unknown code of the file /boafrm/formWlanMultipleAP of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 8.8 | CVE-2025-8140 |
| TOTOLINK--N600R | A vulnerability, which was classified as critical, was found in TOTOLINK N600R and X2000R 1.0.0.1. This affects an unknown part of the file vsftpd.conf of the component FTP Service. The manipulation leads to least privilege violation. It is possible to initiate the attack remotely. | 2025-07-26 | 7.2 | CVE-2025-8181 |
| TOTOLINK--T6 | A vulnerability classified as critical was found in TOTOLINK T6 4.1.5cu.748_B20211015. This vulnerability affects the function tcpcheck_net of the file /router/meshSlaveDlfw of the component MQTT Packet Handler. The manipulation of the argument serverIp leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 8.8 | CVE-2025-8170 |
| TOTOLINK--X15 | A vulnerability has been found in TOTOLINK X15 1.0.0-B20230714.1105 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formFilter of the component HTTP POST Request Handler. The manipulation of the argument ip6addr/url/vpnPassword/vpnUser leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 8.8 | CVE-2025-8242 |
| TOTOLINK--X15 | A vulnerability was found in TOTOLINK X15 1.0.0-B20230714.1105 and classified as critical. This issue affects some unknown processing of the file /boafrm/formMapDel of the component HTTP POST Request Handler. The manipulation of the argument devicemac1 leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 8.8 | CVE-2025-8243 |
| TOTOLINK--X15 | A vulnerability was found in TOTOLINK X15 1.0.0-B20230714.1105. It has been classified as critical. Affected is an unknown function of the file /boafrm/formMapDelDevice of the component HTTP POST Request Handler. The manipulation of the argument macstr leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 8.8 | CVE-2025-8244 |
| TOTOLINK--X15 | A vulnerability was found in TOTOLINK X15 1.0.0-B20230714.1105. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /boafrm/formMultiAPVLAN of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 8.8 | CVE-2025-8245 |
| TOTOLINK--X15 | A vulnerability was found in TOTOLINK X15 1.0.0-B20230714.1105. It has been rated as critical. Affected by this issue is some unknown functionality of the file /boafrm/formRoute of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 8.8 | CVE-2025-8246 |
| translated--lara-mcp | Lara Translate MCP Server is a Model Context Protocol (MCP) Server for Lara Translate API. Versions 0.0.11 and below contain a command injection vulnerability which exists in the @translated/lara-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). This vulnerability is fixed in version 0.0.12. | 2025-07-21 | 7.5 | CVE-2025-53832 |
| Turpak--Automatic Station Monitoring System | Authorization Bypass Through User-Controlled Key vulnerability in Turpak Automatic Station Monitoring System allows Privilege Escalation.This issue affects Automatic Station Monitoring System: before 5.0.6.51. | 2025-07-21 | 7.1 | CVE-2025-4040 |
| Turtek Software--Eyotek | Authorization Bypass Through User-Controlled Key vulnerability in Turtek Software Eyotek allows Exploitation of Trusted Identifiers.This issue affects Eyotek: before 11.03.2025. | 2025-07-21 | 7.5 | CVE-2025-1469 |
| Two App Studio--Journey | Insufficient protection against brute-force and runtime manipulation in the local authentication component in Two App Studio Journey 5.5.6 on iOS allows local attackers to bypass biometric and PIN-based access control via repeated PIN attempts or dynamic code injection. | 2025-07-21 | 7.8 | CVE-2025-41459 |
| viewvc--viewvc | ViewVC is a browser interface for CVS and Subversion version control repositories. In versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3, the standalone.py script provided in the ViewVC distribution can expose the contents of the host server's filesystem though a directory traversal-style attack. This is fixed in versions 1.1.31 and 1.2.4. | 2025-07-22 | 7.5 | CVE-2025-54141 |
| VMware--bitnamicharts/appsmith | Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could retrieve these secrets by accessing specific URLs if the application is exposed externally. The issue affects deployments using the default value of usePasswordFiles=true, which mounts secrets as files into the container filesystem. | 2025-07-24 | 10 | CVE-2025-41240 |
| WebMovementLLC--FoxyPress | The FoxyPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the uploadify.php file in versions up to, and including, 0.4.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | 2025-07-22 | 9.8 | CVE-2012-10020 |
| Weidmueller--IE-SR-2TX-WL | An unauthenticated remote attacker may use a stack based buffer overflow in the u-link Management API to gain full access on the affected devices. | 2025-07-23 | 9.8 | CVE-2025-41687 |
| Weidmueller--IE-SR-2TX-WL | An authenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of improper sanitizing of user input in the Main Web Interface (endpoint event_mail_test). | 2025-07-23 | 8.8 | CVE-2025-41683 |
| Weidmueller--IE-SR-2TX-WL | An authenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of improper sanitizing of user input in the Main Web Interface (endpoint tls_iotgen_setting). | 2025-07-23 | 8.8 | CVE-2025-41684 |
| WWBN--AVideo | A cross-site scripting (xss) vulnerability exists in the userLogin cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability. | 2025-07-24 | 9.6 | CVE-2025-41420 |
| WWBN--AVideo | A cross-site scripting (xss) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability. | 2025-07-24 | 9.6 | CVE-2025-46410 |
| WWBN--AVideo | A cross-site scripting (xss) vulnerability exists in the videoNotFound 404ErrorMsg parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability. | 2025-07-24 | 9.6 | CVE-2025-50128 |
| WWBN--AVideo | A cross-site scripting (xss) vulnerability exists in the videosList page parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability. | 2025-07-24 | 9 | CVE-2025-53084 |
| WWBN--AVideo | A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A series of specially crafted HTTP request can lead to arbitrary code execution. | 2025-07-24 | 8.8 | CVE-2025-25214 |
| WWBN--AVideo | A cross-site scripting (xss) vulnerability exists in the LoginWordPress loginForm cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary Javascript execution. An attacker can get a user to visit a webpage to trigger this vulnerability. | 2025-07-24 | 8.3 | CVE-2025-36548 |
| WWBN--AVideo | An incomplete blacklist exists in the .htaccess sample of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to a arbitrary code execution. An attacker can request a .phar file to trigger this vulnerability. | 2025-07-24 | 7.3 | CVE-2025-48732 |
| yt-dlp--yt-dlp | yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder (or {}), insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the mitigation for CVE-2024-22423 where the default placeholder and {} were not covered by the new escaping rules. Windows users who are unable to upgrade should avoid using --exec altogether. Instead, the --write-info-json or --dump-json options could be used, with an external script or command line consuming the JSON output. This is fixed in version 2025.07.21. | 2025-07-22 | 7.5 | CVE-2025-54072 |
| zmievsa--cadwyn | Cadwyn creates production-ready community-driven modern Stripe-like API versioning in FastAPI. In versions before 5.4.3, the version parameter of the "/docs" endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on Cadwyn via a one-click attack. The vulnerability has been fixed in version 5.4.3. | 2025-07-21 | 7.6 | CVE-2025-53528 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 995525477-1--Video and Audio Player for WordPress Mine CloudVod LMS | Mine CloudVod plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'audio' parameter in all versions up to, and including, 2.1.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-24 | 6.4 | CVE-2025-8071 |
| ABB--AC500 V2 | Buffer Over-read vulnerability in ABB AC500 V2.This issue affects AC500 V2: through 2.5.2. | 2025-07-24 | 5.8 | CVE-2025-7745 |
| ABB--Switch Actuator 4 DU-83330 | : Active Debug Code vulnerability in ABB Switch Actuator 4 DU-83330, ABB Switch actuator, door/light 4 DU -83330-500.This issue affects Switch Actuator 4 DU-83330: All Versions; Switch actuator, door/light 4 DU -83330-500: All Versions. | 2025-07-22 | 6.8 | CVE-2025-7705 |
| Abnormal AI--Abnormal Security | Abnormal Security /v1.0/rbac/users_v2/{USER_ID}/ before 2025-02-19 allows downgrading the privileges of other user accounts. | 2025-07-25 | 4.3 | CVE-2025-54596 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-07-24 | 5.4 | CVE-2025-46993 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-07-24 | 5.4 | CVE-2025-46996 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. | 2025-07-24 | 5.4 | CVE-2025-47061 |
| Akbim Software--Online Exam Registration | Authorization Bypass Through User-Controlled Key vulnerability in Akbim Software Online Exam Registration allows Exploitation of Trusted Identifiers.This issue affects Online Exam Registration: before 14.03.2025. | 2025-07-21 | 4.4 | CVE-2025-2301 |
| alexalouit--WP Wallcreeper | The WP Wallcreeper plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_notices hook in all versions up to, and including, 1.6.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable and disable caching. | 2025-07-24 | 4.3 | CVE-2025-7822 |
| anop-goswami--Latest Post Accordian Slider | The Latest Post Accordian Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the 'lpaccordian' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-22 | 6.1 | CVE-2025-7687 |
| bdthemes--Pixel Gallery Addons for Elementor Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery | The Pixel Gallery Addons for Elementor - Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in all widgets in all versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-22 | 6.4 | CVE-2025-7644 |
| Campcodes--Courier Management System | A vulnerability was found in Campcodes Courier Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /edit_branch.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-26 | 6.3 | CVE-2025-8186 |
| Campcodes--Courier Management System | A vulnerability was found in Campcodes Courier Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /edit_parcel.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-26 | 6.3 | CVE-2025-8187 |
| Campcodes--Courier Management System | A vulnerability classified as critical has been found in Campcodes Courier Management System 1.0. This affects an unknown part of the file /edit_staff.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-26 | 6.3 | CVE-2025-8188 |
| Campcodes--Courier Management System | A vulnerability classified as critical was found in Campcodes Courier Management System 1.0. This vulnerability affects unknown code of the file /edit_user.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-26 | 6.3 | CVE-2025-8189 |
| Campcodes--Courier Management System | A vulnerability, which was classified as critical, has been found in Campcodes Courier Management System 1.0. This issue affects some unknown processing of the file /print_pdets.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-26 | 6.3 | CVE-2025-8190 |
| Campcodes--Courier Management System | A vulnerability classified as critical has been found in Campcodes Courier Management System 1.0. This affects an unknown part of the file /parcel_list.php. The manipulation of the argument s leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 6.3 | CVE-2025-8229 |
| Campcodes--Courier Management System | A vulnerability classified as critical was found in Campcodes Courier Management System 1.0. This vulnerability affects unknown code of the file /manage_user.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 6.3 | CVE-2025-8230 |
| Canara--ai1 Mobile Banking App | A vulnerability was found in Canara ai1 Mobile Banking App 3.6.23 on Android and classified as problematic. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.canarabank.mobility. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-26 | 5.3 | CVE-2025-8207 |
| cbutlerjr--WP-Members Membership Plugin | The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpmem_login_link' shortcode in all versions up to, and including, 3.5.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-22 | 6.4 | CVE-2025-7495 |
| cleverplugins--Security Ninja WordPress Security Plugin & Firewall | The Security Ninja - WordPress Security Plugin & Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.242 via the 'get_file_source' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to extract sensitive data, including the contents of any file on the server. | 2025-07-24 | 4.9 | CVE-2025-8009 |
| code-projects--Document Management System | A vulnerability, which was classified as critical, has been found in code-projects Document Management System 1.0. This issue affects some unknown processing of the file /insert.php. The manipulation of the argument uploaded_file leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8171 |
| code-projects--Food Ordering Review System | A vulnerability was found in code-projects Food Ordering Review System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /user/reservation_page.php. The manipulation of the argument reg_Id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-22 | 6.3 | CVE-2025-8018 |
| code-projects--Food Review System | A vulnerability was found in code-projects Food Review System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/approve_reservation.php. The manipulation of the argument occasion leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8165 |
| code-projects--Public Chat Room | A vulnerability has been found in code-projects Public Chat Room 1.0 and classified as critical. This vulnerability affects unknown code of the file send_message.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8164 |
| code-projects--Voting System | A vulnerability was found in code-projects Voting System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/candidates_add.php. The manipulation of the argument photo leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-26 | 6.3 | CVE-2025-8174 |
| codemacher--Structured Content (JSON-LD) #wpsc | The Structured Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's sc_fs_local_business shortcode in all versions up to, and including, 1.6.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-24 | 6.4 | CVE-2025-4608 |
| D-Link--DI-8400 | A vulnerability was found in D-Link DI-8400 16.07.26A1. It has been classified as problematic. This affects an unknown part of the file usb_paswd.asp of the component jhttpd. The manipulation of the argument share_enable leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-26 | 6.5 | CVE-2025-8175 |
| D-Link--DIR-890L | A vulnerability, which was classified as critical, has been found in D-Link DIR-890L up to 111b04. This issue affects some unknown processing of the file rgbin of the component UART Port. The manipulation leads to hard-coded credentials. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-27 | 6.8 | CVE-2025-8231 |
| D-Link--DIR817L | A vulnerability classified as critical has been found in D-Link DIR‑817L up to 1.04B01. This affects the function lxmldbc_system of the file ssdpcgi. The manipulation leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 6.3 | CVE-2025-7932 |
| Dataprom Informatics--PACS-ACSS | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dataprom Informatics PACS-ACSS allows Cross-Site Scripting (XSS).This issue affects PACS-ACSS: before 16.05.2025. | 2025-07-23 | 6.5 | CVE-2025-4411 |
| deerwms--deer-wms-2 | A vulnerability was found in deerwms deer-wms-2 up to 3.3. It has been classified as critical. Affected is an unknown function of the file /system/dept/edit. The manipulation of the argument ancestors leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-24 | 6.3 | CVE-2025-8123 |
| deerwms--deer-wms-2 | A vulnerability was found in deerwms deer-wms-2 up to 3.3. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /system/role/authUser/unallocatedList. The manipulation of the argument params[dataScope] leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-24 | 6.3 | CVE-2025-8124 |
| deerwms--deer-wms-2 | A vulnerability was found in deerwms deer-wms-2 up to 3.3. It has been rated as critical. Affected by this issue is some unknown functionality of the file /system/role/authUser/allocatedList. The manipulation of the argument params[dataScope] leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8125 |
| deerwms--deer-wms-2 | A vulnerability classified as critical has been found in deerwms deer-wms-2 up to 3.3. This affects an unknown part of the file /system/user/export. The manipulation of the argument params[dataScope] leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8126 |
| deerwms--deer-wms-2 | A vulnerability classified as critical was found in deerwms deer-wms-2 up to 3.3. This vulnerability affects unknown code of the file /system/user/list. The manipulation of the argument params[dataScope] leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8127 |
| deerwms--deer-wms-2 | A vulnerability classified as critical was found in deerwms deer-wms-2 up to 3.3. Affected by this vulnerability is an unknown functionality of the file /system/role/export. The manipulation of the argument params[dataScope] leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8161 |
| deerwms--deer-wms-2 | A vulnerability, which was classified as critical, has been found in deerwms deer-wms-2 up to 3.3. Affected by this issue is some unknown functionality of the file /system/dept/list. The manipulation of the argument params[dataScope] leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8162 |
| deerwms--deer-wms-2 | A vulnerability, which was classified as critical, was found in deerwms deer-wms-2 up to 3.3. This affects an unknown part of the file /system/role/list. The manipulation of the argument params[dataScope] leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8163 |
| Dell--AppSync | Dell AppSync, version(s) 4.6.0.0, contains an Unrestricted Upload of File with Dangerous Type vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote execution. | 2025-07-21 | 6.6 | CVE-2025-32744 |
| Dell--AppSync | Dell AppSync, version(s) 4.6.0.0, contains an Improper Restriction of XML External Entity Reference vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure and Information tampering. | 2025-07-21 | 4.2 | CVE-2025-36603 |
| Dell--PowerScale OneFS | Dell PowerScale OneFS, versions prior to 9.11.0.0, contains a use of a broken or risky cryptographic algorithm vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 2025-07-21 | 4.4 | CVE-2025-30477 |
| ejmahler--transpose | The transpose crate before 0.2.3 for Rust allows an integer overflow via input_width and input_height arguments. | 2025-07-27 | 4.5 | CVE-2023-53156 |
| ejointjp--WP Applink | The WP Applink plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' parameter in all versions up to, and including, 0.4.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-24 | 6.4 | CVE-2025-6385 |
| ELECOM CO.,LTD.--WRC-BE36QS-B | Hidden functionality issue exists in WRC-BE36QS-B and WRC-W701-B. If exploited, the product's hidden debug function may be enabled by a remote attacker who can log in to WebGUI. | 2025-07-22 | 4.9 | CVE-2025-46267 |
| encode--starlette | Starlette is a lightweight ASGI (Asynchronous Server Gateway Interface) framework/toolkit, designed for building async web services in Python. In versions 0.47.1 and below, when parsing a multi-part form with large files (greater than the default max spool size) starlette will block the main thread to roll the file over to disk. This blocks the event thread which means the application can't accept new connections. The UploadFile code has a minor bug where instead of just checking for self._in_memory, the logic should also check if the additional bytes will cause a rollover. The vulnerability is fixed in version 0.47.2. | 2025-07-21 | 5.3 | CVE-2025-54121 |
| espocrm--espocrm | EspoCRM is an Open Source CRM (Customer Relationship Management) software. EspoCRM versions 9.1.6 and earlier are vulnerable to blind LDAP Injection when LDAP authentication is enabled. A remote, unauthenticated attacker can manipulate LDAP queries by injecting crafted input containing wildcard characters (e.g., *). This may allow the attacker to bypass authentication controls, enumerate valid usernames, or retrieve sensitive directory information depending on the LDAP server configuration. This was fixed in version 9.1.7. | 2025-07-21 | 6.5 | CVE-2025-52575 |
| etruel--WPeMatico RSS Feed Fetcher | The WPeMatico RSS Feed Fetcher plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.7. This is due to missing nonce validation in the handle_feedback_submission() function. This makes it possible for unauthenticated attackers to deactivate the plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-26 | 4.3 | CVE-2025-8103 |
| fleetwire--Fleetwire Fleet Management | The Fleetwire Fleet Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fleetwire_list shortcode in all versions up to, and including, 1.0.19 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-23 | 6.4 | CVE-2025-6261 |
| funnelcockpit--FunnelCockpit | The FunnelCockpit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'error' parameter in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrative user into performing an action such as clicking on a link. | 2025-07-24 | 6.1 | CVE-2025-6588 |
| fuyang_lipengjun--platform | A vulnerability, which was classified as critical, has been found in fuyang_lipengjun platform up to ca9aceff6902feb7b0b6bf510842aea88430796a. This issue affects the function queryPage of the file platform-schedule/src/main/java/com/platform/controller/ScheduleJobController.java. The manipulation of the argument beanName leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | 2025-07-21 | 6.3 | CVE-2025-7934 |
| fuyang_lipengjun--platform | A vulnerability, which was classified as critical, was found in fuyang_lipengjun platform up to ca9aceff6902feb7b0b6bf510842aea88430796a. Affected is the function SysLogController of the file platform-admin/src/main/java/com/platform/controller/SysLogController.java. The manipulation of the argument key leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | 2025-07-21 | 6.3 | CVE-2025-7935 |
| fuyang_lipengjun--platform | A vulnerability has been found in fuyang_lipengjun platform up to ca9aceff6902feb7b0b6bf510842aea88430796a and classified as critical. Affected by this vulnerability is the function queryPage of the file com/platform/controller/ScheduleJobLogController.java. The manipulation of the argument beanName/methodName leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | 2025-07-21 | 6.3 | CVE-2025-7936 |
| Genshin--Albedo Cat House App | A vulnerability was found in Genshin Albedo Cat House App 1.0.2 on Android. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.house.auscat. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 5.3 | CVE-2025-7940 |
| gerkin--iThoughts Advanced Code Editor | The iThoughts Advanced Code Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.10. This is due to missing or incorrect nonce validation on the 'ithoughts_ace_update_options' AJAX action. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-24 | 4.3 | CVE-2025-7835 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed an unauthorized user to access custom service desk email addresses. | 2025-07-24 | 4.3 | CVE-2025-0765 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions starting from 15.4 before 18.0.5, all versions starting from 18.1 before 18.1.3, all versions starting from 18.2 before 18.2.1 that, under circumstances, could have allowed an unauthorized user to read deployment job logs by sending a crafted request. | 2025-07-24 | 4.3 | CVE-2025-1299 |
| GitLab--GitLab | An issue has been discovered in GitLab EE affecting all versions from 17.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that, under certain circumstances, could have allowed an attacker to access internal notes in GitLab Duo responses. | 2025-07-24 | 4.3 | CVE-2025-4976 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed priviledged users to access certain resource_group information through the API which should have been unavailable. | 2025-07-24 | 4.3 | CVE-2025-7001 |
| gn_themes--WP Shortcodes Plugin Shortcodes Ultimate | The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-21 | 6.4 | CVE-2025-7354 |
| gn_themes--WP Shortcodes Plugin Shortcodes Ultimate | The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 7.4.2. This is due to missing or incorrect nonce validation on the preview function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. In combination with CVE-2025-7354, it leads to Reflected Cross-Site Scripting. | 2025-07-21 | 6.1 | CVE-2025-7369 |
| gn_themes--WP Shortcodes Plugin Shortcodes Ultimate | The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via an uploaded image's 'Title' and 'Slide link' fields in all versions up to, and including, 7.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-22 | 6.4 | CVE-2025-8015 |
| goharbor--harbor | Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS code. This is fixed in versions 2.11.3 and 2.12.3. | 2025-07-23 | 4.1 | CVE-2025-32019 |
| gutentor--Gutentor Gutenberg Blocks Page Builder for Gutenberg Editor | The Gutentor - Gutenberg Blocks - Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML data attributes of multiple widgets, in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-21 | 6.4 | CVE-2025-4685 |
| haxtheweb--issues | HAXiam is a packaging wrapper for HAXcms which allows anyone to spawn their own microsite management platform. In versions 11.0.4 and below, the application returns a 200 response when requesting the data of a valid user and a 404 response when requesting the data of an invalid user. This can be used to infer the existence of valid user accounts. An authenticated attacker can use automated tooling to brute force potential usernames and use the application's response to identify valid accounts. This can be used in conjunction with other vulnerabilities, such as the lack of authorization checks, to enumerate and deface another user's sites. This is fixed in version 11.0.5. | 2025-07-21 | 4.3 | CVE-2025-54129 |
| haxtheweb--issues | HAX CMS allows users to manage their microsite universe with a NodeJS or PHP backend. In haxcms-nodejs versions 11.0.12 and below and in haxcms-php versions 11.0.7 and below, all pages within the HAX CMS application do not contain headers to prevent other websites from loading the site within an iframe. This applies to both the CMS and generated sites. An unauthenticated attacker can load the standalone login page or other sensitive functionality within an iframe, performing a UI redressing attack (clickjacking). This can be used to perform social engineering attacks to attempt to coerce users into performing unintended actions within the HAX CMS application. This is fixed in haxcms-nodejs version 11.0.13 and haxcms-php 11.0.8. | 2025-07-22 | 4.3 | CVE-2025-54139 |
| HotelRunner--B2B | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in HotelRunner B2B allows Cross-Site Scripting (XSS).This issue affects B2B: before 04.06.2025. | 2025-07-22 | 4.8 | CVE-2025-4294 |
| HotelRunner--B2B | Improper Validation of Certificate with Host Mismatch vulnerability in HotelRunner B2B allows HTTP Response Splitting.This issue affects B2B: before 04.06.2025. | 2025-07-22 | 4.6 | CVE-2025-4295 |
| HotelRunner--B2B | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in HotelRunner B2B allows Forceful Browsing.This issue affects B2B: before 04.06.2025. | 2025-07-23 | 4.7 | CVE-2025-4296 |
| IBM--Cognos Analytics Mobile | IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 could allow malicious actors to view and modify information coming to and from the application which could then be used to access confidential information on the device or network by using a the deprecated or misconfigured AFNetworking library at runtime. | 2025-07-21 | 6.5 | CVE-2025-36106 |
| IBM--Cognos Analytics Mobile | IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 is vulnerable to authentication bypass by using the Local Authentication Framework library which is not needed as biometric authentication is not used in the application. | 2025-07-21 | 5.2 | CVE-2025-36057 |
| IBM--Cognos Analytics Mobile | IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 could be vulnerable to information exposure due to the use of unencrypted network traffic. | 2025-07-21 | 5.9 | CVE-2025-36062 |
| IBM--Cognos Analytics Mobile | IBM Cognos Analytics Mobile (iOS) 1.1.0 through 1.1.22 could allow malicious actors to obtain sensitive information due to the cleartext transmission of data. | 2025-07-21 | 5.9 | CVE-2025-36107 |
| IBM--Db2 Mirror for i | IBM Db2 Mirror for i 7.4, 7.5, and 7.6 GUI is affected by cross-site WebSocket hijacking vulnerability. By sending a specially crafted request, an unauthenticated malicious actor could exploit this vulnerability to sniff an existing WebSocket connection to then remotely perform operations that the user is not allowed to perform. | 2025-07-23 | 6.3 | CVE-2025-36116 |
| IBM--Db2 Mirror for i | IBM Db2 Mirror for i 7.4, 7.5, and 7.6 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system. | 2025-07-23 | 6.3 | CVE-2025-36117 |
| IBM--Engineering Systems Design Rhapsody | IBM Engineering Systems Design Rhapsody 9.0.2, 10.0, and 10.0.1 transmits sensitive information without encryption that could allow an attacker to obtain highly sensitive information. | 2025-07-23 | 5.9 | CVE-2025-33020 |
| IBM--MQ Operator | IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, and MQ Operator SC2 3.2.0 through 3.2.13 Container could disclose sensitive information to a local user due to improper clearing of heap memory before release. | 2025-07-24 | 6.2 | CVE-2025-33013 |
| IBM--MQ Operator | IBM MQ Operator LTS 2.0.0 through 2.0.29, MQ Operator CD 3.0.0, 3.0.1, 3.1.0 through 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, and MQ Operator SC2 3.2.0 through 3.2.13 Internet Pass-Thru could allow a malicious user to obtain sensitive information from another TLS session connection by the proxy to the same hostname and port due to improper certificate validation. | 2025-07-24 | 5.9 | CVE-2025-36005 |
| IBM--Security QRadar Network Threat Analytics | IBM Security QRadar Network Threat Analytics 1.0.0 through 1.3.1 could allow a privileged user to cause a denial of service due to improper allocation of resources. | 2025-07-22 | 4.5 | CVE-2024-38335 |
| IBM--SmartCloud Analytics Log Analysis | IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 could allow a local user to cause a denial of service due to improper validation of specified type of input. | 2025-07-23 | 6.2 | CVE-2024-40682 |
| IBM--SmartCloud Analytics Log Analysis | IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. | 2025-07-23 | 5.4 | CVE-2024-40686 |
| IBM--SmartCloud Analytics Log Analysis | IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 could allow a local, authenticated attacker to bypass client-side enforcement of security to manipulate data. | 2025-07-23 | 5.5 | CVE-2024-41750 |
| IBM--SmartCloud Analytics Log Analysis | IBM SmartCloud Analytics - Log Analysis 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, and 1.3.8.2 could allow a local, authenticated attacker to bypass client-side enforcement of security to manipulate data. | 2025-07-23 | 5.5 | CVE-2024-41751 |
| iputils--iputils | ping in iputils before 20250602 allows a denial of service (application error in adaptive ping mode or incorrect data collection) via a crafted ICMP Echo Reply packet, because a zero timestamp can lead to large intermediate values that have an integer overflow when squared during statistics calculations. NOTE: this issue exists because of an incomplete fix for CVE-2025-47268 (that fix was only about timestamp calculations, and it did not account for a specific scenario where the original timestamp in the ICMP payload is zero). | 2025-07-22 | 6.5 | CVE-2025-48964 |
| itsourcecode--Employee Management System | A vulnerability, which was classified as critical, was found in itsourcecode Employee Management System 1.0. Affected is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8172 |
| itsourcecode--Insurance Management System | A vulnerability, which was classified as critical, has been found in itsourcecode Insurance Management System 1.0. This issue affects some unknown processing of the file /updateAgent.php. The manipulation of the argument agent_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8135 |
| jerryshensjf--JPACookieShop JPA | A vulnerability was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 1.0. It has been classified as critical. Affected is the function addGoods of the file GoodsController.java. The manipulation leads to unrestricted upload. It is possible to launch the attack remotely. | 2025-07-21 | 6.3 | CVE-2025-7939 |
| jerryshensjf--JPACookieShop JPA | A vulnerability was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 1.0 and classified as critical. This issue affects the function updateGoods of the file GoodsController.java. The manipulation leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 4.3 | CVE-2025-7938 |
| jerryshensjf--JPACookieShop JPA | A vulnerability classified as problematic was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. Affected by this vulnerability is the function goodsSearch of the file GoodsCustController.java. The manipulation of the argument keyword leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | 2025-07-27 | 4.3 | CVE-2025-8221 |
| jerryshensjf--JPACookieShop JPA | A vulnerability, which was classified as problematic, was found in jerryshensjf JPACookieShop 蛋糕商城JPA版 up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. This affects an unknown part of the file AdminTypeCustController.java. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | 2025-07-27 | 4.3 | CVE-2025-8223 |
| Jingmen Zeyou--Large File Upload Control | A vulnerability classified as critical has been found in Jingmen Zeyou Large File Upload Control up to 6.3. Affected is an unknown function of the file /index.jsp. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-26 | 6.3 | CVE-2025-8203 |
| jonsisk--WP Get The Table | The WP Get The Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'url' parameter in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-24 | 6.4 | CVE-2025-6387 |
| krasenslavov--Featured Image Plus Quick & Bulk Edit with Unsplash | The Featured Image Plus - Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.4 via the fip_get_image_options() function. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-07-23 | 5.5 | CVE-2025-5818 |
| Kron Technologies--Kron PAM | Allocation of Resources Without Limits or Throttling vulnerability in Kron Technologies Kron PAM allows HTTP DoS.This issue affects Kron PAM: before 3.7. | 2025-07-25 | 6.5 | CVE-2025-5253 |
| Kron Technologies--Kron PAM | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kron Technologies Kron PAM allows Stored XSS.This issue affects Kron PAM: before 3.7. | 2025-07-25 | 6.1 | CVE-2025-5254 |
| libssh--libssh | A flaw was found in the SFTP server message decoding logic of libssh. The issue occurs due to an incorrect packet length check that allows an integer overflow when handling large payload sizes on 32-bit systems. This issue leads to failed memory allocation and causes the server process to crash, resulting in a denial of service. | 2025-07-25 | 4.3 | CVE-2025-5449 |
| ManageEngine--Applications Manager | Zohocorp ManageEngine Applications Manager versions 176600 and prior are vulnerable to stored cross-site scripting in the File/Directory monitor. | 2025-07-23 | 6.4 | CVE-2025-27930 |
| marviorocha--Station Pro Advanced Audio Streaming & Player for WordPress | The Station Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' and 'height' parameter in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-24 | 6.4 | CVE-2025-7959 |
| MB connect line--mbNET.mini | A high privileged remote attacker can alter the configuration database via POST requests due to improper neutralization of special elements used in a SQL statement. | 2025-07-21 | 6.5 | CVE-2025-41678 |
| MB connect line--mbNET.mini | An unauthenticated remote attacker could exploit a buffer overflow vulnerability in the device causing a denial of service that affects only the network initializing wizard (Conftool) service. | 2025-07-21 | 5.3 | CVE-2025-41679 |
| MB connect line--mbNET.mini | A high privileged remote attacker can exhaust critical system resources by sending specifically crafted POST requests to the send-sms action in fast succession. | 2025-07-21 | 4.9 | CVE-2025-41676 |
| MB connect line--mbNET.mini | A high privileged remote attacker can exhaust critical system resources by sending specifically crafted POST requests to the send-mail action in fast succession. | 2025-07-21 | 4.9 | CVE-2025-41677 |
| MB connect line--mbNET.mini | A high privileged remote attacker can gain persistent XSS via POST requests due to improper neutralization of special elements used to create dynamic content. | 2025-07-21 | 4.8 | CVE-2025-41681 |
| mdempfle--Advanced iFrame | The Advanced iFrame plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'advanced_iframe' shortcode in all versions up to, and including, 2025.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-26 | 6.4 | CVE-2025-6987 |
| mdshuvo--Post Grid Master Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder | The Post Grid Master plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'argsArray['read_more_text']' parameter in all versions up to, and including, 3.4.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-07-24 | 6.1 | CVE-2025-5084 |
| Medtronic--MyCareLink Patient Monitor 24950 | Medtronic MyCareLink Patient Monitor has an internal service that deserializes data, which allows a local attacker to interact with the service by crafting a binary payload to crash the service or elevate privileges. This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025 | 2025-07-24 | 6.5 | CVE-2025-4393 |
| Medtronic--MyCareLink Patient Monitor 24950 | Medtronic MyCareLink Patient Monitor uses an unencrypted filesystem on internal storage, which allows an attacker with physical access to read and modify files. This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025 | 2025-07-24 | 6.8 | CVE-2025-4394 |
| Medtronic--MyCareLink Patient Monitor 24950 | Medtronic MyCareLink Patient Monitor has a built-in user account with an empty password, which allows an attacker with physical access to log in with no password and access modify system functionality. This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025 | 2025-07-24 | 6.8 | CVE-2025-4395 |
| mia4--Birth Chart Compatibility | The Birth Chart Compatibility plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 2.0. This is due to insufficient protection against directly accessing the plugin's index.php file, which causes an error exposing the full path. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website. | 2025-07-22 | 5.3 | CVE-2025-6082 |
| mindnl--Affiliate Plus | The Affiliate Plus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.2. This is due to missing or incorrect nonce validation on the 'affiplus_settings' page. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-24 | 6.1 | CVE-2025-7690 |
| minutemedia--Voltax Video Player | The Voltax Video Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-24 | 6.4 | CVE-2025-6539 |
| motovnet--Ebook Store | The Ebook Store plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Order Details in all versions up to, and including, 5.8012 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-07-21 | 4.4 | CVE-2025-7486 |
| museai--muse.ai video embedding | The muse.ai video embedding plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's muse-ai shortcode in all versions up to, and including, 0.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-24 | 6.4 | CVE-2025-6262 |
| n/a--jshERP | A vulnerability classified as critical has been found in jshERP up to 3.5. Affected is an unknown function of the file /user/delete of the component Account Handler. The manipulation of the argument ID leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-22 | 5.4 | CVE-2025-7947 |
| n/a--jshERP | A vulnerability classified as problematic was found in jshERP up to 3.5. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/user/updatePwd. The manipulation leads to weak password recovery. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-22 | 4.3 | CVE-2025-7948 |
| n/a--LibTIFF | A vulnerability was found in LibTIFF up to 4.7.0. It has been declared as critical. This vulnerability affects the function get_histogram of the file tools/tiffmedian.c. The manipulation leads to use after free. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The patch is identified as fe10872e53efba9cc36c66ac4ab3b41a839d5172. It is recommended to apply a patch to fix this issue. | 2025-07-26 | 5.3 | CVE-2025-8176 |
| n/a--LibTIFF | A vulnerability was found in LibTIFF up to 4.7.0. It has been rated as critical. This issue affects the function setrow of the file tools/thumbnail.c. The manipulation leads to buffer overflow. An attack has to be approached locally. The patch is named e8c9d6c616b19438695fd829e58ae4fde5bfbc22. It is recommended to apply a patch to fix this issue. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-26 | 5.3 | CVE-2025-8177 |
| OB--OceanBase Server | In OceanBase's Oracle tenant mode, a malicious user with specific privileges can achieve privilege escalation to SYS-level access by executing carefully crafted commands. This vulnerability only affects OceanBase tenants in Oracle mode. Tenants in MySQL mode are unaffected. | 2025-07-24 | 6.3 | CVE-2025-8107 |
| Okta--Okta On-Premises Provisioning Agent | Okta On-Premises Provisioning (OPP) agents log certain user data during administrator-initiated password resets. This vulnerability allows an attacker with access to the local servers running OPP agents to retrieve user personal information and temporary passwords created during password reset. You are affected by this vulnerability if the following preconditions are met: Local server running OPP agent with versions >=2.2.1 and <= 2.3.0, and User account has had an administrator-initiated password reset while using the affected versions. | 2025-07-22 | 6.8 | CVE-2025-7371 |
| omnishop--Omnishop Mobile shop apps complementing your WooCommerce webshop | The Omnishop plugin for WordPress is vulnerable to Cross-Site Request Forgery on its /users/delete REST route in all versions up to, and including, 1.0.9. The route's permission_callback only verifies that the requester is logged in, but fails to require any nonce or other proof of intent. This makes it possible for unauthenticated attackers to delete arbitrary user accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-23 | 6.5 | CVE-2025-6214 |
| omnishop--Omnishop Mobile shop apps complementing your WooCommerce webshop | The Omnishop plugin for WordPress is vulnerable to Unauthenticated Registration Bypass in all versions up to, and including, 1.0.9. Its /users/register endpoint is exposed to the public (permission_callback always returns true) and invokes wp_create_user() unconditionally, ignoring the site's users_can_register option and any nonce or CAPTCHA checks. This makes it possible for unauthenticated attackers to create arbitrary user accounts (customer) on sites where registrations should be closed. | 2025-07-23 | 5.3 | CVE-2025-6215 |
| OpenAI--Codex CLI | OpenAI Codex CLI before 0.9.0 auto-approves ripgrep (aka rg) execution even with the --pre or --hostname-bin or --search-zip or -z flag. | 2025-07-25 | 4.1 | CVE-2025-54558 |
| opencast--opencast | Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. This issue is fixed in Opencast 17.6. | 2025-07-26 | 6.5 | CVE-2025-54380 |
| PHPGurukul--Apartment Visitors Management System | A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /search-visitor.php of the component HTTP POST Request Handler. The manipulation of the argument searchdata leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-22 | 4.3 | CVE-2025-7946 |
| PHPGurukul--BP Monitoring Management System | A vulnerability classified as critical was found in PHPGurukul BP Monitoring Management System 1.0. This vulnerability affects unknown code of the file /bwdates-report-result.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8134 |
| PHPGurukul--Login and User Management System | A vulnerability was found in PHPGurukul Login and User Management System 3.3. It has been declared as critical. This vulnerability affects unknown code of the file /admin/yesterday-reg-users.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8158 |
| PHPGurukul--Online Banquet Booking System | A vulnerability has been found in PHPGurukul Online Banquet Booking System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/view-user-queries.php. The manipulation of the argument viewid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 6.3 | CVE-2025-7927 |
| PHPGurukul--Online Banquet Booking System | A vulnerability, which was classified as problematic, has been found in PHPGurukul Online Banquet Booking System 1.0. Affected by this issue is some unknown functionality of the file /admin/login.php. The manipulation of the argument user_login/userpassword leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 4.3 | CVE-2025-7925 |
| PHPGurukul--Taxi Stand Management System | A vulnerability was found in PHPGurukul Taxi Stand Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/search-autoortaxi.php. The manipulation of the argument searchdata leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 4.3 | CVE-2025-7943 |
| PHPGurukul--Taxi Stand Management System | A vulnerability was found in PHPGurukul Taxi Stand Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /search.php. The manipulation of the argument searchdata leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 4.3 | CVE-2025-7944 |
| PHPGurukul--User Registration & Login and User Management | A vulnerability was found in PHPGurukul User Registration & Login and User Management 3.3 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/lastsevendays-reg-users.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8156 |
| PHPGurukul--User Registration & Login and User Management | A vulnerability was found in PHPGurukul User Registration & Login and User Management 3.3. It has been classified as critical. This affects an unknown part of the file /admin/lastthirtyays-reg-users.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 6.3 | CVE-2025-8157 |
| Projectworlds--Online Admission System | A vulnerability classified as critical has been found in Projectworlds Online Admission System 1.0. This affects an unknown part of the file /admin.php. The manipulation of the argument markof leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-27 | 6.3 | CVE-2025-8247 |
| QEMU--QEMU | hw/pci/pcie_sriov.c in QEMU through 10.0.3 has a migration state inconsistency, a related issue to CVE-2024-26327. | 2025-07-25 | 4.2 | CVE-2025-54566 |
| QEMU--QEMU | hw/pci/pcie_sriov.c in QEMU through 10.0.3 mishandles the VF Enable bit write mask, a related issue to CVE-2024-26327. | 2025-07-25 | 4.2 | CVE-2025-54567 |
| reallaunch--Valuation Calculator | The Valuation Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-23 | 6.4 | CVE-2025-5753 |
| Red Hat--Red Hat Enterprise Linux 10 | A global buffer overflow vulnerability was found in the soup_header_name_to_string function in Libsoup. The `soup_header_name_to_string` function does not validate the `name` parameter passed in, and directly accesses `soup_header_name_strings[name]`. The value of `name` is controllable, when `name` exceeds the index range of `soup_headr_name_string`, it will cause an out-of-bounds access. | 2025-07-25 | 5.5 | CVE-2025-8197 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libssh, a library that implements the SSH protocol. When calculating the session ID during the key exchange (KEX) process, an allocation failure in cryptographic functions may lead to a NULL pointer dereference. This issue can cause the client or server to crash. | 2025-07-24 | 4.7 | CVE-2025-8114 |
| Rolantis Information Technologies--Agentis | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Rolantis Information Technologies Agentis allows Reflected XSS, DOM-Based XSS.This issue affects Agentis: before 4.32. | 2025-07-22 | 6.1 | CVE-2025-4284 |
| rosenpass--rosenpass | The rosenpass crate before 0.2.1 for Rust allows remote attackers to cause a denial of service (panic) via a one-byte UDP packet. | 2025-07-27 | 5.3 | CVE-2023-53157 |
| SAP_SE--SAP FICA ODN framework | SAP FICA ODN framework allows a high privileged user to inject value inside the local variable which can then be executed by the application. An attacker could thereby control the behaviour of the application causing high impact on integrity, low impact on availability and no impact on confidentiality of the application. | 2025-07-23 | 5.5 | CVE-2025-42947 |
| sflack--Like & Share My Site | The Like & Share My Site plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2. This is due to missing or incorrect nonce validation on the 'lsms_admin' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-22 | 6.1 | CVE-2025-7685 |
| Shanghai Lingdang Information Technology--Lingdang CRM | A vulnerability was found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. It has been rated as critical. This issue affects some unknown processing of the file /crm/crmapi/erp/tabdetail_moduleSave_dxkp.php of the component HTTP POST Request Handler. The manipulation of the argument getvaluestring leads to sql injection. The attack may be initiated remotely. Upgrading to version 8.6.5.2 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "All SQL injection vectors were patched via parameterized queries and input sanitization in v8.6.5+. We strongly advise all customers to upgrade to the current version (v8.6.5.2), which includes this fix and additional security enhancements." | 2025-07-27 | 6.3 | CVE-2025-8219 |
| Simopro Technology--WinMatrix3 Web package | WinMatrix3 Web package developed by Simopro Technology has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read, modify, and delete database contents. | 2025-07-21 | 6.5 | CVE-2025-7919 |
| Simopro Technology--WinMatrix3 Web package | WinMatrix3 Web package developed by Simopro Technology has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks. | 2025-07-21 | 6.1 | CVE-2025-7920 |
| Simplehelp--Simplehelp | Cross-Site Request Forgery (CSRF) vulnerability in Simplehelp.This issue affects Simplehelp: before 5.5.11. | 2025-07-25 | 6.3 | CVE-2025-36728 |
| sminozzi--Memory Usage, Memory Limit, PHP and Server Memory Health Check and Provide Suggestions | The Memory Usage plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.98. This is due to missing nonce validation in the wpmemory_install_plugin() function. This makes it possible for unauthenticated attackers to silently install one of the several whitelisted plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-27 | 4.3 | CVE-2025-8104 |
| Sophos--Sophos Firewall | A post-auth SQL injection vulnerability in WebAdmin of Sophos Firewall versions older than 21.0 MR1 (21.0.1) can potentially lead to administrators achieving arbitrary code execution. | 2025-07-21 | 6.8 | CVE-2024-13973 |
| sparklewpthemes--Educenter | The Educenter theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Circle Counter Block in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-26 | 6.4 | CVE-2025-5529 |
| stratosg--YANewsflash | The YANewsflash plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to missing or incorrect nonce validation on the 'yanewsflash/yanewsflash.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-23 | 6.1 | CVE-2025-6054 |
| Synology--Synology Router Manager (SRM) | Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in VPN Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors. | 2025-07-23 | 5.9 | CVE-2024-53287 |
| Synology--Synology Router Manager (SRM) | Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in NTP Region functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors. | 2025-07-23 | 5.9 | CVE-2024-53288 |
| taeggie--Taeggie Feed | The Taeggie Feed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's taeggie-feed shortcode in all versions up to, and including, 0.1.10. The plugin's render() method takes the user-supplied name attribute and injects it directly into a <script> tag - both in the id attribute and inside jQuery.getScript() - without proper escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-24 | 6.4 | CVE-2025-6382 |
| Tenda--AC18 | A vulnerability has been found in Tenda AC18 15.03.05.19 and classified as problematic. This vulnerability affects unknown code of the file /etc_ro/smb.conf of the component Samba. The manipulation leads to weak password requirements. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | 2025-07-26 | 5.6 | CVE-2025-8182 |
| tigroumeow--AI Engine | The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4. The simpleTranscribeAudio endpoint fails to restrict URL schemes before calling get_audio(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to read any file on the web server and exfiltrate it via the plugin's OpenAI API integration. | 2025-07-24 | 6.5 | CVE-2025-7780 |
| TOTOLINK--T6 | A vulnerability classified as critical was found in TOTOLINK T6 4.1.5cu.748. This vulnerability affects the function ckeckKeepAlive of the file wireless.so of the component MQTT Packet Handler. The manipulation leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-22 | 6.3 | CVE-2025-7952 |
| Turtek Software--Eyotek | Authorization Bypass Through User-Controlled Key vulnerability in Turtek Software Eyotek allows Exploitation of Trusted Identifiers.This issue affects Eyotek: before 23.06.2025. | 2025-07-21 | 6.5 | CVE-2025-5681 |
| Two App Studio--Journey | Unencrypted storage in the database in Two App Studio Journey v5.5.9 for iOS allows local attackers to extract sensitive data via direct access to the app's filesystem. | 2025-07-21 | 5.5 | CVE-2025-41458 |
| ullakalim8--Supreme Addons for Beaver Builder | The Supreme Addons for Beaver Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's auto_qrcodesabb shortcode in all versions up to, and including, 1.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-24 | 6.4 | CVE-2025-3669 |
| vcita--CRM and Lead Management by vcita | The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' parameter in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-22 | 6.4 | CVE-2025-5240 |
| wonderplugin--Wonder Slider | The Wonder Slider Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image title and description DOM in all versions up to, and including, 14.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-26 | 6.4 | CVE-2025-7501 |
| wpbakery--WPBakery Visual Composer | The WPBakery Page Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Page Builder elements (Copyright Element, Hover Box, Separator With Text, FAQ, Single Image, Custom Header, Button, Call To Action, Progress Bar, Pie Chart, Round Chart, and Line Chart) in all versions up to, and including, 8.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-24 | 6.4 | CVE-2025-4968 |
| wpeverest--User Registration & Membership Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin | The User Registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's urcr_restrict shortcode in all versions up to, and including, 4.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-22 | 6.4 | CVE-2025-6831 |
| xpeedstudio--ElementsKit Elementor Addons and Templates | The ElementsKit Elementor Addons and Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL attribute of a custom widget in all versions up to, and including, 3.5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-24 | 6.4 | CVE-2025-3614 |
| xTemos--Woodmart | The WoodMart theme for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 8.2.6. This is due to insufficient validation of the qty parameter in the woodmart_update_cart_item function. This makes it possible for unauthenticated attackers to manipulate cart quantities using fractional values, allowing them to obtain products for free by setting extremely small quantities (e.g., 0.00001) that round cart totals to $0.00, effectively bypassing payment requirements and allowing unauthorized acquisition of virtual or downloadable products. | 2025-07-26 | 5.3 | CVE-2025-8097 |
| yanyutao0402--ChanCMS | A vulnerability classified as critical has been found in yanyutao0402 ChanCMS up to 3.1.2. This affects the function getArticle of the file app/modules/api/service/gather.js. The manipulation of the argument targetUrl leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. The identifier of the patch is 3ef58a50e8b3c427b03c8cf3c9e19a79aa809be6. It is recommended to upgrade the affected component. | 2025-07-25 | 6.3 | CVE-2025-8133 |
| yanyutao0402--ChanCMS | A vulnerability was found in yanyutao0402 ChanCMS up to 3.1.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /collect/getArticle. The manipulation of the argument taskUrl leads to deserialization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. The patch is named 33d9bb464353015aaaba84e27638ac9a3912795d. It is recommended to upgrade the affected component. | 2025-07-27 | 6.3 | CVE-2025-8227 |
| yanyutao0402--ChanCMS | A vulnerability was found in yanyutao0402 ChanCMS up to 3.1.2. It has been rated as critical. Affected by this issue is the function getPages of the file /cms/collect/getPages. The manipulation of the argument targetUrl leads to server-side request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. It is recommended to upgrade the affected component. | 2025-07-27 | 6.3 | CVE-2025-8228 |
| yanyutao0402--ChanCMS | A vulnerability was found in yanyutao0402 ChanCMS up to 3.1.2. It has been rated as critical. Affected by this issue is the function delfile of the file app/extend/utils.js. The manipulation leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. The name of the patch is c8a282bf02a62b59ec60b4699e91c51aff2ee9cd. It is recommended to upgrade the affected component. | 2025-07-25 | 5.4 | CVE-2025-8132 |
| yanyutao0402--ChanCMS | A vulnerability was found in yanyutao0402 ChanCMS up to 3.1.2. It has been classified as problematic. Affected is an unknown function of the file /sysApp/find. The manipulation of the argument accessKey/secretKey leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 3.1.3 is able to address this issue. It is recommended to upgrade the affected component. | 2025-07-27 | 4.3 | CVE-2025-8226 |
| Yeelink--Yeelight App | A vulnerability was found in Yeelink Yeelight App up to 3.5.4 on Android. It has been classified as problematic. Affected is an unknown function of the file AndroidManifest.xml of the component com.yeelight.cherry. The manipulation leads to improper export of android application components. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-26 | 5.3 | CVE-2025-8210 |
| zhousg--letao | A vulnerability, which was classified as critical, has been found in zhousg letao up to 7d8df0386a65228476290949e0413de48f7fbe98. This issue affects some unknown processing of the file routes\bf\product.js. The manipulation of the argument pictrdtz leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | 2025-07-25 | 6.3 | CVE-2025-8128 |
| zohaib167--Get Youtube Subs | The Get Youtube Subs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'channel', 'layout', and 'subs_count' parameters in all versions up to, and including, 3.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-24 | 6.4 | CVE-2025-7966 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Akamai--Rate Control | Akamai Rate Control alpha before 2025 allows attackers to send requests above the stipulated thresholds because the rate is measured separately for each edge node. | 2025-07-25 | 3.7 | CVE-2025-54568 |
| code-projects--Church Donation System | A vulnerability was found in code-projects Church Donation System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/edit_members.php. The manipulation of the argument fname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-25 | 3.5 | CVE-2025-8167 |
| code-projects--Public Chat Room | A vulnerability classified as problematic has been found in code-projects Public Chat Room 1.0. This affects an unknown part of the file /send_message.php. The manipulation of the argument chat_msg/your_name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-22 | 3.5 | CVE-2025-7951 |
| comex--shlex | The shlex crate before 1.2.1 for Rust allows unquoted and unescaped instances of the { and \xa0 characters, which may facilitate command injection. | 2025-07-27 | 3.2 | CVE-2024-58266 |
| Comodo--Dragon | A vulnerability classified as problematic was found in Comodo Dragon up to 134.0.6998.179. Affected by this vulnerability is an unknown functionality of the component HSTS Handler. The manipulation leads to security check for standard. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-26 | 3.1 | CVE-2025-8204 |
| Comodo--Dragon | A vulnerability, which was classified as problematic, has been found in Comodo Dragon up to 134.0.6998.179. Affected by this issue is some unknown functionality of the component IP DNS Leakage Detector. The manipulation leads to cleartext transmission of sensitive information. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-26 | 3.7 | CVE-2025-8205 |
| Comodo--Dragon | A vulnerability, which was classified as problematic, was found in Comodo Dragon up to 134.0.6998.179. This affects an unknown part of the component IP DNS Leakage Detector. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-26 | 3.1 | CVE-2025-8206 |
| CosmWasm--cosmwasm-std | The cosmwasm-std crate before 2.0.2 for Rust allows integer overflows that cause incorrect contract calculations. | 2025-07-27 | 3.7 | CVE-2024-58263 |
| CosmWasm--serde-json-wasm | The serde-json-wasm crate before 1.0.1 for Rust allows stack consumption via deeply nested JSON data. | 2025-07-27 | 3.2 | CVE-2024-58264 |
| D-Link--DCS-6010L | A vulnerability has been found in D-Link DCS-6010L 1.15.03 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /vb.htm of the component Management Application. The manipulation of the argument paratest leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-25 | 3.5 | CVE-2025-8155 |
| dalek-cryptography--curve25519-dalek | The curve25519-dalek crate before 4.1.3 for Rust has a constant-time operation on elliptic curve scalars that is removed by LLVM. | 2025-07-27 | 2.9 | CVE-2024-58262 |
| GNU--Binutils | A vulnerability has been found in GNU Binutils 2.44 and classified as problematic. This vulnerability affects the function bfd_elf_get_str_section of the file bfd/elf.c of the component BFD Library. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The name of the patch is db856d41004301b3a56438efd957ef5cabb91530. It is recommended to apply a patch to fix this issue. | 2025-07-27 | 3.3 | CVE-2025-8224 |
| GNU--Binutils | A vulnerability was found in GNU Binutils 2.44 and classified as problematic. This issue affects the function process_debug_info of the file binutils/dwarf.c of the component DWARF Section Handler. The manipulation leads to memory leak. Attacking locally is a requirement. The identifier of the patch is e51fdff7d2e538c0e5accdd65649ac68e6e0ddd4. It is recommended to apply a patch to fix this issue. | 2025-07-27 | 3.3 | CVE-2025-8225 |
| HCL Software--IEM | HCL IEM is affected by an improper invalidation of access or JWT token vulnerability. A token was not invalidated which may allow attackers to access sensitive data without authorization. | 2025-07-24 | 3.3 | CVE-2025-0249 |
| HCL Software--IEM | HCL IEM is affected by an authorization token sent in cookie vulnerability. A token used for authentication and authorization is being handled in a manner that may increase its exposure to security risks. | 2025-07-24 | 2.2 | CVE-2025-0250 |
| HCL Software--IEM | HCL IEM is affected by a concurrent login vulnerability. The application allows multiple concurrent sessions using the same user credentials, which may introduce security risks. | 2025-07-25 | 2.6 | CVE-2025-0251 |
| HCL Software--IEM | HCL IEM is affected by a password in cleartext vulnerability. Sensitive information is transmitted without adequate protection, potentially exposing it to unauthorized access during transit. | 2025-07-25 | 2.6 | CVE-2025-0252 |
| HCL Software--IEM | HCL IEM is affected by a cookie attribute not set vulnerability due to inconsistency of certain security-related configurations which could increase exposure to potential vulnerabilities. | 2025-07-25 | 2 | CVE-2025-0253 |
| jerryshensjf--JPACookieShop JPA | A vulnerability, which was classified as problematic, has been found in jerryshensjf JPACookieShop 蛋糕商城JPA版 up to 24a15c02b4f75042c9f7f615a3fed2ec1cefb999. Affected by this issue is some unknown functionality of the file GoodsController.java. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. Multiple endpoints are affected. | 2025-07-27 | 3.5 | CVE-2025-8222 |
| KoaJS--Koa | A vulnerability, which was classified as problematic, was found in KoaJS Koa up to 3.0.0. Affected is the function back in the library lib/response.js of the component HTTP Header Handler. The manipulation of the argument Referrer leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-25 | 3.5 | CVE-2025-8129 |
| macrozheng--mall | A vulnerability, which was classified as problematic, was found in macrozheng mall up to 1.0.3. Affected is an unknown function of the file /swagger-ui/index.html of the component Swagger UI. The manipulation of the argument configUrl leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor deleted the GitHub issue for this vulnerability without any explanation. Afterwards the vendor was contacted early about this disclosure via email but did not respond in any way. | 2025-07-26 | 3.5 | CVE-2025-8191 |
| mcginty--snow | The snow crate before 0.9.5 for Rust, when stateful TransportState is used, allows incrementing a nonce and thereby denying message delivery. | 2025-07-27 | 3.1 | CVE-2024-58265 |
| n/a--Roothub | A vulnerability was found in Roothub up to 2.6. It has been declared as problematic. Affected by this vulnerability is the function Edit of the file src/main/java/cn/roothub/web/admin/SystemConfigAdminController.java. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-26 | 3.5 | CVE-2025-8211 |
| PHPGurukul--Online Banquet Booking System | A vulnerability classified as problematic was found in PHPGurukul Online Banquet Booking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin-profile.php. The manipulation of the argument adminname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 3.5 | CVE-2025-7924 |
| PHPGurukul--Online Banquet Booking System | A vulnerability, which was classified as problematic, was found in PHPGurukul Online Banquet Booking System 1.0. This affects an unknown part of the file /admin/booking-search.php. The manipulation of the argument searchdata leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 3.5 | CVE-2025-7926 |
| PHPGurukul--Taxi Stand Management System | A vulnerability has been found in PHPGurukul Taxi Stand Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/admin-profile.php. The manipulation of the argument adminname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 3.5 | CVE-2025-7942 |
| PHPGurukul--Taxi Stand Management System | A vulnerability has been found in PHPGurukul Taxi Stand Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/new-autoortaxi-entry-form.php. The manipulation of the argument registrationnumber/licensenumber leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-24 | 3.5 | CVE-2025-8115 |
| PHPGurukul--Time Table Generator System | A vulnerability, which was classified as problematic, was found in PHPGurukul Time Table Generator System 1.0. Affected is an unknown function of the file /admin/profile.php. The manipulation of the argument adminname leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-21 | 3.5 | CVE-2025-7941 |
| Red Hat--Red Hat Enterprise Linux 10 | A vulnerability was found in libssh, where an uninitialized variable exists under certain conditions in the privatekey_from_file() function. This flaw can be triggered if the file specified by the filename doesn't exist and may lead to possible signing failures or heap corruption. | 2025-07-22 | 3.6 | CVE-2025-4878 |
| Sanluan--PublicCMS | A vulnerability was found in Sanluan PublicCMS up to 5.202506.a. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file publiccms-parent/publiccms/src/main/resources/templates/admin/cmsDiy/preview.html. The manipulation of the argument url leads to open redirect. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The patch is named c1e79f124e3f4c458315d908ed7dee06f9f12a76/f1af17af004ca9345c6fe4d5936d87d008d26e75. It is recommended to apply a patch to fix this issue. | 2025-07-22 | 3.5 | CVE-2025-7949 |
| Sanluan--PublicCMS | A vulnerability, which was classified as problematic, has been found in Sanluan PublicCMS up to 5.202506.a. This issue affects some unknown processing of the file publiccms-parent/publiccms/src/main/webapp/resource/plugins/pdfjs/viewer.html. The manipulation of the argument File leads to open redirect. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is named f1af17af004ca9345c6fe4d5936d87d008d26e75. It is recommended to apply a patch to fix this issue. | 2025-07-22 | 3.5 | CVE-2025-7953 |
| sequoia-pgp--sequoia | The sequoia-openpgp crate 1.13.0 before 1.21.0 for Rust allows an infinite loop of "Reading a cert: Invalid operation: Not a Key packet" messages for RawCertParser operations that encounter an unsupported primary key type. | 2025-07-27 | 2.9 | CVE-2024-58261 |
| WordPress--WordPress | WordPress 3.5 through 6.8.2 allows remote attackers to guess titles of private and draft posts via pingback.ping XML-RPC requests. NOTE: the Supplier is not changing this behavior. | 2025-07-21 | 3.7 | CVE-2025-54352 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Ai2--Ai2 playground web service | Ai2 playground web service (playground.allenai.org) LLM chat through 2025-06-03 is vulnerable to Insecure Direct Object Reference (IDOR), allowing attackers to gain sensitvie information via enumerating thread keys in the URL. | 2025-07-22 | not yet calculated | CVE-2025-51865 |
| aimhubio--Aim | Path Traversal in restore_run_backup() in AIM 3.28.0 allows remote attackers to write arbitrary files to the server's filesystem via a crafted backup tar file submitted to the run_instruction API, which is extracted without path validation during restoration. | 2025-07-22 | not yet calculated | CVE-2025-51463 |
| aimhubio--Aim | Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js(). | 2025-07-22 | not yet calculated | CVE-2025-51464 |
| AlertEnterprise--Guardian | An issue was discovered in AlertEnterprise Guardian 4.1.14.2.2.1. One can bypass manager approval by changing the user ID in a Request%20Building%20Access requestSubmit API call. | 2025-07-22 | not yet calculated | CVE-2025-31511 |
| AlertEnterprise--Guardian | An issue was discovered in AlertEnterprise Guardian 4.1.14.2.2.1. One can bypass manager approval via isAddedByApprover in a Request%20Building%20Access requestSubmit API call. | 2025-07-22 | not yet calculated | CVE-2025-31512 |
| AlertEnterprise--Guardian | An issue was discovered in AlertEnterprise Guardian 4.1.14.2.2.1. One can elevate to administrator privileges via the IsAdminApprover parameter in a Request%20Building%20Access requestSubmit API call. | 2025-07-22 | not yet calculated | CVE-2025-31513 |
| Apache Software Foundation--Apache HTTP Server | A bug in Apache HTTP Server 2.4.64 results in all "RewriteCond expr ..." tests evaluating as "true". Users are recommended to upgrade to version 2.4.65, which fixes the issue. | 2025-07-23 | not yet calculated | CVE-2025-54090 |
| Apache Software Foundation--Apache Jena | Users with administrator access can create databases files outside the files area of the Fuseki server. This issue affects Apache Jena version up to 5.4.0. Users are recommended to upgrade to version 5.5.0, which fixes the issue. | 2025-07-21 | not yet calculated | CVE-2025-49656 |
| Apache Software Foundation--Apache Jena | File access paths in configuration files uploaded by users with administrator access are not validated. This issue affects Apache Jena version up to 5.4.0. Users are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload. | 2025-07-21 | not yet calculated | CVE-2025-50151 |
| Apwide--Golive | Apwide Golive 10.2.0 Jira plugin allows Server-Side Request Forgery (SSRF) via the test webhook function. | 2025-07-25 | not yet calculated | CVE-2025-45939 |
| Arm--Development Studio | Uncontrolled Search Path Element in Arm Development Studio before 2025 may allow an attacker to perform a DLL hijacking attack. Successful exploitation could lead to local arbitrary code execution in the context of the user running Arm Development Studio. | 2025-07-22 | not yet calculated | CVE-2025-7427 |
| Artica ST--Pandora FMS | An unauthenticated SQL injection vulnerability exists in Pandora FMS version 5.0 SP2 and earlier. The mobile/index.php endpoint fails to properly sanitize user input in the loginhash_data parameter, allowing attackers to extract administrator credentials or active session tokens via crafted requests. This occurs because input is directly concatenated into an SQL query without adequate validation, enabling SQL injection. After authentication is bypassed, a second vulnerability in the File Manager component permits arbitrary PHP file uploads. The file upload functionality does not enforce MIME-type or file extension restrictions, allowing authenticated users to upload web shells into a publicly accessible directory and achieve remote code execution. | 2025-07-25 | not yet calculated | CVE-2014-125115 |
| astronomer--dag-factory | dag-factory is a library for Apache Airflow® to construct DAGs declaratively via configuration files. In versions 0.23.0a8 and below, a high-severity vulnerability has been identified in the cicd.yml workflow within the astronomer/dag-factory GitHub repository. The workflow, specifically when triggered by pull_request_target, is susceptible to exploitation, allowing an attacker to execute arbitrary code within the GitHub Actions runner environment. This misconfiguration enables an attacker to establish a reverse shell, exfiltrate sensitive secrets, including the highly-privileged GITHUB_TOKEN, and ultimately gain full control over the repository. This is fixed in version 0.23.0a9. | 2025-07-26 | not yet calculated | CVE-2025-54415 |
| ASUS--MyASUS | An insecure sensitive key storage issue was found in MyASUS. potentially allowing unauthorized actor to obtain a token that could be used to communicate with certain services. Refer to the 'Security Update for for MyASUS' section on the ASUS Security Advisory for more information. | 2025-07-21 | not yet calculated | CVE-2025-4569 |
| ASUS--MyASUS | An insecure sensitive key storage issue was found in MyASUS. potentially allowing unauthorized actor to obtain a token that could be used to communicate with certain services. Refer to the 'Security Update for for MyASUS' section on the ASUS Security Advisory for more information. | 2025-07-21 | not yet calculated | CVE-2025-4570 |
| ASUSTOR--ABP and AES | The Windows service configuration of ABP and AES contains an unquoted ImagePath registry value vulnerability. This allows a local attacker to execute arbitrary code by placing a malicious executable in a predictable location such as C:\Program.exe. If the service runs with elevated privileges, exploitation results in privilege escalation to SYSTEM level. This vulnerability arises from an unquoted service path affecting systems where the executable resides in a path containing spaces. Affected products and versions include: ABP 2.0.7.6130 and earlier as well as AES 1.0.6.6133 and earlier. | 2025-07-23 | not yet calculated | CVE-2025-8070 |
| Atlassian--Sourcetree for Mac | This Medium severity ACE (Arbitrary Code Execution) vulnerability was introduced in version 4.2.8 of Sourcetree for Mac. This ACE (Arbitrary Code Execution) vulnerability, with a CVSS Score of 5.9, allows a locally authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and requires user interaction. Atlassian recommends that Sourcetree for Mac users upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions. See the release notes https://www.sourcetreeapp.com/download-archives . You can download the latest version of Sourcetree for Mac from the download center https://www.sourcetreeapp.com/download-archives . This vulnerability was found through the Atlassian Bug Bounty Program by Karol Mazurek (AFINE). | 2025-07-24 | not yet calculated | CVE-2025-22165 |
| Calibre Web--Calibre Web | ReDoS in strip_whitespaces() function in cps/string_helper.py in Calibre Web and Autocaliweb allows unauthenticated remote attackers to cause denial of service via specially crafted username parameter that triggers catastrophic backtracking during login. This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1. | 2025-07-24 | not yet calculated | CVE-2025-6998 |
| Calibre Web--Calibre Web | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Calibre Web, Autocaliweb allows Blind OS Command Injection.This issue affects Calibre Web: 0.6.24 (Nicolette); Autocaliweb: from 0.7.0 before 0.7.1. | 2025-07-24 | not yet calculated | CVE-2025-7404 |
| Capillary io--CapillaryScope | Lack of sensitive data encryption in CapillaryScope v2.5.0 of Capillary io, which stores both the proxy credentials and the JWT session token in plain text within different registry keys on the Windows operating system. Any authenticated local user with read access to the registry can extract these sensitive values. | 2025-07-24 | not yet calculated | CVE-2025-40680 |
| Chavara Family Welfare Centre--Chavara Matrimony Site | An issue in the OTP mechanism of Chavara Family Welfare Centre Chavara Matrimony Site v2.0 allows attackers to bypass authentication via supplying a crafted request. | 2025-07-25 | not yet calculated | CVE-2025-45777 |
| CNCF--Harbor | CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash and salt values. The q URL parameter allows a user to filter users by any column, and filter password=~ could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this to leak highly sensitive information stored in the Harbor database. All endpoints that support the q URL parameter are vulnerable to this ORM leak attack. | 2025-07-25 | not yet calculated | CVE-2025-30086 |
| CommScope--Ruckus Unleashed | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the functions `stamgr_cfg_adpt_addStaFavourite` and `stamgr_cfg_adpt_addStaIot` pass a client hostname directly to snprintf as the format string. A remote attacker can exploit this flaw either by sending a crafted request to the authenticated endpoint `/admin/_conf.jsp`, or without authentication and without direct network access to the controller by spoofing the MAC address of a favourite station and embedding malicious format specifiers in the DHCP hostname field, resulting in unauthenticated format-string processing and arbitrary code execution on the controller. | 2025-07-21 | not yet calculated | CVE-2025-46121 |
| CommScope--Ruckus Unleashed | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, where the authenticated diagnostics API endpoint `/admin/_cmdstat.jsp` passes attacker-controlled input to the shell without adequate validation, enabling a remote attacker to specify a target by MAC address and execute arbitrary commands as root. | 2025-07-21 | not yet calculated | CVE-2025-46122 |
| CommScope--Ruckus Unleashed and Ruckus ZoneDirector | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where an authenticated attacker can disable the passphrase requirement for a hidden CLI command `!v54!` via a management API call and then invoke it to escape the restricted shell and obtain a root shell on the controller. | 2025-07-21 | not yet calculated | CVE-2025-46116 |
| CommScope--Ruckus Unleashed and Ruckus ZoneDirector | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where a hidden debug script `.ap_debug.sh` invoked from the restricted CLI does not properly sanitize its input, allowing an authenticated attacker to execute arbitrary commands as root on the controller or specified target. | 2025-07-21 | not yet calculated | CVE-2025-46117 |
| CommScope--Ruckus Unleashed and Ruckus ZoneDirector | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139 and in Ruckus ZoneDirector prior to 10.5.1.0.279, where hard-coded credentials for the ftpuser account provide FTP access to the controller, enabling a remote attacker to upload or retrieve arbitrary files from writable firmware directories and thereby expose sensitive information or compromise the controller. | 2025-07-21 | not yet calculated | CVE-2025-46118 |
| CommScope--Ruckus Unleashed and Ruckus ZoneDirector | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where an authenticated request to the management endpoint `/admin/_cmdstat.jsp` discloses the administrator password in a trivially reversible obfuscated form. The same obfuscation method persists in configuration prior to 200.18.7.1.302, allowing anyone who obtains the system configuration to recover the plaintext credentials. | 2025-07-21 | not yet calculated | CVE-2025-46119 |
| CommScope--Ruckus Unleashed and Ruckus ZoneDirector | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.27 and 200.18.7.1.323, and in Ruckus ZoneDirector prior to 10.5.1.0.282, where a path-traversal flaw in the web interface lets the server execute attacker-supplied EJS templates outside permitted directories, allowing a remote unauthenticated attacker who can upload a template (e.g., via FTP) to escalate privileges and run arbitrary template code on the controller. | 2025-07-21 | not yet calculated | CVE-2025-46120 |
| CommScope--Ruckus Unleashed and Ruckus ZoneDirector | An issue was discovered in CommScope Ruckus Unleashed prior to 200.15.6.212.14 and 200.17.7.0.139, and in Ruckus ZoneDirector prior to 10.5.1.0.279, where the authenticated configuration endpoint `/admin/_conf.jsp` writes the Wi-Fi guest password to memory with snprintf using the attacker-supplied value as the format string; a crafted password therefore triggers uncontrolled format-string processing and enables remote code execution on the controller. | 2025-07-21 | not yet calculated | CVE-2025-46123 |
| Commvault--Commvault | A local privilege escalation vulnerability exists in Commvault for Windows versions 11.20.0, 11.28.0, 11.32.0, 11.34.0, and 11.36.0. In affected configurations, a local attacker who owns a client system with the file server agent installed can compromise any assigned Windows access nodes. This may allow unauthorized access or lateral movement within the backup infrastructure. The issue has been resolved in versions 11.32.60, 11.34.34, and 11.36.8. | 2025-07-25 | not yet calculated | CVE-2024-13975 |
| Commvault--Commvault | An SQL injection vulnerability exists in Commvault 11.32.0 - 11.32.93, 11.36.0 - 11.36.51, and 11.38.0 - 11.38.19 Web Server component that allows a remote, unauthenticated attacker to perform SQL Injection. The vulnerability impacts systems where the CommServe and Web Server roles are installed. Other Commvault components deployed in the same environment are not affected. | 2025-07-25 | not yet calculated | CVE-2025-34136 |
| Commvault--Commvault for Windows | A DLL injection vulnerability exists in Commvault for Windows 11.20.0, 11.28.0, 11.32.0, 11.34.0, and 11.36.0. During the installation of maintenance updates, an attacker with local access may exploit uncontrolled search path or DLL loading behavior to execute arbitrary code with elevated privileges. The vulnerability has been resolved in versions 11.20.202, 11.28.124, 11.32.65, 11.34.37, and 11.36.15. | 2025-07-25 | not yet calculated | CVE-2024-13976 |
| compojoom.com--CComment component for Joomla | A stored XSS vulnerability in CComment component 5.0.0-6.1.14 for Joomla was discovered. | 2025-07-23 | not yet calculated | CVE-2025-54297 |
| D-Link--DSP-W215 | A stack-based buffer overflow vulnerability in the my_cgi.cgi component of certain D-Link devices, including the DSP-W215 version 1.02, can be exploited via a specially crafted HTTP POST request to the /common/info.cgi endpoint. This flaw enables an unauthenticated attacker to achieve remote code execution with system-level privileges. | 2025-07-25 | not yet calculated | CVE-2014-125117 |
| D2iQ, Inc.--DC/OS Marathon | The Marathon UI in DC/OS < 1.9.0 allows unauthenticated users to deploy arbitrary Docker containers. Due to improper restriction of volume mount configurations, attackers can deploy a container that mounts the host's root filesystem (/) with read/write privileges. When using a malicious Docker image, the attacker can write to /etc/cron.d/ on the host, achieving arbitrary code execution with root privileges. This impacts any system where the Docker daemon honors Marathon container configurations without policy enforcement. | 2025-07-23 | not yet calculated | CVE-2017-20198 |
| dbgate--dbgate | DbGate is cross-platform database manager. In versions 6.4.3-premium-beta.5 and below, DbGate is vulnerable to a directory traversal flaw. The file parameter is not properly restricted to the intended uploads directory. As a result, the endpoint that lists files within the upload directory can be manipulated to access arbitrary files on the system. By supplying a crafted path to the file parameter, an attacker can read files outside the upload directory, potentially exposing sensitive system-level data. This is fixed in version 6.4.3-beta.8. | 2025-07-26 | not yet calculated | CVE-2025-50184 |
| dbgate--dbgate | DbGate is cross-platform database manager. In versions 6.6.0 and below, DbGate allows unauthorized file access due to insufficient validation of file paths and types. A user with application-level access can retrieve data from arbitrary files on the system, regardless of their location or file type. The plugin fails to enforce proper checks on content type and file extension before reading a file. As a result, even sensitive files accessible only to the root user can be read through the application interface. There is currently no fix for this issue. ``` POST /runners/load-reader HTTP/1.1 Host: <REPLACE ME> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:138.0) Gecko/20100101 Firefox/138.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Referer: <REPLACE ME> Content-Type: application/json Authorization: Bearer <REPLACE ME> Content-Length: 127 Origin: http://192.168.124.119:3000 Connection: keep-alive Cookie: <REPLACE ME> Priority: u=0 Cache-Control: max-age=0 {"functionName":"reader@dbgate-plugin-csv","props":{"fileName":"/etc\/shadow","limitRows":100}} ``` The request payload:  Lines of the file being returned:  | 2025-07-26 | not yet calculated | CVE-2025-50185 |
| Devolutions--Server | Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authentication via brute forcing the short emergency codes generated by the server within a feasible timeframe. This issue affects the following versions : * Devolutions Server 2025.2.2.0 through 2025.2.3.0 * Devolutions Server 2025.1.11.0 and earlier | 2025-07-22 | not yet calculated | CVE-2025-6523 |
| Devolutions--Server | Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature This issue affects the following versions : * Devolutions Server 2025.2.2.0 through 2025.2.4.0 * Devolutions Server 2025.1.11.0 and earlier | 2025-07-22 | not yet calculated | CVE-2025-6741 |
| Dicoogle Project--PACS Web Server | An unauthenticated path traversal vulnerability exists in Dicoogle PACS Web Server version 2.5.0 and possibly earlier. The vulnerability allows remote attackers to read arbitrary files on the underlying system by sending a crafted request to the /exportFile endpoint using the UID parameter. Successful exploitation can reveal sensitive files accessible by the web server user. | 2025-07-23 | not yet calculated | CVE-2018-25113 |
| dj-extensions.com--DJ-Flyer component for Joomla | A SQLi vulnerability in DJ-Flyer component 1.0-3.2 for Joomla was discovered. The issue allows privileged users to execute arbitrary SQL commands. | 2025-07-23 | not yet calculated | CVE-2025-50127 |
| dj-extensions.com--DJ-Reviews component for Joomla | A Reflected XSS vulnerability in DJ-Reviews component 1.0-1.3.6 for Joomla was discovered. | 2025-07-23 | not yet calculated | CVE-2025-54295 |
| Drupal--Block Attributes | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Block Attributes allows Cross-Site Scripting (XSS).This issue affects Block Attributes: from 0.0.0 before 1.1.0, from 2.0.0 before 2.0.1. | 2025-07-21 | not yet calculated | CVE-2025-7715 |
| Drupal--Cookies Addons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Cookies Addons allows Cross-Site Scripting (XSS).This issue affects Cookies Addons: from 1.0.0 before 1.2.4. | 2025-07-21 | not yet calculated | CVE-2025-7392 |
| Drupal--File Download | Missing Authorization vulnerability in Drupal File Download allows Forceful Browsing.This issue affects File Download: from 0.0.0 before 1.9.0, from 2.0.0 before 2.0.1. | 2025-07-21 | not yet calculated | CVE-2025-7717 |
| Drupal--Mail Login | Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Mail Login allows Brute Force.This issue affects Mail Login: from 3.0.0 before 3.2.0, from 4.0.0 before 4.2.0. | 2025-07-21 | not yet calculated | CVE-2025-7393 |
| Drupal--Real-time SEO for Drupal | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Real-time SEO for Drupal allows Cross-Site Scripting (XSS).This issue affects Real-time SEO for Drupal: from 2.0.0 before 2.2.0. | 2025-07-21 | not yet calculated | CVE-2025-7716 |
| Eclipse Foundation--Jakarta Mail | In Jakarta Mail 2.0.2 it is possible to preform a SMTP Injection by utilizing the \r and \n UTF-8 characters to separate different messages. | 2025-07-21 | not yet calculated | CVE-2025-7962 |
| eosphoros-ai--DB-GPT | SQL Injection in editor_sql_run and query_ex in eosphoros-ai DB-GPT 0.7.0 allows remote attackers to execute arbitrary SQL statements via crafted input passed to the /v1/editor/sql/run or /v1/editor/chart/run endpoints, interacting with api_editor_v1.editor_sql_run, editor_chart_run, and datasource.rdbms.base.query_ex. | 2025-07-22 | not yet calculated | CVE-2025-51458 |
| eosphoros-ai--DB-GPT | File Upload vulnerability in agent.hub.controller.refresh_plugins in eosphoros-ai DB-GPT 0.7.0 allows remote attackers to execute arbitrary code via a malicious plugin ZIP file uploaded to the /v1/personal/agent/upload endpoint, interacting with plugin_hub._sanitize_filename and plugins_util.scan_plugins. | 2025-07-22 | not yet calculated | CVE-2025-51459 |
| ETQ--Reliance CG (legacy) | An authorization bypass vulnerability exists in ETQ Reliance (legacy CG and NXG SaaS platforms). By appending a specific URI suffix to certain API endpoints, an unauthenticated attacker can bypass access control checks and retrieve limited sensitive resources. The root cause was a misconfiguration in API authorization logic, which has since been corrected in SE.2025.1 and 2025.1.2. | 2025-07-22 | not yet calculated | CVE-2025-34140 |
| ETQ--Reliance CG (legacy) | A reflected cross-site scripting (XSS) vulnerability exists in ETQ Reliance CG (legacy) platform within the `SQLConverterServlet` component. This vulnerability requires user interaction, such as clicking a crafted link, and may result in execution of unauthorized scripts in the user's context. The affected servlet was unnecessarily exposed to authenticated users and has since been disabled in version SE.2025.1. | 2025-07-22 | not yet calculated | CVE-2025-34141 |
| ETQ--Reliance CG (legacy) | An XML External Entity (XXE) injection vulnerability exists in ETQ Reliance on the CG (legacy) platform within the `/resources/sessions/sso` endpoint. The SAML authentication handler processes XML input without disabling external entity resolution, allowing crafted SAML responses to invoke external entity references. This could enable attackers to retrieve sensitive files or perform server-side request forgery (SSRF). The issue was addressed by disabling external entity processing for the affected XML parser in versions SE.2025.1 and 2025.1.2. | 2025-07-22 | not yet calculated | CVE-2025-34142 |
| ETQ--Reliance CG (legacy) | An authentication bypass vulnerability exists in ETQ Reliance on the CG (legacy) platform. The application allowed login as the privileged internal SYSTEM user by manipulating the username field. The SYSTEM account does not require a password, enabling attackers with network access to the login page to obtain elevated access. Once authenticated, an attacker could achieve remote code execution by modifying Jython scripts within the application. This issue was resolved by introducing stricter validation logic to exclude internal accounts from public authentication workflows in version MP-4583. | 2025-07-22 | not yet calculated | CVE-2025-34143 |
| ETSI--Open-Source MANO | An issue in ETSI Open-Source MANO (OSM) v.14.x, v.15.x allows a remote attacker to escalate privileges via the /osm/admin/v1/users component | 2025-07-25 | not yet calculated | CVE-2024-48729 |
| ETSI--Open-Source MANO | An issue in ETSI Open-Source MANO (OSM) v.14.x, v.15.x allows a remote attacker to escalate privileges via not imposing any restrictions on the authentication attempts performed by an admin user | 2025-07-25 | not yet calculated | CVE-2024-48730 |
| Eveo--URVE Web Manager | An issue was discovered in Eveo URVE Web Manager 27.02.2025. The endpoint /_internal/redirect.php allows for Server-Side Request Forgery (SSRF). The endpoint takes a URL as input, sends a request to this address, and reflects the content in the response. This can be used to request endpoints only reachable by the application server. | 2025-07-21 | not yet calculated | CVE-2025-36845 |
| Eveo--URVE Web Manager | An issue was discovered in Eveo URVE Web Manager 27.02.2025. The application exposes a /_internal/pc/vpro.php localhost endpoint to unauthenticated users that is vulnerable to OS Command Injection. The endpoint takes an input parameter that is passed directly into the shell_exec() function of PHP. NOTE: this can be chained with CVE-2025-36845. | 2025-07-21 | not yet calculated | CVE-2025-36846 |
| Extreme Networks--ExtremeControl | In ExtremeControl before 25.5.12, a cross-site scripting (XSS) vulnerability was discovered in a login interface of the affected application. The issue stems from improper handling of user-supplied input within HTML attributes, allowing an attacker to inject script code that may execute in a user's browser under specific interaction conditions. Successful exploitation could lead to exposure of user data or unauthorized actions within the browser context. | 2025-07-21 | not yet calculated | CVE-2025-6235 |
| freescout-help-desk--freescout | FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). In versions 1.8.185 and below, there is a critical deserialization vulnerability in the /conversation/ajax endpoint that allows authenticated users with knowledge of the APP_KEY to achieve remote code execution. The vulnerability occurs when the application processes the attachments_all and attachments POST parameters through the insecure Helper::decrypt() function, which performs unsafe deserialization of user-controlled data without proper validation. This flaw enables attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. This is fixed in version 1.8.186. | 2025-07-26 | not yet calculated | CVE-2025-54366 |
| Gardyn--Gardyn 4 | An issue in Gardyn 4 allows a remote attacker to obtain sensitive information and execute arbitrary code via a request | 2025-07-25 | not yet calculated | CVE-2025-29628 |
| Gardyn--Gardyn 4 | An issue in Gardyn 4 allows a remote attacker to obtain sensitive information and execute arbitrary code via the Gardyn Home component | 2025-07-25 | not yet calculated | CVE-2025-29629 |
| Gardyn--Gardyn 4 | An issue in Gardyn 4 allows a remote attacker with the corresponding ssh private key can gain remote root access to affected devices | 2025-07-25 | not yet calculated | CVE-2025-29630 |
| Gardyn--Gardyn 4 | An issue in Gardyn 4 allows a remote attacker execute arbitrary code | 2025-07-25 | not yet calculated | CVE-2025-29631 |
| GetSimple CMS Project--GetSimple CMS | An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application's upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist. | 2025-07-25 | not yet calculated | CVE-2013-10032 |
| Gift Pad Co.,Ltd.--"region PAY" App for Android | Insertion of sensitive information into log file issue exists in "region PAY" App for Android prior to 1.5.28. If exploited, sensitive user information may be exposed to an attacker who has access to the application logs. | 2025-07-22 | not yet calculated | CVE-2025-52580 |
| goauthentik--authentik | authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to OAuth/SAML providers can still retain partial access to the system despite their accounts being deactivated. They end up in a half-authenticated state where they cannot access the API but crucially they can authorize applications if they know the URL of the application. To workaround this issue, developers can add an expression policy to the user login stage on the respective authentication flow with the expression of return request.context["pending_user"].is_active. This modification ensures that the return statement only activates the user login stage when the user is active. This issue is fixed in versions authentik 2025.4.4 and 2025.6.4. | 2025-07-23 | not yet calculated | CVE-2025-53942 |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-07-22 | not yet calculated | CVE-2025-8010 |
| Google--Chrome | Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-07-22 | not yet calculated | CVE-2025-8011 |
| H3C--GR2200 MiniGR1A0V100R016 | In H3C GR2200 MiniGR1A0V100R016, the USERLIMIT_GLOBAL option is set to 0 in the /etc/bftpd.conf. This can cause DoS attacks when unlimited users are connected. | 2025-07-21 | not yet calculated | CVE-2025-44653 |
| haxtheweb--issues | HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform authorization or authentication checks. If a user were to deploy haxcms-nodejs without modifying the default settings, 'HAXCMS_DISABLE_JWT_CHECKS' would be set to 'true' and their deployment would lack session authentication. This is fixed in version 11.0.7. | 2025-07-21 | not yet calculated | CVE-2025-54127 |
| haxtheweb--issues | HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.7 and below, the NodeJS version of HAX CMS has a disabled Content Security Policy (CSP). This configuration is insecure for a production application because it does not protect against cross-site-scripting attacks. The contentSecurityPolicy value is explicitly disabled in the application's Helmet configuration in app.js. This is fixed in version 11.0.8. | 2025-07-21 | not yet calculated | CVE-2025-54128 |
| haxtheweb--issues | HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints. This vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters. This is fixed in version 11.0.9. | 2025-07-21 | not yet calculated | CVE-2025-54134 |
| hMailServer--hMailServer | An issue in hMailServer v.5.8.6 allows a local attacker to obtain sensitive information via the hmailserver/installation/hMailServerInnoExtension.iss and hMailServer.ini components. | 2025-07-21 | not yet calculated | CVE-2025-52372 |
| hMailServer--hMailServer | Use of hardcoded cryptographic key in BlowFish.cpp in hMailServer 5.8.6 and 5.6.9-beta allows attacker to decrypt passwords used in database connections from hMailServer.ini config file. | 2025-07-21 | not yet calculated | CVE-2025-52373 |
| hMailServer--hMailServer | Use of hardcoded cryptographic key in Encryption.cs in hMailServer 5.8.6 and 5.6.9-beta allows attacker to decrypt passwords to other servers from hMailAdmin.exe.config file to access other hMailServer admin consoles with configured connections. | 2025-07-21 | not yet calculated | CVE-2025-52374 |
| HP Inc.--Certain HP DesignJet products | Certain HP DesignJet products may be vulnerable to information disclosure though printer's web interface allowing unauthenticated users to view sensitive print job information. | 2025-07-25 | not yet calculated | CVE-2025-3508 |
| HP Inc.--Poly Clariti Manager | A potential command injection vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.2. The vulnerability could allow a privileged user to submit arbitrary input. HP has addressed the issue in the latest software update. | 2025-07-22 | not yet calculated | CVE-2025-43020 |
| HP Inc.--Poly Clariti Manager | A potential security vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The vulnerability could allow the use and retrieval of the default password. HP has addressed the issue in the latest software update. | 2025-07-22 | not yet calculated | CVE-2025-43021 |
| HP Inc.--Poly Clariti Manager | A potential SQL injection vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The vulnerability could allow a privileged user to execute SQL commands. HP has addressed the issue in the latest software update. | 2025-07-22 | not yet calculated | CVE-2025-43022 |
| HP Inc.--Poly Clariti Manager | A potential security vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The vulnerability could allow the retrieval of hardcoded cryptographic keys. HP has addressed the issue in the latest software update. | 2025-07-22 | not yet calculated | CVE-2025-43483 |
| HP Inc.--Poly Clariti Manager | A potential reflected cross-site scripting vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The website does not validate or sanitize the user input before rendering it in the response. HP has addressed the issue in the latest software update. | 2025-07-22 | not yet calculated | CVE-2025-43484 |
| HP Inc.--Poly Clariti Manager | A potential security vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.2. The vulnerability could potentially allow a privileged user to retrieve credentials from the log files. HP has addressed the issue in the latest software update. | 2025-07-22 | not yet calculated | CVE-2025-43485 |
| HP Inc.--Poly Clariti Manager | A potential stored cross-site scripting vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The website allows user input to be stored and rendered without proper sanitization. HP has addressed the issue in the latest software update. | 2025-07-22 | not yet calculated | CVE-2025-43486 |
| HP Inc.--Poly Clariti Manager | A potential privilege escalation through Sudo vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.2. The firmware flaw does not properly implement access controls. HP has addressed the issue in the latest software update. | 2025-07-22 | not yet calculated | CVE-2025-43487 |
| HP Inc.--Poly Clariti Manager | A potential security vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.2. The vulnerability could allow a bypass of the application's XSS filter by submitting untrusted characters. HP has addressed the issue in the latest software update. | 2025-07-22 | not yet calculated | CVE-2025-43488 |
| HP Inc.--Poly Clariti Manager | A potential security vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.1. The vulnerability could deserialize untrusted data without validation. HP has addressed the issue in the latest software update. | 2025-07-22 | not yet calculated | CVE-2025-43489 |
| huggingface--huggingface/smolagents | A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution environment and achieve remote code execution (RCE). The vulnerability stems from the local_python_executor.py module, which inadequately restricts Python code execution despite employing static and dynamic checks. Attackers can exploit whitelisted modules and functions to execute arbitrary code, compromising the host system. This flaw undermines the core security boundary intended to isolate untrusted code, posing risks such as unauthorized code execution, data leakage, and potential integration-level compromise. The issue is resolved in version 1.17.0. | 2025-07-27 | not yet calculated | CVE-2025-5120 |
| HybridAuth--HybridAuth | A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and fails to sanitize input before writing to the application's config.php file. An unauthenticated attacker can inject arbitrary PHP code into config.php, which is later executed when the file is loaded. This allows attackers to achieve remote code execution on the server. Exploitation of this issue will overwrite the existing configuration, rendering the application non-functional. | 2025-07-25 | not yet calculated | CVE-2014-125116 |
| i-Ftp--i-Ftp | A stack-based buffer overflow vulnerability exists in i-Ftp version 2.20 due to improper handling of the Time attribute within Schedule.xml. By placing a specially crafted Schedule.xml file in the i-Ftp application directory, a remote attacker can trigger a buffer overflow during scheduled download parsing, potentially leading to arbitrary code execution or a crash. | 2025-07-25 | not yet calculated | CVE-2014-125114 |
| Imprivata--Enterprise Access Management | A vulnerability in Imprivata Enterprise Access Management (formerly Imprivata OneSign) allows bypassing the login screen of the shared kiosk workstation and allows unauthorized access to the underlying Windows system through the already logged-in autologon account due to insufficient handling of keyboard shortcuts. This issue affects Imprivata Enterprise Access Management versions 5.3 through 24.2. | 2025-07-23 | not yet calculated | CVE-2024-12310 |
| INVT--HMITool | INVT HMITool VPM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of INVT HMITool. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of VPM files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25044. | 2025-07-21 | not yet calculated | CVE-2025-7223 |
| INVT--HMITool | INVT HMITool VPM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of INVT HMITool. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of VPM files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25045. | 2025-07-21 | not yet calculated | CVE-2025-7224 |
| INVT--HMITool | INVT HMITool VPM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of INVT HMITool. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of VPM files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25047. | 2025-07-21 | not yet calculated | CVE-2025-7225 |
| INVT--HMITool | INVT HMITool VPM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of INVT HMITool. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of VPM files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25048. | 2025-07-21 | not yet calculated | CVE-2025-7226 |
| INVT--VT-Designer | INVT VT-Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of INVT VT-Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PM3 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25550. | 2025-07-21 | not yet calculated | CVE-2025-7227 |
| INVT--VT-Designer | INVT VT-Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of INVT VT-Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PM3 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25571. | 2025-07-21 | not yet calculated | CVE-2025-7228 |
| INVT--VT-Designer | INVT VT-Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of INVT VT-Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PM3 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25722. | 2025-07-21 | not yet calculated | CVE-2025-7229 |
| INVT--VT-Designer | INVT VT-Designer PM3 File Parsing Type Confusion Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of INVT VT-Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PM3 files. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25723. | 2025-07-21 | not yet calculated | CVE-2025-7230 |
| INVT--VT-Designer | INVT VT-Designer PM3 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of INVT VT-Designer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PM3 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated data structure. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25724. | 2025-07-21 | not yet calculated | CVE-2025-7231 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26072. | 2025-07-21 | not yet calculated | CVE-2025-7233 |
| IrfanView--IrfanView | IrfanView CADImage Plugin CGM File Parsing Out-of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CGM files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26074. | 2025-07-21 | not yet calculated | CVE-2025-7234 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26075. | 2025-07-21 | not yet calculated | CVE-2025-7235 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26080. | 2025-07-21 | not yet calculated | CVE-2025-7236 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26083. | 2025-07-21 | not yet calculated | CVE-2025-7237 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26084. | 2025-07-21 | not yet calculated | CVE-2025-7238 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26085. | 2025-07-21 | not yet calculated | CVE-2025-7239 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26086. | 2025-07-21 | not yet calculated | CVE-2025-7240 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26087. | 2025-07-21 | not yet calculated | CVE-2025-7241 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26088. | 2025-07-21 | not yet calculated | CVE-2025-7242 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26091. | 2025-07-21 | not yet calculated | CVE-2025-7243 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26093. | 2025-07-21 | not yet calculated | CVE-2025-7244 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26095. | 2025-07-21 | not yet calculated | CVE-2025-7246 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26096. | 2025-07-21 | not yet calculated | CVE-2025-7247 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26098. | 2025-07-21 | not yet calculated | CVE-2025-7248 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26100. | 2025-07-21 | not yet calculated | CVE-2025-7249 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26107. | 2025-07-21 | not yet calculated | CVE-2025-7250 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26108. | 2025-07-21 | not yet calculated | CVE-2025-7251 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26109. | 2025-07-21 | not yet calculated | CVE-2025-7252 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26112. | 2025-07-21 | not yet calculated | CVE-2025-7253 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26113. | 2025-07-21 | not yet calculated | CVE-2025-7254 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26118. | 2025-07-21 | not yet calculated | CVE-2025-7255 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26119. | 2025-07-21 | not yet calculated | CVE-2025-7256 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26126. | 2025-07-21 | not yet calculated | CVE-2025-7257 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26127. | 2025-07-21 | not yet calculated | CVE-2025-7258 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26129. | 2025-07-21 | not yet calculated | CVE-2025-7260 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26130. | 2025-07-21 | not yet calculated | CVE-2025-7261 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26132. | 2025-07-21 | not yet calculated | CVE-2025-7262 |
| IrfanView--IrfanView | IrfanView CADImage Plugin CGM File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CGM files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26170. | 2025-07-21 | not yet calculated | CVE-2025-7263 |
| IrfanView--IrfanView | IrfanView CADImage Plugin CGM File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CGM files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26171. | 2025-07-21 | not yet calculated | CVE-2025-7264 |
| IrfanView--IrfanView | IrfanView CADImage Plugin CGM File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CGM files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26173. | 2025-07-21 | not yet calculated | CVE-2025-7265 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26174. | 2025-07-21 | not yet calculated | CVE-2025-7266 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26179. | 2025-07-21 | not yet calculated | CVE-2025-7267 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26182. | 2025-07-21 | not yet calculated | CVE-2025-7268 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26188. | 2025-07-21 | not yet calculated | CVE-2025-7269 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26189. | 2025-07-21 | not yet calculated | CVE-2025-7270 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26193. | 2025-07-21 | not yet calculated | CVE-2025-7271 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26198. | 2025-07-21 | not yet calculated | CVE-2025-7272 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26202. | 2025-07-21 | not yet calculated | CVE-2025-7273 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26203. | 2025-07-21 | not yet calculated | CVE-2025-7274 |
| IrfanView--IrfanView | IrfanView CADImage Plugin CGM File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CGM files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26204. | 2025-07-21 | not yet calculated | CVE-2025-7275 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26208. | 2025-07-21 | not yet calculated | CVE-2025-7276 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26209. | 2025-07-21 | not yet calculated | CVE-2025-7277 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26211. | 2025-07-21 | not yet calculated | CVE-2025-7278 |
| IrfanView--IrfanView | IrfanView CADImage Plugin CGM File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CGM files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26213. | 2025-07-21 | not yet calculated | CVE-2025-7279 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26214. | 2025-07-21 | not yet calculated | CVE-2025-7280 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26215. | 2025-07-21 | not yet calculated | CVE-2025-7281 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26216. | 2025-07-21 | not yet calculated | CVE-2025-7282 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26219. | 2025-07-21 | not yet calculated | CVE-2025-7283 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26220. | 2025-07-21 | not yet calculated | CVE-2025-7284 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26221. | 2025-07-21 | not yet calculated | CVE-2025-7285 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26222. | 2025-07-21 | not yet calculated | CVE-2025-7286 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26223. | 2025-07-21 | not yet calculated | CVE-2025-7287 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26224. | 2025-07-21 | not yet calculated | CVE-2025-7288 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26225. | 2025-07-21 | not yet calculated | CVE-2025-7289 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26226. | 2025-07-21 | not yet calculated | CVE-2025-7290 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26227. | 2025-07-21 | not yet calculated | CVE-2025-7291 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26228. | 2025-07-21 | not yet calculated | CVE-2025-7292 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26229. | 2025-07-21 | not yet calculated | CVE-2025-7293 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26230. | 2025-07-21 | not yet calculated | CVE-2025-7294 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26242. | 2025-07-21 | not yet calculated | CVE-2025-7295 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26243. | 2025-07-21 | not yet calculated | CVE-2025-7296 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26244. | 2025-07-21 | not yet calculated | CVE-2025-7297 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26246. | 2025-07-21 | not yet calculated | CVE-2025-7298 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26376. | 2025-07-21 | not yet calculated | CVE-2025-7299 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26377. | 2025-07-21 | not yet calculated | CVE-2025-7300 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26380. | 2025-07-21 | not yet calculated | CVE-2025-7301 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26381. | 2025-07-21 | not yet calculated | CVE-2025-7302 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26384. | 2025-07-21 | not yet calculated | CVE-2025-7303 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26385. | 2025-07-21 | not yet calculated | CVE-2025-7304 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26386. | 2025-07-21 | not yet calculated | CVE-2025-7305 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26387. | 2025-07-21 | not yet calculated | CVE-2025-7306 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26388. | 2025-07-21 | not yet calculated | CVE-2025-7307 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26389. | 2025-07-21 | not yet calculated | CVE-2025-7308 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26391. | 2025-07-21 | not yet calculated | CVE-2025-7309 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26393. | 2025-07-21 | not yet calculated | CVE-2025-7310 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26395. | 2025-07-21 | not yet calculated | CVE-2025-7311 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26398. | 2025-07-21 | not yet calculated | CVE-2025-7312 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26399. | 2025-07-21 | not yet calculated | CVE-2025-7313 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26400. | 2025-07-21 | not yet calculated | CVE-2025-7314 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26408. | 2025-07-21 | not yet calculated | CVE-2025-7315 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26410. | 2025-07-21 | not yet calculated | CVE-2025-7316 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26411. | 2025-07-21 | not yet calculated | CVE-2025-7317 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26412. | 2025-07-21 | not yet calculated | CVE-2025-7318 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26413. | 2025-07-21 | not yet calculated | CVE-2025-7319 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26418. | 2025-07-21 | not yet calculated | CVE-2025-7320 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26421. | 2025-07-21 | not yet calculated | CVE-2025-7321 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26423. | 2025-07-21 | not yet calculated | CVE-2025-7322 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DWG File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DWG files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26428. | 2025-07-21 | not yet calculated | CVE-2025-7323 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26430. | 2025-07-21 | not yet calculated | CVE-2025-7324 |
| IrfanView--IrfanView | IrfanView CADImage Plugin DXF File Parsing Memory Corruption Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of IrfanView CADImage Plugin. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of DXF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26434. | 2025-07-21 | not yet calculated | CVE-2025-7325 |
| IROAD--FX2 Dashcam | An issue was discovered on IROAD Dashcam FX2 devices. Dumping Files Over HTTP and RTSP Without Authentication can occur. It lacks authentication controls on its HTTP and RTSP interfaces, allowing attackers to retrieve sensitive files and video recordings. By connecting to http://192.168.10.1/mnt/extsd/event/, an attacker can download all stored video recordings in an unencrypted manner. Additionally, the RTSP stream on port 8554 is accessible without authentication, allowing an attacker to view live footage. | 2025-07-25 | not yet calculated | CVE-2025-30135 |
| Japheth--httpdasm | A path traversal vulnerability exists in httpdasm version 0.92, a lightweight Windows HTTP server, that allows unauthenticated attackers to read arbitrary files on the host system. By sending a specially crafted GET request containing a sequence of URL-encoded backslashes and directory traversal patterns, an attacker can escape the web root and access sensitive files outside of the intended directory. | 2025-07-23 | not yet calculated | CVE-2010-10012 |
| JHipster--JHipster | JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLE_USER. By manipulating the authorities parameter and changing its value to ROLE_ADMIN, the privilege is successfully escalated to an Admin level. This allowed the access to all admin-related functionalities in the application. | 2025-07-25 | not yet calculated | CVE-2025-43712 |
| Kaltura--Video Platform | A remote code execution vulnerability exists in Kaltura versions prior to 11.1.0-2 due to unsafe deserialization of user-controlled data within the keditorservices module. An unauthenticated remote attacker can exploit this issue by sending a specially crafted serialized PHP object in the kdata GET parameter to the redirectWidgetCmd endpoint. Successful exploitation leads to execution of arbitrary PHP code in the context of the web server process. | 2025-07-23 | not yet calculated | CVE-2016-15044 |
| Koha Community--Koha Library Management System | A Cross-Site Scripting (XSS) vulnerability exists in the OPAC search feature of Koha Library Management System v24.05. Unsanitized input entered in the search field is reflected in the search history interface, leading to the execution of arbitrary JavaScript in the browser context when the user interacts with the interface. | 2025-07-25 | not yet calculated | CVE-2025-52360 |
| Lakeside Software--SyStrack | LsiAgent.exe, a component of SysTrack from Lakeside Software, attempts to load several DLL files which are not present in the default installation. If a user-writable directory is present in the SYSTEM PATH environment variable, the user can write a malicious DLL to that directory with arbitrary code. This malicious DLL is executed in the context of NT AUTHORITY\SYSTEM upon service start or restart, due to the Windows default dynamic-link library search order, resulting in local elevation of privileges. | 2025-07-27 | not yet calculated | CVE-2025-6241 |
| Laser Romaes.r.l.--OpenBlow | A client-side security misconfiguration vulnerability exists in OpenBlow whistleblowing platform across multiple versions and default deployments, due to the absence of critical HTTP response headers including Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. This omission weakens browser-level defenses and exposes users to cross-site scripting (XSS), clickjacking, and referer leakage. Although some instances attempt to enforce CSP via HTML <meta> tags, this method is ineffective, as modern browsers rely on header-based enforcement to reliably block inline scripts and untrusted resources. | 2025-07-25 | not yet calculated | CVE-2025-34114 |
| letta-ai--Letta | Remote Code Execution in letta.server.rest_api.routers.v1.tools.run_tool_from_source in letta-ai Letta 0.7.12 allows remote attackers to execute arbitrary Python code and system commands via crafted payloads to the /v1/tools/run endpoint, bypassing intended sandbox restrictions. | 2025-07-22 | not yet calculated | CVE-2025-51482 |
| lf-edge--ekuiper | LF Edge eKuiper is a lightweight IoT data analytics and stream processing engine running on resource-constraint edge devices. In versions before 2.2.1, there is a critical SQL Injection vulnerability in the getLast API functionality of the eKuiper project. This flaw allows unauthenticated remote attackers to execute arbitrary SQL statements on the underlying SQLite database by manipulating the table name input in an API request. Exploitation can lead to data theft, corruption, or deletion, and full database compromise. This is fixed in version 2.2.1. | 2025-07-24 | not yet calculated | CVE-2025-54379 |
| LG Innotek--Camera Model LNV5110R | An authentication vulnerability exists in the LG Innotek camera model LNV5110R firmware that allows a malicious actor to upload an HTTP POST request to the devices non-volatile storage. This action may result in remote code execution that allows an attacker to run arbitrary commands on the target device at the administrator privilege level. | 2025-07-24 | not yet calculated | CVE-2025-7742 |
| Linkify--Linkify | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2. | 2025-07-25 | not yet calculated | CVE-2025-8101 |
| Linksys--E2500 | In Linksys E2500 3.0.04.002, the chroot_local_user option is enabled in the vsftpd configuration file. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks. | 2025-07-21 | not yet calculated | CVE-2025-44654 |
| Linksys--EA6350 | In Linksys EA6350 V2.1.2, the chroot_local_user option is enabled in the dynamically generated vsftpd configuration file. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks. | 2025-07-21 | not yet calculated | CVE-2025-44657 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() If an exiting non-autoreaping task has already passed exit_notify() and calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent or debugger right after unlock_task_sighand(). If a concurrent posix_cpu_timer_del() runs at that moment, it won't be able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or lock_task_sighand() will fail. Add the tsk->exit_state check into run_posix_cpu_timers() to fix this. This fix is not needed if CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y, because exit_task_work() is called before exit_notify(). But the check still makes sense, task_work_add(&tsk->posix_cputimers_work.work) will fail anyway in this case. | 2025-07-22 | not yet calculated | CVE-2025-38352 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix taking invalid lock on wedge If device wedges on e.g. GuC upload, the submission is not yet enabled and the state is not even initialized. Protect the wedge call so it does nothing in this case. It fixes the following splat: [] xe 0000:bf:00.0: [drm] device wedged, needs recovery [] ------------[ cut here ]------------ [] DEBUG_LOCKS_WARN_ON(lock->magic != lock) [] WARNING: CPU: 48 PID: 312 at kernel/locking/mutex.c:564 __mutex_lock+0x8a1/0xe60 ... [] RIP: 0010:__mutex_lock+0x8a1/0xe60 [] mutex_lock_nested+0x1b/0x30 [] xe_guc_submit_wedge+0x80/0x2b0 [xe] | 2025-07-25 | not yet calculated | CVE-2025-38353 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/gpu: Fix crash when throttling GPU immediately during boot There is a small chance that the GPU is already hot during boot. In that case, the call to of_devfreq_cooling_register() will immediately try to apply devfreq cooling, as seen in the following crash: Unable to handle kernel paging request at virtual address 0000000000014110 pc : a6xx_gpu_busy+0x1c/0x58 [msm] lr : msm_devfreq_get_dev_status+0xbc/0x140 [msm] Call trace: a6xx_gpu_busy+0x1c/0x58 [msm] (P) devfreq_simple_ondemand_func+0x3c/0x150 devfreq_update_target+0x44/0xd8 qos_max_notifier_call+0x30/0x84 blocking_notifier_call_chain+0x6c/0xa0 pm_qos_update_target+0xd0/0x110 freq_qos_apply+0x3c/0x74 apply_constraint+0x88/0x148 __dev_pm_qos_update_request+0x7c/0xcc dev_pm_qos_update_request+0x38/0x5c devfreq_cooling_set_cur_state+0x98/0xf0 __thermal_cdev_update+0x64/0xb4 thermal_cdev_update+0x4c/0x58 step_wise_manage+0x1f0/0x318 __thermal_zone_device_update+0x278/0x424 __thermal_cooling_device_register+0x2bc/0x308 thermal_of_cooling_device_register+0x10/0x1c of_devfreq_cooling_register_power+0x240/0x2bc of_devfreq_cooling_register+0x14/0x20 msm_devfreq_init+0xc4/0x1a0 [msm] msm_gpu_init+0x304/0x574 [msm] adreno_gpu_init+0x1c4/0x2e0 [msm] a6xx_gpu_init+0x5c8/0x9c8 [msm] adreno_bind+0x2a8/0x33c [msm] ... At this point we haven't initialized the GMU at all yet, so we cannot read the GMU registers inside a6xx_gpu_busy(). A similar issue was fixed before in commit 6694482a70e9 ("drm/msm: Avoid unclocked GMU register access in 6xx gpu_busy"): msm_devfreq_init() does call devfreq_suspend_device(), but unlike msm_devfreq_suspend(), it doesn't set the df->suspended flag accordingly. This means the df->suspended flag does not match the actual devfreq state after initialization and msm_devfreq_get_dev_status() will end up accessing GMU registers, causing the crash. Fix this by setting df->suspended correctly during initialization. Patchwork: https://patchwork.freedesktop.org/patch/650772/ | 2025-07-25 | not yet calculated | CVE-2025-38354 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe: Process deferred GGTT node removals on device unwind While we are indirectly draining our dedicated workqueue ggtt->wq that we use to complete asynchronous removal of some GGTT nodes, this happends as part of the managed-drm unwinding (ggtt_fini_early), which could be later then manage-device unwinding, where we could already unmap our MMIO/GMS mapping (mmio_fini). This was recently observed during unsuccessful VF initialization: [ ] xe 0000:00:02.1: probe with driver xe failed with error -62 [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747340 __xe_bo_unpin_map_no_vm (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747540 __xe_bo_unpin_map_no_vm (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747240 __xe_bo_unpin_map_no_vm (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747040 tiles_fini (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746840 mmio_fini (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e747f40 xe_bo_pinned_fini (16 bytes) [ ] xe 0000:00:02.1: DEVRES REL ffff88811e746b40 devm_drm_dev_init_release (16 bytes) [ ] xe 0000:00:02.1: [drm:drm_managed_release] drmres release begin [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef81640 __fini_relay (8 bytes) [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80d40 guc_ct_fini (8 bytes) [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80040 __drmm_mutex_release (8 bytes) [ ] xe 0000:00:02.1: [drm:drm_managed_release] REL ffff88810ef80140 ggtt_fini_early (8 bytes) and this was leading to: [ ] BUG: unable to handle page fault for address: ffffc900058162a0 [ ] #PF: supervisor write access in kernel mode [ ] #PF: error_code(0x0002) - not-present page [ ] Oops: Oops: 0002 [#1] SMP NOPTI [ ] Tainted: [W]=WARN [ ] Workqueue: xe-ggtt-wq ggtt_node_remove_work_func [xe] [ ] RIP: 0010:xe_ggtt_set_pte+0x6d/0x350 [xe] [ ] Call Trace: [ ] <TASK> [ ] xe_ggtt_clear+0xb0/0x270 [xe] [ ] ggtt_node_remove+0xbb/0x120 [xe] [ ] ggtt_node_remove_work_func+0x30/0x50 [xe] [ ] process_one_work+0x22b/0x6f0 [ ] worker_thread+0x1e8/0x3d Add managed-device action that will explicitly drain the workqueue with all pending node removals prior to releasing MMIO/GSM mapping. (cherry picked from commit 89d2835c3680ab1938e22ad81b1c9f8c686bd391) | 2025-07-25 | not yet calculated | CVE-2025-38355 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/guc: Explicitly exit CT safe mode on unwind During driver probe we might be briefly using CT safe mode, which is based on a delayed work, but usually we are able to stop this once we have IRQ fully operational. However, if we abort the probe quite early then during unwind we might try to destroy the workqueue while there is still a pending delayed work that attempts to restart itself which triggers a WARN. This was recently observed during unsuccessful VF initialization: [ ] xe 0000:00:02.1: probe with driver xe failed with error -62 [ ] ------------[ cut here ]------------ [ ] workqueue: cannot queue safe_mode_worker_func [xe] on wq xe-g2h-wq [ ] WARNING: CPU: 9 PID: 0 at kernel/workqueue.c:2257 __queue_work+0x287/0x710 [ ] RIP: 0010:__queue_work+0x287/0x710 [ ] Call Trace: [ ] delayed_work_timer_fn+0x19/0x30 [ ] call_timer_fn+0xa1/0x2a0 Exit the CT safe mode on unwind to avoid that warning. (cherry picked from commit 2ddbb73ec20b98e70a5200cb85deade22ccea2ec) | 2025-07-25 | not yet calculated | CVE-2025-38356 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fuse: fix runtime warning on truncate_folio_batch_exceptionals() The WARN_ON_ONCE is introduced on truncate_folio_batch_exceptionals() to capture whether the filesystem has removed all DAX entries or not. And the fix has been applied on the filesystem xfs and ext4 by the commit 0e2f80afcfa6 ("fs/dax: ensure all pages are idle prior to filesystem unmount"). Apply the missed fix on filesystem fuse to fix the runtime warning: [ 2.011450] ------------[ cut here ]------------ [ 2.011873] WARNING: CPU: 0 PID: 145 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0x272/0x2b0 [ 2.012468] Modules linked in: [ 2.012718] CPU: 0 UID: 1000 PID: 145 Comm: weston Not tainted 6.16.0-rc2-WSL2-STABLE #2 PREEMPT(undef) [ 2.013292] RIP: 0010:truncate_folio_batch_exceptionals+0x272/0x2b0 [ 2.013704] Code: 48 63 d0 41 29 c5 48 8d 1c d5 00 00 00 00 4e 8d 6c 2a 01 49 c1 e5 03 eb 09 48 83 c3 08 49 39 dd 74 83 41 f6 44 1c 08 01 74 ef <0f> 0b 49 8b 34 1e 48 89 ef e8 10 a2 17 00 eb df 48 8b 7d 00 e8 35 [ 2.014845] RSP: 0018:ffffa47ec33f3b10 EFLAGS: 00010202 [ 2.015279] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 2.015884] RDX: 0000000000000000 RSI: ffffa47ec33f3ca0 RDI: ffff98aa44f3fa80 [ 2.016377] RBP: ffff98aa44f3fbf0 R08: ffffa47ec33f3ba8 R09: 0000000000000000 [ 2.016942] R10: 0000000000000001 R11: 0000000000000000 R12: ffffa47ec33f3ca0 [ 2.017437] R13: 0000000000000008 R14: ffffa47ec33f3ba8 R15: 0000000000000000 [ 2.017972] FS: 000079ce006afa40(0000) GS:ffff98aade441000(0000) knlGS:0000000000000000 [ 2.018510] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2.018987] CR2: 000079ce03e74000 CR3: 000000010784f006 CR4: 0000000000372eb0 [ 2.019518] Call Trace: [ 2.019729] <TASK> [ 2.019901] truncate_inode_pages_range+0xd8/0x400 [ 2.020280] ? timerqueue_add+0x66/0xb0 [ 2.020574] ? get_nohz_timer_target+0x2a/0x140 [ 2.020904] ? timerqueue_add+0x66/0xb0 [ 2.021231] ? timerqueue_del+0x2e/0x50 [ 2.021646] ? __remove_hrtimer+0x39/0x90 [ 2.022017] ? srso_alias_untrain_ret+0x1/0x10 [ 2.022497] ? psi_group_change+0x136/0x350 [ 2.023046] ? _raw_spin_unlock+0xe/0x30 [ 2.023514] ? finish_task_switch.isra.0+0x8d/0x280 [ 2.024068] ? __schedule+0x532/0xbd0 [ 2.024551] fuse_evict_inode+0x29/0x190 [ 2.025131] evict+0x100/0x270 [ 2.025641] ? _atomic_dec_and_lock+0x39/0x50 [ 2.026316] ? __pfx_generic_delete_inode+0x10/0x10 [ 2.026843] __dentry_kill+0x71/0x180 [ 2.027335] dput+0xeb/0x1b0 [ 2.027725] __fput+0x136/0x2b0 [ 2.028054] __x64_sys_close+0x3d/0x80 [ 2.028469] do_syscall_64+0x6d/0x1b0 [ 2.028832] ? clear_bhb_loop+0x30/0x80 [ 2.029182] ? clear_bhb_loop+0x30/0x80 [ 2.029533] ? clear_bhb_loop+0x30/0x80 [ 2.029902] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 2.030423] RIP: 0033:0x79ce03d0d067 [ 2.030820] Code: b8 ff ff ff ff e9 3e ff ff ff 66 0f 1f 84 00 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 41 c3 48 83 ec 18 89 7c 24 0c e8 c3 a7 f8 ff [ 2.032354] RSP: 002b:00007ffef0498948 EFLAGS: 00000246 ORIG_RAX: 0000000000000003 [ 2.032939] RAX: ffffffffffffffda RBX: 00007ffef0498960 RCX: 000079ce03d0d067 [ 2.033612] RDX: 0000000000000003 RSI: 0000000000001000 RDI: 000000000000000d [ 2.034289] RBP: 00007ffef0498a30 R08: 000000000000000d R09: 0000000000000000 [ 2.034944] R10: 00007ffef0498978 R11: 0000000000000246 R12: 0000000000000001 [ 2.035610] R13: 00007ffef0498960 R14: 000079ce03e09ce0 R15: 0000000000000003 [ 2.036301] </TASK> [ 2.036532] ---[ end trace 0000000000000000 ]--- | 2025-07-25 | not yet calculated | CVE-2025-38357 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix race between async reclaim worker and close_ctree() Syzbot reported an assertion failure due to an attempt to add a delayed iput after we have set BTRFS_FS_STATE_NO_DELAYED_IPUT in the fs_info state: WARNING: CPU: 0 PID: 65 at fs/btrfs/inode.c:3420 btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420 Modules linked in: CPU: 0 UID: 0 PID: 65 Comm: kworker/u8:4 Not tainted 6.15.0-next-20250530-syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: btrfs-endio-write btrfs_work_helper RIP: 0010:btrfs_add_delayed_iput+0x2f8/0x370 fs/btrfs/inode.c:3420 Code: 4e ad 5d (...) RSP: 0018:ffffc9000213f780 EFLAGS: 00010293 RAX: ffffffff83c635b7 RBX: ffff888058920000 RCX: ffff88801c769e00 RDX: 0000000000000000 RSI: 0000000000000100 RDI: 0000000000000000 RBP: 0000000000000001 R08: ffff888058921b67 R09: 1ffff1100b12436c R10: dffffc0000000000 R11: ffffed100b12436d R12: 0000000000000001 R13: dffffc0000000000 R14: ffff88807d748000 R15: 0000000000000100 FS: 0000000000000000(0000) GS:ffff888125c53000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00002000000bd038 CR3: 000000006a142000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> btrfs_put_ordered_extent+0x19f/0x470 fs/btrfs/ordered-data.c:635 btrfs_finish_one_ordered+0x11d8/0x1b10 fs/btrfs/inode.c:3312 btrfs_work_helper+0x399/0xc20 fs/btrfs/async-thread.c:312 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x70e/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> This can happen due to a race with the async reclaim worker like this: 1) The async metadata reclaim worker enters shrink_delalloc(), which calls btrfs_start_delalloc_roots() with an nr_pages argument that has a value less than LONG_MAX, and that in turn enters start_delalloc_inodes(), which sets the local variable 'full_flush' to false because wbc->nr_to_write is less than LONG_MAX; 2) There it finds inode X in a root's delalloc list, grabs a reference for inode X (with igrab()), and triggers writeback for it with filemap_fdatawrite_wbc(), which creates an ordered extent for inode X; 3) The unmount sequence starts from another task, we enter close_ctree() and we flush the workqueue fs_info->endio_write_workers, which waits for the ordered extent for inode X to complete and when dropping the last reference of the ordered extent, with btrfs_put_ordered_extent(), when we call btrfs_add_delayed_iput() we don't add the inode to the list of delayed iputs because it has a refcount of 2, so we decrement it to 1 and return; 4) Shortly after at close_ctree() we call btrfs_run_delayed_iputs() which runs all delayed iputs, and then we set BTRFS_FS_STATE_NO_DELAYED_IPUT in the fs_info state; 5) The async reclaim worker, after calling filemap_fdatawrite_wbc(), now calls btrfs_add_delayed_iput() for inode X and there we trigger an assertion failure since the fs_info state has the flag BTRFS_FS_STATE_NO_DELAYED_IPUT set. Fix this by setting BTRFS_FS_STATE_NO_DELAYED_IPUT only after we wait for the async reclaim workers to finish, after we call cancel_work_sync() for them at close_ctree(), and by running delayed iputs after wait for the reclaim workers to finish and before setting the bit. This race was recently introduced by commit 19e60b2a95f5 ("btrfs: add extra warning if delayed iput is added when it's not allowed"). Without the new validation at btrfs_add_delayed_iput(), ---truncated--- | 2025-07-25 | not yet calculated | CVE-2025-38358 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/mm: Fix in_atomic() handling in do_secure_storage_access() Kernel user spaces accesses to not exported pages in atomic context incorrectly try to resolve the page fault. With debug options enabled call traces like this can be seen: BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:1523 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 419074, name: qemu-system-s39 preempt_count: 1, expected: 0 RCU nest depth: 0, expected: 0 INFO: lockdep is turned off. Preemption disabled at: [<00000383ea47cfa2>] copy_page_from_iter_atomic+0xa2/0x8a0 CPU: 12 UID: 0 PID: 419074 Comm: qemu-system-s39 Tainted: G W 6.16.0-20250531.rc0.git0.69b3a602feac.63.fc42.s390x+debug #1 PREEMPT Tainted: [W]=WARN Hardware name: IBM 3931 A01 703 (LPAR) Call Trace: [<00000383e990d282>] dump_stack_lvl+0xa2/0xe8 [<00000383e99bf152>] __might_resched+0x292/0x2d0 [<00000383eaa7c374>] down_read+0x34/0x2d0 [<00000383e99432f8>] do_secure_storage_access+0x108/0x360 [<00000383eaa724b0>] __do_pgm_check+0x130/0x220 [<00000383eaa842e4>] pgm_check_handler+0x114/0x160 [<00000383ea47d028>] copy_page_from_iter_atomic+0x128/0x8a0 ([<00000383ea47d016>] copy_page_from_iter_atomic+0x116/0x8a0) [<00000383e9c45eae>] generic_perform_write+0x16e/0x310 [<00000383e9eb87f4>] ext4_buffered_write_iter+0x84/0x160 [<00000383e9da0de4>] vfs_write+0x1c4/0x460 [<00000383e9da123c>] ksys_write+0x7c/0x100 [<00000383eaa7284e>] __do_syscall+0x15e/0x280 [<00000383eaa8417e>] system_call+0x6e/0x90 INFO: lockdep is turned off. It is not allowed to take the mmap_lock while in atomic context. Therefore handle such a secure storage access fault as if the accessed page is not mapped: the uaccess function will return -EFAULT, and the caller has to deal with this. Usually this means that the access is retried in process context, which allows to resolve the page fault (or in this case export the page). | 2025-07-25 | not yet calculated | CVE-2025-38359 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add more checks for DSC / HUBP ONO guarantees [WHY] For non-zero DSC instances it's possible that the HUBP domain required to drive it for sequential ONO ASICs isn't met, potentially causing the logic to the tile to enter an undefined state leading to a system hang. [HOW] Add more checks to ensure that the HUBP domain matching the DSC instance is appropriately powered. (cherry picked from commit da63df07112e5a9857a8d2aaa04255c4206754ec) | 2025-07-25 | not yet calculated | CVE-2025-38360 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check dce_hwseq before dereferencing it [WHAT] hws was checked for null earlier in dce110_blank_stream, indicating hws can be null, and should be checked whenever it is used. (cherry picked from commit 79db43611ff61280b6de58ce1305e0b2ecf675ad) | 2025-07-25 | not yet calculated | CVE-2025-38361 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check for get_first_active_display() The function mod_hdcp_hdcp1_enable_encryption() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointer dereference in mod_hdcp_hdcp2_enable_encryption(). Add a null pointer check for get_first_active_display() and return MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null. | 2025-07-25 | not yet calculated | CVE-2025-38362 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/tegra: Fix a possible null pointer dereference In tegra_crtc_reset(), new memory is allocated with kzalloc(), but no check is performed. Before calling __drm_atomic_helper_crtc_reset, state should be checked to prevent possible null pointer dereference. | 2025-07-25 | not yet calculated | CVE-2025-38363 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() Temporarily clear the preallocation flag when explicitly requesting allocations. Pre-existing allocations are already counted against the request through mas_node_count_gfp(), but the allocations will not happen if the MA_STATE_PREALLOC flag is set. This flag is meant to avoid re-allocating in bulk allocation mode, and to detect issues with preallocation calculations. The MA_STATE_PREALLOC flag should also always be set on zero allocations so that detection of underflow allocations will print a WARN_ON() during consumption. User visible effect of this flaw is a WARN_ON() followed by a null pointer dereference when subsequent requests for larger number of nodes is ignored, such as the vma merge retry in mmap_region() caused by drivers altering the vma flags (which happens in v6.6, at least) | 2025-07-25 | not yet calculated | CVE-2025-38364 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix a race between renames and directory logging We have a race between a rename and directory inode logging that if it happens and we crash/power fail before the rename completes, the next time the filesystem is mounted, the log replay code will end up deleting the file that was being renamed. This is best explained following a step by step analysis of an interleaving of steps that lead into this situation. Consider the initial conditions: 1) We are at transaction N; 2) We have directories A and B created in a past transaction (< N); 3) We have inode X corresponding to a file that has 2 hardlinks, one in directory A and the other in directory B, so we'll name them as "A/foo_link1" and "B/foo_link2". Both hard links were persisted in a past transaction (< N); 4) We have inode Y corresponding to a file that as a single hard link and is located in directory A, we'll name it as "A/bar". This file was also persisted in a past transaction (< N). The steps leading to a file loss are the following and for all of them we are under transaction N: 1) Link "A/foo_link1" is removed, so inode's X last_unlink_trans field is updated to N, through btrfs_unlink() -> btrfs_record_unlink_dir(); 2) Task A starts a rename for inode Y, with the goal of renaming from "A/bar" to "A/baz", so we enter btrfs_rename(); 3) Task A inserts the new BTRFS_INODE_REF_KEY for inode Y by calling btrfs_insert_inode_ref(); 4) Because the rename happens in the same directory, we don't set the last_unlink_trans field of directoty A's inode to the current transaction id, that is, we don't cal btrfs_record_unlink_dir(); 5) Task A then removes the entries from directory A (BTRFS_DIR_ITEM_KEY and BTRFS_DIR_INDEX_KEY items) when calling __btrfs_unlink_inode() (actually the dir index item is added as a delayed item, but the effect is the same); 6) Now before task A adds the new entry "A/baz" to directory A by calling btrfs_add_link(), another task, task B is logging inode X; 7) Task B starts a fsync of inode X and after logging inode X, at btrfs_log_inode_parent() it calls btrfs_log_all_parents(), since inode X has a last_unlink_trans value of N, set at in step 1; 8) At btrfs_log_all_parents() we search for all parent directories of inode X using the commit root, so we find directories A and B and log them. Bu when logging direct A, we don't have a dir index item for inode Y anymore, neither the old name "A/bar" nor for the new name "A/baz" since the rename has deleted the old name but has not yet inserted the new name - task A hasn't called yet btrfs_add_link() to do that. Note that logging directory A doesn't fallback to a transaction commit because its last_unlink_trans has a lower value than the current transaction's id (see step 4); 9) Task B finishes logging directories A and B and gets back to btrfs_sync_file() where it calls btrfs_sync_log() to persist the log tree; 10) Task B successfully persisted the log tree, btrfs_sync_log() completed with success, and a power failure happened. We have a log tree without any directory entry for inode Y, so the log replay code deletes the entry for inode Y, name "A/bar", from the subvolume tree since it doesn't exist in the log tree and the log tree is authorative for its index (we logged a BTRFS_DIR_LOG_INDEX_KEY item that covers the index range for the dentry that corresponds to "A/bar"). Since there's no other hard link for inode Y and the log replay code deletes the name "A/bar", the file is lost. The issue wouldn't happen if task B synced the log only after task A called btrfs_log_new_name(), which would update the log with the new name for inode Y ("A/bar"). Fix this by pinning the log root during renames before removing the old directory entry, and unpinning af ---truncated--- | 2025-07-25 | not yet calculated | CVE-2025-38365 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Check validity of "num_cpu" from user space The maximum supported cpu number is EIOINTC_ROUTE_MAX_VCPUS about irqchip EIOINTC, here add validation about cpu number to avoid array pointer overflow. | 2025-07-25 | not yet calculated | CVE-2025-38366 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Avoid overflow with array index The variable index is modified and reused as array index when modify register EIOINTC_ENABLE. There will be array index overflow problem. | 2025-07-25 | not yet calculated | CVE-2025-38367 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe() The returned value, pfsm->miscdev.name, from devm_kasprintf() could be NULL. A pointer check is added to prevent potential NULL pointer dereference. This is similar to the fix in commit 3027e7b15b02 ("ice: Fix some null pointer dereference issues in ice_ptp.c"). This issue is found by our static analysis tool. | 2025-07-25 | not yet calculated | CVE-2025-38368 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using Running IDXD workloads in a container with the /dev directory mounted can trigger a call trace or even a kernel panic when the parent process of the container is terminated. This issue occurs because, under certain configurations, Docker does not properly propagate the mount replica back to the original mount point. In this case, when the user driver detaches, the WQ is destroyed but it still calls destroy_workqueue() attempting to completes all pending work. It's necessary to check wq->wq and skip the drain if it no longer exists. | 2025-07-25 | not yet calculated | CVE-2025-38369 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix failure to rebuild free space tree using multiple transactions If we are rebuilding a free space tree, while modifying the free space tree we may need to allocate a new metadata block group. If we end up using multiple transactions for the rebuild, when we call btrfs_end_transaction() we enter btrfs_create_pending_block_groups() which calls add_block_group_free_space() to add items to the free space tree for the block group. Then later during the free space tree rebuild, at btrfs_rebuild_free_space_tree(), we may find such new block groups and call populate_free_space_tree() for them, which fails with -EEXIST because there are already items in the free space tree. Then we abort the transaction with -EEXIST at btrfs_rebuild_free_space_tree(). Notice that we say "may find" the new block groups because a new block group may be inserted in the block groups rbtree, which is being iterated by the rebuild process, before or after the current node where the rebuild process is currently at. Syzbot recently reported such case which produces a trace like the following: ------------[ cut here ]------------ BTRFS: Transaction aborted (error -17) WARNING: CPU: 1 PID: 7626 at fs/btrfs/free-space-tree.c:1341 btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341 Modules linked in: CPU: 1 UID: 0 PID: 7626 Comm: syz.2.25 Not tainted 6.15.0-rc7-syzkaller-00085-gd7fa1af5b33e-dirty #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341 lr : btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341 sp : ffff80009c4f7740 x29: ffff80009c4f77b0 x28: ffff0000d4c3f400 x27: 0000000000000000 x26: dfff800000000000 x25: ffff70001389eee8 x24: 0000000000000003 x23: 1fffe000182b6e7b x22: 0000000000000000 x21: ffff0000c15b73d8 x20: 00000000ffffffef x19: ffff0000c15b7378 x18: 1fffe0003386f276 x17: ffff80008f31e000 x16: ffff80008adbe98c x15: 0000000000000001 x14: 1fffe0001b281550 x13: 0000000000000000 x12: 0000000000000000 x11: ffff60001b281551 x10: 0000000000000003 x9 : 1c8922000a902c00 x8 : 1c8922000a902c00 x7 : ffff800080485878 x6 : 0000000000000000 x5 : 0000000000000001 x4 : 0000000000000001 x3 : ffff80008047843c x2 : 0000000000000001 x1 : ffff80008b3ebc40 x0 : 0000000000000001 Call trace: btrfs_rebuild_free_space_tree+0x470/0x54c fs/btrfs/free-space-tree.c:1341 (P) btrfs_start_pre_rw_mount+0xa78/0xe10 fs/btrfs/disk-io.c:3074 btrfs_remount_rw fs/btrfs/super.c:1319 [inline] btrfs_reconfigure+0x828/0x2418 fs/btrfs/super.c:1543 reconfigure_super+0x1d4/0x6f0 fs/super.c:1083 do_remount fs/namespace.c:3365 [inline] path_mount+0xb34/0xde0 fs/namespace.c:4200 do_mount fs/namespace.c:4221 [inline] __do_sys_mount fs/namespace.c:4432 [inline] __se_sys_mount fs/namespace.c:4409 [inline] __arm64_sys_mount+0x3e8/0x468 fs/namespace.c:4409 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 irq event stamp: 330 hardirqs last enabled at (329): [<ffff80008048590c>] raw_spin_rq_unlock_irq kernel/sched/sched.h:1525 [inline] hardirqs last enabled at (329): [<ffff80008048590c>] finish_lock_switch+0xb0/0x1c0 kernel/sched/core.c:5130 hardirqs last disabled at (330): [<ffff80008adb9e60>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:511 softirqs last enabled at (10): [<ffff8000801fbf10>] local_bh_enable+0 ---truncated--- | 2025-07-25 | not yet calculated | CVE-2025-38370 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Disable interrupts before resetting the GPU Currently, an interrupt can be triggered during a GPU reset, which can lead to GPU hangs and NULL pointer dereference in an interrupt context as shown in the following trace: [ 314.035040] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000c0 [ 314.043822] Mem abort info: [ 314.046606] ESR = 0x0000000096000005 [ 314.050347] EC = 0x25: DABT (current EL), IL = 32 bits [ 314.055651] SET = 0, FnV = 0 [ 314.058695] EA = 0, S1PTW = 0 [ 314.061826] FSC = 0x05: level 1 translation fault [ 314.066694] Data abort info: [ 314.069564] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 314.075039] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 314.080080] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 314.085382] user pgtable: 4k pages, 39-bit VAs, pgdp=0000000102728000 [ 314.091814] [00000000000000c0] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 314.100511] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 314.106770] Modules linked in: v3d i2c_brcmstb vc4 snd_soc_hdmi_codec gpu_sched drm_shmem_helper drm_display_helper cec drm_dma_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm snd_timer snd backlight [ 314.129654] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1 [ 314.139388] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT) [ 314.145211] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 314.152165] pc : v3d_irq+0xec/0x2e0 [v3d] [ 314.156187] lr : v3d_irq+0xe0/0x2e0 [v3d] [ 314.160198] sp : ffffffc080003ea0 [ 314.163502] x29: ffffffc080003ea0 x28: ffffffec1f184980 x27: 021202b000000000 [ 314.170633] x26: ffffffec1f17f630 x25: ffffff8101372000 x24: ffffffec1f17d9f0 [ 314.177764] x23: 000000000000002a x22: 000000000000002a x21: ffffff8103252000 [ 314.184895] x20: 0000000000000001 x19: 00000000deadbeef x18: 0000000000000000 [ 314.192026] x17: ffffff94e51d2000 x16: ffffffec1dac3cb0 x15: c306000000000000 [ 314.199156] x14: 0000000000000000 x13: b2fc982e03cc5168 x12: 0000000000000001 [ 314.206286] x11: ffffff8103f8bcc0 x10: ffffffec1f196868 x9 : ffffffec1dac3874 [ 314.213416] x8 : 0000000000000000 x7 : 0000000000042a3a x6 : ffffff810017a180 [ 314.220547] x5 : ffffffec1ebad400 x4 : ffffffec1ebad320 x3 : 00000000000bebeb [ 314.227677] x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 [ 314.234807] Call trace: [ 314.237243] v3d_irq+0xec/0x2e0 [v3d] [ 314.240906] __handle_irq_event_percpu+0x58/0x218 [ 314.245609] handle_irq_event+0x54/0xb8 [ 314.249439] handle_fasteoi_irq+0xac/0x240 [ 314.253527] handle_irq_desc+0x48/0x68 [ 314.257269] generic_handle_domain_irq+0x24/0x38 [ 314.261879] gic_handle_irq+0x48/0xd8 [ 314.265533] call_on_irq_stack+0x24/0x58 [ 314.269448] do_interrupt_handler+0x88/0x98 [ 314.273624] el1_interrupt+0x34/0x68 [ 314.277193] el1h_64_irq_handler+0x18/0x28 [ 314.281281] el1h_64_irq+0x64/0x68 [ 314.284673] default_idle_call+0x3c/0x168 [ 314.288675] do_idle+0x1fc/0x230 [ 314.291895] cpu_startup_entry+0x3c/0x50 [ 314.295810] rest_init+0xe4/0xf0 [ 314.299030] start_kernel+0x5e8/0x790 [ 314.302684] __primary_switched+0x80/0x90 [ 314.306691] Code: 940029eb 360ffc13 f9442ea0 52800001 (f9406017) [ 314.312775] ---[ end trace 0000000000000000 ]--- [ 314.317384] Kernel panic - not syncing: Oops: Fatal exception in interrupt [ 314.324249] SMP: stopping secondary CPUs [ 314.328167] Kernel Offset: 0x2b9da00000 from 0xffffffc080000000 [ 314.334076] PHYS_OFFSET: 0x0 [ 314.336946] CPU features: 0x08,00002013,c0200000,0200421b [ 314.342337] Memory Limit: none [ 314.345382] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- Before resetting the G ---truncated--- | 2025-07-25 | not yet calculated | CVE-2025-38371 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix unsafe xarray access in implicit ODP handling __xa_store() and __xa_erase() were used without holding the proper lock, which led to a lockdep warning due to unsafe RCU usage. This patch replaces them with xa_store() and xa_erase(), which perform the necessary locking internally. ============================= WARNING: suspicious RCPU usage 6.14.0-rc7_for_upstream_debug_2025_03_18_15_01 #1 Not tainted ----------------------------- ./include/linux/xarray.h:1211 suspicious rcu_dereference_protected() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 3 locks held by kworker/u136:0/219: at: process_one_work+0xbe4/0x15f0 process_one_work+0x75c/0x15f0 pagefault_mr+0x9a5/0x1390 [mlx5_ib] stack backtrace: CPU: 14 UID: 0 PID: 219 Comm: kworker/u136:0 Not tainted 6.14.0-rc7_for_upstream_debug_2025_03_18_15_01 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib] Call Trace: dump_stack_lvl+0xa8/0xc0 lockdep_rcu_suspicious+0x1e6/0x260 xas_create+0xb8a/0xee0 xas_store+0x73/0x14c0 __xa_store+0x13c/0x220 ? xa_store_range+0x390/0x390 ? spin_bug+0x1d0/0x1d0 pagefault_mr+0xcb5/0x1390 [mlx5_ib] ? _raw_spin_unlock+0x1f/0x30 mlx5_ib_eqe_pf_action+0x3be/0x2620 [mlx5_ib] ? lockdep_hardirqs_on_prepare+0x400/0x400 ? mlx5_ib_invalidate_range+0xcb0/0xcb0 [mlx5_ib] process_one_work+0x7db/0x15f0 ? pwq_dec_nr_in_flight+0xda0/0xda0 ? assign_work+0x168/0x240 worker_thread+0x57d/0xcd0 ? rescuer_thread+0xc40/0xc40 kthread+0x3b3/0x800 ? kthread_is_per_cpu+0xb0/0xb0 ? lock_downgrade+0x680/0x680 ? do_raw_spin_lock+0x12d/0x270 ? spin_bug+0x1d0/0x1d0 ? finish_task_switch.isra.0+0x284/0x9e0 ? lockdep_hardirqs_on_prepare+0x284/0x400 ? kthread_is_per_cpu+0xb0/0xb0 ret_from_fork+0x2d/0x70 ? kthread_is_per_cpu+0xb0/0xb0 ret_from_fork_asm+0x11/0x20 | 2025-07-25 | not yet calculated | CVE-2025-38372 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: IB/mlx5: Fix potential deadlock in MR deregistration The issue arises when kzalloc() is invoked while holding umem_mutex or any other lock acquired under umem_mutex. This is problematic because kzalloc() can trigger fs_reclaim_aqcuire(), which may, in turn, invoke mmu_notifier_invalidate_range_start(). This function can lead to mlx5_ib_invalidate_range(), which attempts to acquire umem_mutex again, resulting in a deadlock. The problematic flow: CPU0 | CPU1 ---------------------------------------|------------------------------------------------ mlx5_ib_dereg_mr() | → revoke_mr() | → mutex_lock(&umem_odp->umem_mutex) | | mlx5_mkey_cache_init() | → mutex_lock(&dev->cache.rb_lock) | → mlx5r_cache_create_ent_locked() | → kzalloc(GFP_KERNEL) | → fs_reclaim() | → mmu_notifier_invalidate_range_start() | → mlx5_ib_invalidate_range() | → mutex_lock(&umem_odp->umem_mutex) → cache_ent_find_and_store() | → mutex_lock(&dev->cache.rb_lock) | Additionally, when kzalloc() is called from within cache_ent_find_and_store(), we encounter the same deadlock due to re-acquisition of umem_mutex. Solve by releasing umem_mutex in dereg_mr() after umr_revoke_mr() and before acquiring rb_lock. This ensures that we don't hold umem_mutex while performing memory allocations that could trigger the reclaim path. This change prevents the deadlock by ensuring proper lock ordering and avoiding holding locks during memory allocation operations that could trigger the reclaim path. The following lockdep warning demonstrates the deadlock: python3/20557 is trying to acquire lock: ffff888387542128 (&umem_odp->umem_mutex){+.+.}-{4:4}, at: mlx5_ib_invalidate_range+0x5b/0x550 [mlx5_ib] but task is already holding lock: ffffffff82f6b840 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}, at: unmap_vmas+0x7b/0x1a0 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (mmu_notifier_invalidate_range_start){+.+.}-{0:0}: fs_reclaim_acquire+0x60/0xd0 mem_cgroup_css_alloc+0x6f/0x9b0 cgroup_init_subsys+0xa4/0x240 cgroup_init+0x1c8/0x510 start_kernel+0x747/0x760 x86_64_start_reservations+0x25/0x30 x86_64_start_kernel+0x73/0x80 common_startup_64+0x129/0x138 -> #2 (fs_reclaim){+.+.}-{0:0}: fs_reclaim_acquire+0x91/0xd0 __kmalloc_cache_noprof+0x4d/0x4c0 mlx5r_cache_create_ent_locked+0x75/0x620 [mlx5_ib] mlx5_mkey_cache_init+0x186/0x360 [mlx5_ib] mlx5_ib_stage_post_ib_reg_umr_init+0x3c/0x60 [mlx5_ib] __mlx5_ib_add+0x4b/0x190 [mlx5_ib] mlx5r_probe+0xd9/0x320 [mlx5_ib] auxiliary_bus_probe+0x42/0x70 really_probe+0xdb/0x360 __driver_probe_device+0x8f/0x130 driver_probe_device+0x1f/0xb0 __driver_attach+0xd4/0x1f0 bus_for_each_dev+0x79/0xd0 bus_add_driver+0xf0/0x200 driver_register+0x6e/0xc0 __auxiliary_driver_register+0x6a/0xc0 do_one_initcall+0x5e/0x390 do_init_module+0x88/0x240 init_module_from_file+0x85/0xc0 idempotent_init_module+0x104/0x300 __x64_sys_finit_module+0x68/0xc0 do_syscall_64+0x6d/0x140 entry_SYSCALL_64_after_hwframe+0x4b/0x53 -> #1 (&dev->cache.rb_lock){+.+.}-{4:4}: __mutex_lock+0x98/0xf10 __mlx5_ib_dereg_mr+0x6f2/0x890 [mlx5_ib] mlx5_ib_dereg_mr+0x21/0x110 [mlx5_ib] ib_dereg_mr_user+0x85/0x1f0 [ib_core] ---truncated--- | 2025-07-25 | not yet calculated | CVE-2025-38373 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: optee: ffa: fix sleep in atomic context The OP-TEE driver registers the function notif_callback() for FF-A notifications. However, this function is called in an atomic context leading to errors like this when processing asynchronous notifications: | BUG: sleeping function called from invalid context at kernel/locking/mutex.c:258 | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 9, name: kworker/0:0 | preempt_count: 1, expected: 0 | RCU nest depth: 0, expected: 0 | CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.14.0-00019-g657536ebe0aa #13 | Hardware name: linux,dummy-virt (DT) | Workqueue: ffa_pcpu_irq_notification notif_pcpu_irq_work_fn | Call trace: | show_stack+0x18/0x24 (C) | dump_stack_lvl+0x78/0x90 | dump_stack+0x18/0x24 | __might_resched+0x114/0x170 | __might_sleep+0x48/0x98 | mutex_lock+0x24/0x80 | optee_get_msg_arg+0x7c/0x21c | simple_call_with_arg+0x50/0xc0 | optee_do_bottom_half+0x14/0x20 | notif_callback+0x3c/0x48 | handle_notif_callbacks+0x9c/0xe0 | notif_get_and_handle+0x40/0x88 | generic_exec_single+0x80/0xc0 | smp_call_function_single+0xfc/0x1a0 | notif_pcpu_irq_work_fn+0x2c/0x38 | process_one_work+0x14c/0x2b4 | worker_thread+0x2e4/0x3e0 | kthread+0x13c/0x210 | ret_from_fork+0x10/0x20 Fix this by adding work queue to process the notification in a non-atomic context. | 2025-07-25 | not yet calculated | CVE-2025-38374 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virtio-net: ensure the received length does not exceed allocated size In xdp_linearize_page, when reading the following buffers from the ring, we forget to check the received length with the true allocate size. This can lead to an out-of-bound read. This commit adds that missing check. | 2025-07-25 | not yet calculated | CVE-2025-38375 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume Shawn and John reported a hang issue during system suspend as below: - USB gadget is enabled as Ethernet - There is data transfer over USB Ethernet (scp a big file between host and device) - Device is going in/out suspend (echo mem > /sys/power/state) The root cause is the USB device controller is suspended but the USB bus is still active which caused the USB host continues to transfer data with device and the device continues to queue USB requests (in this case, a delayed TCP ACK packet trigger the issue) after controller is suspended, however the USB controller clock is already gated off. Then if udc driver access registers after that point, the system will hang. The correct way to avoid such issue is to disconnect device from host when the USB bus is not at suspend state. Then the host will receive disconnect event and stop data transfer in time. To continue make USB gadget device work after system resume, this will reconnect device automatically. To make usb wakeup work if USB bus is already at suspend state, this will keep connection for it only when USB device controller has enabled wakeup capability. | 2025-07-25 | not yet calculated | CVE-2025-38376 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: rose: fix dangling neighbour pointers in rose_rt_device_down() There are two bugs in rose_rt_device_down() that can cause use-after-free: 1. The loop bound `t->count` is modified within the loop, which can cause the loop to terminate early and miss some entries. 2. When removing an entry from the neighbour array, the subsequent entries are moved up to fill the gap, but the loop index `i` is still incremented, causing the next entry to be skipped. For example, if a node has three neighbours (A, A, B) with count=3 and A is being removed, the second A is not checked. i=0: (A, A, B) -> (A, B) with count=2 ^ checked i=1: (A, B) -> (A, B) with count=2 ^ checked (B, not A!) i=2: (doesn't occur because i < count is false) This leaves the second A in the array with count=2, but the rose_neigh structure has been freed. Code that accesses these entries assumes that the first `count` entries are valid pointers, causing a use-after-free when it accesses the dangling pointer. Fix both issues by iterating over the array in reverse order with a fixed loop bound. This ensures that all entries are examined and that the removal of an entry doesn't affect subsequent iterations. | 2025-07-25 | not yet calculated | CVE-2025-38377 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe In probe appletb_kbd_probe() a "struct appletb_kbd *kbd" is allocated via devm_kzalloc() to store touch bar keyboard related data. Later on if backlight_device_get_by_name() finds a backlight device with name "appletb_backlight" a timer (kbd->inactivity_timer) is setup with appletb_inactivity_timer() and the timer is armed to run after appletb_tb_dim_timeout (60) seconds. A use-after-free is triggered when failure occurs after the timer is armed. This ultimately means probe failure occurs and as a result the "struct appletb_kbd *kbd" which is device managed memory is freed. After 60 seconds the timer will have expired and __run_timers will attempt to access the timer (kbd->inactivity_timer) however the kdb structure has been freed causing a use-after free. [ 71.636938] ================================================================== [ 71.637915] BUG: KASAN: slab-use-after-free in __run_timers+0x7ad/0x890 [ 71.637915] Write of size 8 at addr ffff8881178c5958 by task swapper/1/0 [ 71.637915] [ 71.637915] CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.16.0-rc2-00318-g739a6c93cc75-dirty #12 PREEMPT(voluntary) [ 71.637915] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 71.637915] Call Trace: [ 71.637915] <IRQ> [ 71.637915] dump_stack_lvl+0x53/0x70 [ 71.637915] print_report+0xce/0x670 [ 71.637915] ? __run_timers+0x7ad/0x890 [ 71.637915] kasan_report+0xce/0x100 [ 71.637915] ? __run_timers+0x7ad/0x890 [ 71.637915] __run_timers+0x7ad/0x890 [ 71.637915] ? __pfx___run_timers+0x10/0x10 [ 71.637915] ? update_process_times+0xfc/0x190 [ 71.637915] ? __pfx_update_process_times+0x10/0x10 [ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0 [ 71.637915] ? _raw_spin_lock_irq+0x80/0xe0 [ 71.637915] ? __pfx__raw_spin_lock_irq+0x10/0x10 [ 71.637915] run_timer_softirq+0x141/0x240 [ 71.637915] ? __pfx_run_timer_softirq+0x10/0x10 [ 71.637915] ? __pfx___hrtimer_run_queues+0x10/0x10 [ 71.637915] ? kvm_clock_get_cycles+0x18/0x30 [ 71.637915] ? ktime_get+0x60/0x140 [ 71.637915] handle_softirqs+0x1b8/0x5c0 [ 71.637915] ? __pfx_handle_softirqs+0x10/0x10 [ 71.637915] irq_exit_rcu+0xaf/0xe0 [ 71.637915] sysvec_apic_timer_interrupt+0x6c/0x80 [ 71.637915] </IRQ> [ 71.637915] [ 71.637915] Allocated by task 39: [ 71.637915] kasan_save_stack+0x33/0x60 [ 71.637915] kasan_save_track+0x14/0x30 [ 71.637915] __kasan_kmalloc+0x8f/0xa0 [ 71.637915] __kmalloc_node_track_caller_noprof+0x195/0x420 [ 71.637915] devm_kmalloc+0x74/0x1e0 [ 71.637915] appletb_kbd_probe+0x37/0x3c0 [ 71.637915] hid_device_probe+0x2d1/0x680 [ 71.637915] really_probe+0x1c3/0x690 [ 71.637915] __driver_probe_device+0x247/0x300 [ 71.637915] driver_probe_device+0x49/0x210 [...] [ 71.637915] [ 71.637915] Freed by task 39: [ 71.637915] kasan_save_stack+0x33/0x60 [ 71.637915] kasan_save_track+0x14/0x30 [ 71.637915] kasan_save_free_info+0x3b/0x60 [ 71.637915] __kasan_slab_free+0x37/0x50 [ 71.637915] kfree+0xcf/0x360 [ 71.637915] devres_release_group+0x1f8/0x3c0 [ 71.637915] hid_device_probe+0x315/0x680 [ 71.637915] really_probe+0x1c3/0x690 [ 71.637915] __driver_probe_device+0x247/0x300 [ 71.637915] driver_probe_device+0x49/0x210 [...] The root cause of the issue is that the timer is not disarmed on failure paths leading to it remaining active and accessing freed memory. To fix this call timer_delete_sync() to deactivate the timer. Another small issue is that timer_delete_sync is called unconditionally in appletb_kbd_remove(), fix this by checking for a valid kbd->backlight_dev before calling timer_delete_sync. | 2025-07-25 | not yet calculated | CVE-2025-38378 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix warning when reconnecting channel When reconnecting a channel in smb2_reconnect_server(), a dummy tcon is passed down to smb2_reconnect() with ->query_interface uninitialized, so we can't call queue_delayed_work() on it. Fix the following warning by ensuring that we're queueing the delayed worker from correct tcon. WARNING: CPU: 4 PID: 1126 at kernel/workqueue.c:2498 __queue_delayed_work+0x1d2/0x200 Modules linked in: cifs cifs_arc4 nls_ucs2_utils cifs_md4 [last unloaded: cifs] CPU: 4 UID: 0 PID: 1126 Comm: kworker/4:0 Not tainted 6.16.0-rc3 #5 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-4.fc42 04/01/2014 Workqueue: cifsiod smb2_reconnect_server [cifs] RIP: 0010:__queue_delayed_work+0x1d2/0x200 Code: 41 5e 41 5f e9 7f ee ff ff 90 0f 0b 90 e9 5d ff ff ff bf 02 00 00 00 e8 6c f3 07 00 89 c3 eb bd 90 0f 0b 90 e9 57 f> 0b 90 e9 65 fe ff ff 90 0f 0b 90 e9 72 fe ff ff 90 0f 0b 90 e9 RSP: 0018:ffffc900014afad8 EFLAGS: 00010003 RAX: 0000000000000000 RBX: ffff888124d99988 RCX: ffffffff81399cc1 RDX: dffffc0000000000 RSI: ffff888114326e00 RDI: ffff888124d999f0 RBP: 000000000000ea60 R08: 0000000000000001 R09: ffffed10249b3331 R10: ffff888124d9998f R11: 0000000000000004 R12: 0000000000000040 R13: ffff888114326e00 R14: ffff888124d999d8 R15: ffff888114939020 FS: 0000000000000000(0000) GS:ffff88829f7fe000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe7a2b4038 CR3: 0000000120a6f000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: <TASK> queue_delayed_work_on+0xb4/0xc0 smb2_reconnect+0xb22/0xf50 [cifs] smb2_reconnect_server+0x413/0xd40 [cifs] ? __pfx_smb2_reconnect_server+0x10/0x10 [cifs] ? local_clock_noinstr+0xd/0xd0 ? local_clock+0x15/0x30 ? lock_release+0x29b/0x390 process_one_work+0x4c5/0xa10 ? __pfx_process_one_work+0x10/0x10 ? __list_add_valid_or_report+0x37/0x120 worker_thread+0x2f1/0x5a0 ? __kthread_parkme+0xde/0x100 ? __pfx_worker_thread+0x10/0x10 kthread+0x1fe/0x380 ? kthread+0x10f/0x380 ? __pfx_kthread+0x10/0x10 ? local_clock_noinstr+0xd/0xd0 ? ret_from_fork+0x1b/0x1f0 ? local_clock+0x15/0x30 ? lock_release+0x29b/0x390 ? rcu_is_watching+0x20/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x15b/0x1f0 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> irq event stamp: 1116206 hardirqs last enabled at (1116205): [<ffffffff8143af42>] __up_console_sem+0x52/0x60 hardirqs last disabled at (1116206): [<ffffffff81399f0e>] queue_delayed_work_on+0x6e/0xc0 softirqs last enabled at (1116138): [<ffffffffc04562fd>] __smb_send_rqst+0x42d/0x950 [cifs] softirqs last disabled at (1116136): [<ffffffff823d35e1>] release_sock+0x21/0xf0 | 2025-07-25 | not yet calculated | CVE-2025-38379 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i2c/designware: Fix an initialization issue The i2c_dw_xfer_init() function requires msgs and msg_write_idx from the dev context to be initialized. amd_i2c_dw_xfer_quirk() inits msgs and msgs_num, but not msg_write_idx. This could allow an out of bounds access (of msgs). Initialize msg_write_idx before calling i2c_dw_xfer_init(). | 2025-07-25 | not yet calculated | CVE-2025-38380 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: cs40l50-vibra - fix potential NULL dereference in cs40l50_upload_owt() The cs40l50_upload_owt() function allocates memory via kmalloc() without checking for allocation failure, which could lead to a NULL pointer dereference. Return -ENOMEM in case allocation fails. | 2025-07-25 | not yet calculated | CVE-2025-38381 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix iteration of extrefs during log replay At __inode_add_ref() when processing extrefs, if we jump into the next label we have an undefined value of victim_name.len, since we haven't initialized it before we did the goto. This results in an invalid memory access in the next iteration of the loop since victim_name.len was not initialized to the length of the name of the current extref. Fix this by initializing victim_name.len with the current extref's name length. | 2025-07-25 | not yet calculated | CVE-2025-38382 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/vmalloc: fix data race in show_numa_info() The following data-race was found in show_numa_info(): ================================================================== BUG: KCSAN: data-race in vmalloc_info_show / vmalloc_info_show read to 0xffff88800971fe30 of 4 bytes by task 8289 on cpu 0: show_numa_info mm/vmalloc.c:4936 [inline] vmalloc_info_show+0x5a8/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299 .... write to 0xffff88800971fe30 of 4 bytes by task 8287 on cpu 1: show_numa_info mm/vmalloc.c:4934 [inline] vmalloc_info_show+0x38f/0x7e0 mm/vmalloc.c:5016 seq_read_iter+0x373/0xb40 fs/seq_file.c:230 proc_reg_read_iter+0x11e/0x170 fs/proc/inode.c:299 .... value changed: 0x0000008f -> 0x00000000 ================================================================== According to this report,there is a read/write data-race because m->private is accessible to multiple CPUs. To fix this, instead of allocating the heap in proc_vmalloc_init() and passing the heap address to m->private, vmalloc_info_show() should allocate the heap. | 2025-07-25 | not yet calculated | CVE-2025-38383 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: spinand: fix memory leak of ECC engine conf Memory allocated for the ECC engine conf is not released during spinand cleanup. Below kmemleak trace is seen for this memory leak: unreferenced object 0xffffff80064f00e0 (size 8): comm "swapper/0", pid 1, jiffies 4294937458 hex dump (first 8 bytes): 00 00 00 00 00 00 00 00 ........ backtrace (crc 0): kmemleak_alloc+0x30/0x40 __kmalloc_cache_noprof+0x208/0x3c0 spinand_ondie_ecc_init_ctx+0x114/0x200 nand_ecc_init_ctx+0x70/0xa8 nanddev_ecc_engine_init+0xec/0x27c spinand_probe+0xa2c/0x1620 spi_mem_probe+0x130/0x21c spi_probe+0xf0/0x170 really_probe+0x17c/0x6e8 __driver_probe_device+0x17c/0x21c driver_probe_device+0x58/0x180 __device_attach_driver+0x15c/0x1f8 bus_for_each_drv+0xec/0x150 __device_attach+0x188/0x24c device_initial_probe+0x10/0x20 bus_probe_device+0x11c/0x160 Fix the leak by calling nanddev_ecc_engine_cleanup() inside spinand_cleanup(). | 2025-07-25 | not yet calculated | CVE-2025-38384 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect Remove redundant netif_napi_del() call from disconnect path. A WARN may be triggered in __netif_napi_del_locked() during USB device disconnect: WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350 This happens because netif_napi_del() is called in the disconnect path while NAPI is still enabled. However, it is not necessary to call netif_napi_del() explicitly, since unregister_netdev() will handle NAPI teardown automatically and safely. Removing the redundant call avoids triggering the warning. Full trace: lan78xx 1-1:1.0 enu1: Failed to read register index 0x000000c4. ret = -ENODEV lan78xx 1-1:1.0 enu1: Failed to set MAC down with error -ENODEV lan78xx 1-1:1.0 enu1: Link is Down lan78xx 1-1:1.0 enu1: Failed to read register index 0x00000120. ret = -ENODEV ------------[ cut here ]------------ WARNING: CPU: 0 PID: 11 at net/core/dev.c:7417 __netif_napi_del_locked+0x2b4/0x350 Modules linked in: flexcan can_dev fuse CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.0-rc2-00624-ge926949dab03 #9 PREEMPT Hardware name: SKOV IMX8MP CPU revC - bd500 (DT) Workqueue: usb_hub_wq hub_event pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __netif_napi_del_locked+0x2b4/0x350 lr : __netif_napi_del_locked+0x7c/0x350 sp : ffffffc085b673c0 x29: ffffffc085b673c0 x28: ffffff800b7f2000 x27: ffffff800b7f20d8 x26: ffffff80110bcf58 x25: ffffff80110bd978 x24: 1ffffff0022179eb x23: ffffff80110bc000 x22: ffffff800b7f5000 x21: ffffff80110bc000 x20: ffffff80110bcf38 x19: ffffff80110bcf28 x18: dfffffc000000000 x17: ffffffc081578940 x16: ffffffc08284cee0 x15: 0000000000000028 x14: 0000000000000006 x13: 0000000000040000 x12: ffffffb0022179e8 x11: 1ffffff0022179e7 x10: ffffffb0022179e7 x9 : dfffffc000000000 x8 : 0000004ffdde8619 x7 : ffffff80110bcf3f x6 : 0000000000000001 x5 : ffffff80110bcf38 x4 : ffffff80110bcf38 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 1ffffff0022179e7 x0 : 0000000000000000 Call trace: __netif_napi_del_locked+0x2b4/0x350 (P) lan78xx_disconnect+0xf4/0x360 usb_unbind_interface+0x158/0x718 device_remove+0x100/0x150 device_release_driver_internal+0x308/0x478 device_release_driver+0x1c/0x30 bus_remove_device+0x1a8/0x368 device_del+0x2e0/0x7b0 usb_disable_device+0x244/0x540 usb_disconnect+0x220/0x758 hub_event+0x105c/0x35e0 process_one_work+0x760/0x17b0 worker_thread+0x768/0xce8 kthread+0x3bc/0x690 ret_from_fork+0x10/0x20 irq event stamp: 211604 hardirqs last enabled at (211603): [<ffffffc0828cc9ec>] _raw_spin_unlock_irqrestore+0x84/0x98 hardirqs last disabled at (211604): [<ffffffc0828a9a84>] el1_dbg+0x24/0x80 softirqs last enabled at (211296): [<ffffffc080095f10>] handle_softirqs+0x820/0xbc8 softirqs last disabled at (210993): [<ffffffc080010288>] __do_softirq+0x18/0x20 ---[ end trace 0000000000000000 ]--- lan78xx 1-1:1.0 enu1: failed to kill vid 0081/0 | 2025-07-25 | not yet calculated | CVE-2025-38385 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPICA: Refuse to evaluate a method if arguments are missing As reported in [1], a platform firmware update that increased the number of method parameters and forgot to update a least one of its callers, caused ACPICA to crash due to use-after-free. Since this a result of a clear AML issue that arguably cannot be fixed up by the interpreter (it cannot produce missing data out of thin air), address it by making ACPICA refuse to evaluate a method if the caller attempts to pass fewer arguments than expected to it. | 2025-07-25 | not yet calculated | CVE-2025-38386 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert The obj_event may be loaded immediately after inserted, then if the list_head is not initialized then we may get a poisonous pointer. This fixes the crash below: mlx5_core 0000:03:00.0: MLX5E: StrdRq(1) RqSz(8) StrdSz(2048) RxCqeCmprss(0 enhanced) mlx5_core.sf mlx5_core.sf.4: firmware version: 32.38.3056 mlx5_core 0000:03:00.0 en3f0pf0sf2002: renamed from eth0 mlx5_core.sf mlx5_core.sf.4: Rate limit: 127 rates are supported, range: 0Mbps to 195312Mbps IPv6: ADDRCONF(NETDEV_CHANGE): en3f0pf0sf2002: link becomes ready Unable to handle kernel NULL pointer dereference at virtual address 0000000000000060 Mem abort info: ESR = 0x96000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=00000007760fb000 [0000000000000060] pgd=000000076f6d7003, p4d=000000076f6d7003, pud=0000000777841003, pmd=0000000000000000 Internal error: Oops: 96000006 [#1] SMP Modules linked in: ipmb_host(OE) act_mirred(E) cls_flower(E) sch_ingress(E) mptcp_diag(E) udp_diag(E) raw_diag(E) unix_diag(E) tcp_diag(E) inet_diag(E) binfmt_misc(E) bonding(OE) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) isofs(E) cdrom(E) mst_pciconf(OE) ib_umad(OE) mlx5_ib(OE) ipmb_dev_int(OE) mlx5_core(OE) kpatch_15237886(OEK) mlxdevm(OE) auxiliary(OE) ib_uverbs(OE) ib_core(OE) psample(E) mlxfw(OE) tls(E) sunrpc(E) vfat(E) fat(E) crct10dif_ce(E) ghash_ce(E) sha1_ce(E) sbsa_gwdt(E) virtio_console(E) ext4(E) mbcache(E) jbd2(E) xfs(E) libcrc32c(E) mmc_block(E) virtio_net(E) net_failover(E) failover(E) sha2_ce(E) sha256_arm64(E) nvme(OE) nvme_core(OE) gpio_mlxbf3(OE) mlx_compat(OE) mlxbf_pmc(OE) i2c_mlxbf(OE) sdhci_of_dwcmshc(OE) pinctrl_mlxbf3(OE) mlxbf_pka(OE) gpio_generic(E) i2c_core(E) mmc_core(E) mlxbf_gige(OE) vitesse(E) pwr_mlxbf(OE) mlxbf_tmfifo(OE) micrel(E) mlxbf_bootctl(OE) virtio_ring(E) virtio(E) ipmi_devintf(E) ipmi_msghandler(E) [last unloaded: mst_pci] CPU: 11 PID: 20913 Comm: rte-worker-11 Kdump: loaded Tainted: G OE K 5.10.134-13.1.an8.aarch64 #1 Hardware name: https://www.mellanox.com BlueField-3 SmartNIC Main Card/BlueField-3 SmartNIC Main Card, BIOS 4.2.2.12968 Oct 26 2023 pstate: a0400089 (NzCv daIf +PAN -UAO -TCO BTYPE=--) pc : dispatch_event_fd+0x68/0x300 [mlx5_ib] lr : devx_event_notifier+0xcc/0x228 [mlx5_ib] sp : ffff80001005bcf0 x29: ffff80001005bcf0 x28: 0000000000000001 x27: ffff244e0740a1d8 x26: ffff244e0740a1d0 x25: ffffda56beff5ae0 x24: ffffda56bf911618 x23: ffff244e0596a480 x22: ffff244e0596a480 x21: ffff244d8312ad90 x20: ffff244e0596a480 x19: fffffffffffffff0 x18: 0000000000000000 x17: 0000000000000000 x16: ffffda56be66d620 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000040 x10: ffffda56bfcafb50 x9 : ffffda5655c25f2c x8 : 0000000000000010 x7 : 0000000000000000 x6 : ffff24545a2e24b8 x5 : 0000000000000003 x4 : ffff80001005bd28 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff244e0596a480 x0 : ffff244d8312ad90 Call trace: dispatch_event_fd+0x68/0x300 [mlx5_ib] devx_event_notifier+0xcc/0x228 [mlx5_ib] atomic_notifier_call_chain+0x58/0x80 mlx5_eq_async_int+0x148/0x2b0 [mlx5_core] atomic_notifier_call_chain+0x58/0x80 irq_int_handler+0x20/0x30 [mlx5_core] __handle_irq_event_percpu+0x60/0x220 handle_irq_event_percpu+0x3c/0x90 handle_irq_event+0x58/0x158 handle_fasteoi_irq+0xfc/0x188 generic_handle_irq+0x34/0x48 ... | 2025-07-25 | not yet calculated | CVE-2025-38387 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Replace mutex with rwlock to avoid sleep in atomic context The current use of a mutex to protect the notifier hashtable accesses can lead to issues in the atomic context. It results in the below kernel warnings: | BUG: sleeping function called from invalid context at kernel/locking/mutex.c:258 | in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 9, name: kworker/0:0 | preempt_count: 1, expected: 0 | RCU nest depth: 0, expected: 0 | CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.14.0 #4 | Workqueue: ffa_pcpu_irq_notification notif_pcpu_irq_work_fn | Call trace: | show_stack+0x18/0x24 (C) | dump_stack_lvl+0x78/0x90 | dump_stack+0x18/0x24 | __might_resched+0x114/0x170 | __might_sleep+0x48/0x98 | mutex_lock+0x24/0x80 | handle_notif_callbacks+0x54/0xe0 | notif_get_and_handle+0x40/0x88 | generic_exec_single+0x80/0xc0 | smp_call_function_single+0xfc/0x1a0 | notif_pcpu_irq_work_fn+0x2c/0x38 | process_one_work+0x14c/0x2b4 | worker_thread+0x2e4/0x3e0 | kthread+0x13c/0x210 | ret_from_fork+0x10/0x20 To address this, replace the mutex with an rwlock to protect the notifier hashtable accesses. This ensures that read-side locking does not sleep and multiple readers can acquire the lock concurrently, avoiding unnecessary contention and potential deadlocks. Writer access remains exclusive, preserving correctness. This change resolves warnings from lockdep about potential sleep in atomic context. | 2025-07-25 | not yet calculated | CVE-2025-38388 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Fix timeline left held on VMA alloc error The following error has been reported sporadically by CI when a test unbinds the i915 driver on a ring submission platform: <4> [239.330153] ------------[ cut here ]------------ <4> [239.330166] i915 0000:00:02.0: [drm] drm_WARN_ON(dev_priv->mm.shrink_count) <4> [239.330196] WARNING: CPU: 1 PID: 18570 at drivers/gpu/drm/i915/i915_gem.c:1309 i915_gem_cleanup_early+0x13e/0x150 [i915] ... <4> [239.330640] RIP: 0010:i915_gem_cleanup_early+0x13e/0x150 [i915] ... <4> [239.330942] Call Trace: <4> [239.330944] <TASK> <4> [239.330949] i915_driver_late_release+0x2b/0xa0 [i915] <4> [239.331202] i915_driver_release+0x86/0xa0 [i915] <4> [239.331482] devm_drm_dev_init_release+0x61/0x90 <4> [239.331494] devm_action_release+0x15/0x30 <4> [239.331504] release_nodes+0x3d/0x120 <4> [239.331517] devres_release_all+0x96/0xd0 <4> [239.331533] device_unbind_cleanup+0x12/0x80 <4> [239.331543] device_release_driver_internal+0x23a/0x280 <4> [239.331550] ? bus_find_device+0xa5/0xe0 <4> [239.331563] device_driver_detach+0x14/0x20 ... <4> [357.719679] ---[ end trace 0000000000000000 ]--- If the test also unloads the i915 module then that's followed with: <3> [357.787478] ============================================================================= <3> [357.788006] BUG i915_vma (Tainted: G U W N ): Objects remaining on __kmem_cache_shutdown() <3> [357.788031] ----------------------------------------------------------------------------- <3> [357.788204] Object 0xffff888109e7f480 @offset=29824 <3> [357.788670] Allocated in i915_vma_instance+0xee/0xc10 [i915] age=292729 cpu=4 pid=2244 <4> [357.788994] i915_vma_instance+0xee/0xc10 [i915] <4> [357.789290] init_status_page+0x7b/0x420 [i915] <4> [357.789532] intel_engines_init+0x1d8/0x980 [i915] <4> [357.789772] intel_gt_init+0x175/0x450 [i915] <4> [357.790014] i915_gem_init+0x113/0x340 [i915] <4> [357.790281] i915_driver_probe+0x847/0xed0 [i915] <4> [357.790504] i915_pci_probe+0xe6/0x220 [i915] ... Closer analysis of CI results history has revealed a dependency of the error on a few IGT tests, namely: - igt@api_intel_allocator@fork-simple-stress-signal, - igt@api_intel_allocator@two-level-inception-interruptible, - igt@gem_linear_blits@interruptible, - igt@prime_mmap_coherency@ioctl-errors, which invisibly trigger the issue, then exhibited with first driver unbind attempt. All of the above tests perform actions which are actively interrupted with signals. Further debugging has allowed to narrow that scope down to DRM_IOCTL_I915_GEM_EXECBUFFER2, and ring_context_alloc(), specific to ring submission, in particular. If successful then that function, or its execlists or GuC submission equivalent, is supposed to be called only once per GEM context engine, followed by raise of a flag that prevents the function from being called again. The function is expected to unwind its internal errors itself, so it may be safely called once more after it returns an error. In case of ring submission, the function first gets a reference to the engine's legacy timeline and then allocates a VMA. If the VMA allocation fails, e.g. when i915_vma_instance() called from inside is interrupted with a signal, then ring_context_alloc() fails, leaving the timeline held referenced. On next I915_GEM_EXECBUFFER2 IOCTL, another reference to the timeline is got, and only that last one is put on successful completion. As a consequence, the legacy timeline, with its underlying engine status page's VMA object, is still held and not released on driver unbind. Get the legacy timeline only after successful allocation of the context engine's VMA. v2: Add a note on other submission methods (Krzysztof Karas): Both execlists and GuC submission use lrc_alloc() which seems free from a similar issue. (cherry picked from commit cc43422b3cc79eacff4c5a8ba0d224688ca9dd4f) | 2025-07-25 | not yet calculated | CVE-2025-38389 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: arm_ffa: Fix memory leak by freeing notifier callback node Commit e0573444edbf ("firmware: arm_ffa: Add interfaces to request notification callbacks") adds support for notifier callbacks by allocating and inserting a callback node into a hashtable during registration of notifiers. However, during unregistration, the code only removes the node from the hashtable without freeing the associated memory, resulting in a memory leak. Resolve the memory leak issue by ensuring the allocated notifier callback node is properly freed after it is removed from the hashtable entry. | 2025-07-25 | not yet calculated | CVE-2025-38390 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: altmodes/displayport: do not index invalid pin_assignments A poorly implemented DisplayPort Alt Mode port partner can indicate that its pin assignment capabilities are greater than the maximum value, DP_PIN_ASSIGN_F. In this case, calls to pin_assignment_show will cause a BRK exception due to an out of bounds array access. Prevent for loop in pin_assignment_show from accessing invalid values in pin_assignments by adding DP_PIN_ASSIGN_MAX value in typec_dp.h and using i < DP_PIN_ASSIGN_MAX as a loop condition. | 2025-07-25 | not yet calculated | CVE-2025-38391 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: convert control queue mutex to a spinlock With VIRTCHNL2_CAP_MACFILTER enabled, the following warning is generated on module load: [ 324.701677] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578 [ 324.701684] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1582, name: NetworkManager [ 324.701689] preempt_count: 201, expected: 0 [ 324.701693] RCU nest depth: 0, expected: 0 [ 324.701697] 2 locks held by NetworkManager/1582: [ 324.701702] #0: ffffffff9f7be770 (rtnl_mutex){....}-{3:3}, at: rtnl_newlink+0x791/0x21e0 [ 324.701730] #1: ff1100216c380368 (_xmit_ETHER){....}-{2:2}, at: __dev_open+0x3f0/0x870 [ 324.701749] Preemption disabled at: [ 324.701752] [<ffffffff9cd23b9d>] __dev_open+0x3dd/0x870 [ 324.701765] CPU: 30 UID: 0 PID: 1582 Comm: NetworkManager Not tainted 6.15.0-rc5+ #2 PREEMPT(voluntary) [ 324.701771] Hardware name: Intel Corporation M50FCP2SBSTD/M50FCP2SBSTD, BIOS SE5C741.86B.01.01.0001.2211140926 11/14/2022 [ 324.701774] Call Trace: [ 324.701777] <TASK> [ 324.701779] dump_stack_lvl+0x5d/0x80 [ 324.701788] ? __dev_open+0x3dd/0x870 [ 324.701793] __might_resched.cold+0x1ef/0x23d <..> [ 324.701818] __mutex_lock+0x113/0x1b80 <..> [ 324.701917] idpf_ctlq_clean_sq+0xad/0x4b0 [idpf] [ 324.701935] ? kasan_save_track+0x14/0x30 [ 324.701941] idpf_mb_clean+0x143/0x380 [idpf] <..> [ 324.701991] idpf_send_mb_msg+0x111/0x720 [idpf] [ 324.702009] idpf_vc_xn_exec+0x4cc/0x990 [idpf] [ 324.702021] ? rcu_is_watching+0x12/0xc0 [ 324.702035] idpf_add_del_mac_filters+0x3ed/0xb50 [idpf] <..> [ 324.702122] __hw_addr_sync_dev+0x1cf/0x300 [ 324.702126] ? find_held_lock+0x32/0x90 [ 324.702134] idpf_set_rx_mode+0x317/0x390 [idpf] [ 324.702152] __dev_open+0x3f8/0x870 [ 324.702159] ? __pfx___dev_open+0x10/0x10 [ 324.702174] __dev_change_flags+0x443/0x650 <..> [ 324.702208] netif_change_flags+0x80/0x160 [ 324.702218] do_setlink.isra.0+0x16a0/0x3960 <..> [ 324.702349] rtnl_newlink+0x12fd/0x21e0 The sequence is as follows: rtnl_newlink()-> __dev_change_flags()-> __dev_open()-> dev_set_rx_mode() - > # disables BH and grabs "dev->addr_list_lock" idpf_set_rx_mode() -> # proceed only if VIRTCHNL2_CAP_MACFILTER is ON __dev_uc_sync() -> idpf_add_mac_filter -> idpf_add_del_mac_filters -> idpf_send_mb_msg() -> idpf_mb_clean() -> idpf_ctlq_clean_sq() # mutex_lock(cq_lock) Fix by converting cq_lock to a spinlock. All operations under the new lock are safe except freeing the DMA memory, which may use vunmap(). Fix by requesting a contiguous physical memory for the DMA mapping. | 2025-07-25 | not yet calculated | CVE-2025-38392 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN We found a few different systems hung up in writeback waiting on the same page lock, and one task waiting on the NFS_LAYOUT_DRAIN bit in pnfs_update_layout(), however the pnfs_layout_hdr's plh_outstanding count was zero. It seems most likely that this is another race between the waiter and waker similar to commit ed0172af5d6f ("SUNRPC: Fix a race to wake a sync task"). Fix it up by applying the advised barrier. | 2025-07-25 | not yet calculated | CVE-2025-38393 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: fix memory corruption of input_handler_list In appletb_kbd_probe an input handler is initialised and then registered with input core through input_register_handler(). When this happens input core will add the input handler (specifically its node) to the global input_handler_list. The input_handler_list is central to the functionality of input core and is traversed in various places in input core. An example of this is when a new input device is plugged in and gets registered with input core. The input_handler in probe is allocated as device managed memory. If a probe failure occurs after input_register_handler() the input_handler memory is freed, yet it will remain in the input_handler_list. This effectively means the input_handler_list contains a dangling pointer to data belonging to a freed input handler. This causes an issue when any other input device is plugged in - in my case I had an old PixArt HP USB optical mouse and I decided to plug it in after a failure occurred after input_register_handler(). This lead to the registration of this input device via input_register_device which involves traversing over every handler in the corrupted input_handler_list and calling input_attach_handler(), giving each handler a chance to bind to newly registered device. The core of this bug is a UAF which causes memory corruption of input_handler_list and to fix it we must ensure the input handler is unregistered from input core, this is done through input_unregister_handler(). [ 63.191597] ================================================================== [ 63.192094] BUG: KASAN: slab-use-after-free in input_attach_handler.isra.0+0x1a9/0x1e0 [ 63.192094] Read of size 8 at addr ffff888105ea7c80 by task kworker/0:2/54 [ 63.192094] [ 63.192094] CPU: 0 UID: 0 PID: 54 Comm: kworker/0:2 Not tainted 6.16.0-rc2-00321-g2aa6621d [ 63.192094] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.164 [ 63.192094] Workqueue: usb_hub_wq hub_event [ 63.192094] Call Trace: [ 63.192094] <TASK> [ 63.192094] dump_stack_lvl+0x53/0x70 [ 63.192094] print_report+0xce/0x670 [ 63.192094] kasan_report+0xce/0x100 [ 63.192094] input_attach_handler.isra.0+0x1a9/0x1e0 [ 63.192094] input_register_device+0x76c/0xd00 [ 63.192094] hidinput_connect+0x686d/0xad60 [ 63.192094] hid_connect+0xf20/0x1b10 [ 63.192094] hid_hw_start+0x83/0x100 [ 63.192094] hid_device_probe+0x2d1/0x680 [ 63.192094] really_probe+0x1c3/0x690 [ 63.192094] __driver_probe_device+0x247/0x300 [ 63.192094] driver_probe_device+0x49/0x210 [ 63.192094] __device_attach_driver+0x160/0x320 [ 63.192094] bus_for_each_drv+0x10f/0x190 [ 63.192094] __device_attach+0x18e/0x370 [ 63.192094] bus_probe_device+0x123/0x170 [ 63.192094] device_add+0xd4d/0x1460 [ 63.192094] hid_add_device+0x30b/0x910 [ 63.192094] usbhid_probe+0x920/0xe00 [ 63.192094] usb_probe_interface+0x363/0x9a0 [ 63.192094] really_probe+0x1c3/0x690 [ 63.192094] __driver_probe_device+0x247/0x300 [ 63.192094] driver_probe_device+0x49/0x210 [ 63.192094] __device_attach_driver+0x160/0x320 [ 63.192094] bus_for_each_drv+0x10f/0x190 [ 63.192094] __device_attach+0x18e/0x370 [ 63.192094] bus_probe_device+0x123/0x170 [ 63.192094] device_add+0xd4d/0x1460 [ 63.192094] usb_set_configuration+0xd14/0x1880 [ 63.192094] usb_generic_driver_probe+0x78/0xb0 [ 63.192094] usb_probe_device+0xaa/0x2e0 [ 63.192094] really_probe+0x1c3/0x690 [ 63.192094] __driver_probe_device+0x247/0x300 [ 63.192094] driver_probe_device+0x49/0x210 [ 63.192094] __device_attach_driver+0x160/0x320 [ 63.192094] bus_for_each_drv+0x10f/0x190 [ 63.192094] __device_attach+0x18e/0x370 [ 63.192094] bus_probe_device+0x123/0x170 [ 63.192094] device_add+0xd4d/0x1460 [ 63.192094] usb_new_device+0x7b4/0x1000 [ 63.192094] hub_event+0x234d/0x3 ---truncated--- | 2025-07-25 | not yet calculated | CVE-2025-38394 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods drvdata::gpiods is supposed to hold an array of 'gpio_desc' pointers. But the memory is allocated for only one pointer. This will lead to out-of-bounds access later in the code if 'config::ngpios' is > 1. So fix the code to allocate enough memory to hold 'config::ngpios' of GPIO descriptors. While at it, also move the check for memory allocation failure to be below the allocation to make it more readable. | 2025-07-25 | not yet calculated | CVE-2025-38395 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass Export anon_inode_make_secure_inode() to allow KVM guest_memfd to create anonymous inodes with proper security context. This replaces the current pattern of calling alloc_anon_inode() followed by inode_init_security_anon() for creating security context manually. This change also fixes a security regression in secretmem where the S_PRIVATE flag was not cleared after alloc_anon_inode(), causing LSM/SELinux checks to be bypassed for secretmem file descriptors. As guest_memfd currently resides in the KVM module, we need to export this symbol for use outside the core kernel. In the future, guest_memfd might be moved to core-mm, at which point the symbols no longer would have to be exported. When/if that happens is still unclear. | 2025-07-25 | not yet calculated | CVE-2025-38396 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-multipath: fix suspicious RCU usage warning When I run the NVME over TCP test in virtme-ng, I get the following "suspicious RCU usage" warning in nvme_mpath_add_sysfs_link(): ''' [ 5.024557][ T44] nvmet: Created nvm controller 1 for subsystem nqn.2025-06.org.nvmexpress.mptcp for NQN nqn.2014-08.org.nvmexpress:uuid:f7f6b5e0-ff97-4894-98ac-c85309e0bc77. [ 5.027401][ T183] nvme nvme0: creating 2 I/O queues. [ 5.029017][ T183] nvme nvme0: mapped 2/0/0 default/read/poll queues. [ 5.032587][ T183] nvme nvme0: new ctrl: NQN "nqn.2025-06.org.nvmexpress.mptcp", addr 127.0.0.1:4420, hostnqn: nqn.2014-08.org.nvmexpress:uuid:f7f6b5e0-ff97-4894-98ac-c85309e0bc77 [ 5.042214][ T25] [ 5.042440][ T25] ============================= [ 5.042579][ T25] WARNING: suspicious RCU usage [ 5.042705][ T25] 6.16.0-rc3+ #23 Not tainted [ 5.042812][ T25] ----------------------------- [ 5.042934][ T25] drivers/nvme/host/multipath.c:1203 RCU-list traversed in non-reader section!! [ 5.043111][ T25] [ 5.043111][ T25] other info that might help us debug this: [ 5.043111][ T25] [ 5.043341][ T25] [ 5.043341][ T25] rcu_scheduler_active = 2, debug_locks = 1 [ 5.043502][ T25] 3 locks held by kworker/u9:0/25: [ 5.043615][ T25] #0: ffff888008730948 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x7ed/0x1350 [ 5.043830][ T25] #1: ffffc900001afd40 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0xcf3/0x1350 [ 5.044084][ T25] #2: ffff888013ee0020 (&head->srcu){.+.+}-{0:0}, at: nvme_mpath_add_sysfs_link.part.0+0xb4/0x3a0 [ 5.044300][ T25] [ 5.044300][ T25] stack backtrace: [ 5.044439][ T25] CPU: 0 UID: 0 PID: 25 Comm: kworker/u9:0 Not tainted 6.16.0-rc3+ #23 PREEMPT(full) [ 5.044441][ T25] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 5.044442][ T25] Workqueue: async async_run_entry_fn [ 5.044445][ T25] Call Trace: [ 5.044446][ T25] <TASK> [ 5.044449][ T25] dump_stack_lvl+0x6f/0xb0 [ 5.044453][ T25] lockdep_rcu_suspicious.cold+0x4f/0xb1 [ 5.044457][ T25] nvme_mpath_add_sysfs_link.part.0+0x2fb/0x3a0 [ 5.044459][ T25] ? queue_work_on+0x90/0xf0 [ 5.044461][ T25] ? lockdep_hardirqs_on+0x78/0x110 [ 5.044466][ T25] nvme_mpath_set_live+0x1e9/0x4f0 [ 5.044470][ T25] nvme_mpath_add_disk+0x240/0x2f0 [ 5.044472][ T25] ? __pfx_nvme_mpath_add_disk+0x10/0x10 [ 5.044475][ T25] ? add_disk_fwnode+0x361/0x580 [ 5.044480][ T25] nvme_alloc_ns+0x81c/0x17c0 [ 5.044483][ T25] ? kasan_quarantine_put+0x104/0x240 [ 5.044487][ T25] ? __pfx_nvme_alloc_ns+0x10/0x10 [ 5.044495][ T25] ? __pfx_nvme_find_get_ns+0x10/0x10 [ 5.044496][ T25] ? rcu_read_lock_any_held+0x45/0xa0 [ 5.044498][ T25] ? validate_chain+0x232/0x4f0 [ 5.044503][ T25] nvme_scan_ns+0x4c8/0x810 [ 5.044506][ T25] ? __pfx_nvme_scan_ns+0x10/0x10 [ 5.044508][ T25] ? find_held_lock+0x2b/0x80 [ 5.044512][ T25] ? ktime_get+0x16d/0x220 [ 5.044517][ T25] ? kvm_clock_get_cycles+0x18/0x30 [ 5.044520][ T25] ? __pfx_nvme_scan_ns_async+0x10/0x10 [ 5.044522][ T25] async_run_entry_fn+0x97/0x560 [ 5.044523][ T25] ? rcu_is_watching+0x12/0xc0 [ 5.044526][ T25] process_one_work+0xd3c/0x1350 [ 5.044532][ T25] ? __pfx_process_one_work+0x10/0x10 [ 5.044536][ T25] ? assign_work+0x16c/0x240 [ 5.044539][ T25] worker_thread+0x4da/0xd50 [ 5.044545][ T25] ? __pfx_worker_thread+0x10/0x10 [ 5.044546][ T25] kthread+0x356/0x5c0 [ 5.044548][ T25] ? __pfx_kthread+0x10/0x10 [ 5.044549][ T25] ? ret_from_fork+0x1b/0x2e0 [ 5.044552][ T25] ? __lock_release.isra.0+0x5d/0x180 [ 5.044553][ T25] ? ret_from_fork+0x1b/0x2e0 [ 5.044555][ T25] ? rcu_is_watching+0x12/0xc0 [ 5.044557][ T25] ? __pfx_kthread+0x10/0x10 [ 5.04 ---truncated--- | 2025-07-25 | not yet calculated | CVE-2025-38397 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: spi: spi-qpic-snand: reallocate BAM transactions Using the mtd_nandbiterrs module for testing the driver occasionally results in weird things like below. 1. swiotlb mapping fails with the following message: [ 85.926216] qcom_snand 79b0000.spi: swiotlb buffer is full (sz: 4294967294 bytes), total 512 (slots), used 0 (slots) [ 85.932937] qcom_snand 79b0000.spi: failure in mapping desc [ 87.999314] qcom_snand 79b0000.spi: failure to write raw page [ 87.999352] mtd_nandbiterrs: error: write_oob failed (-110) Rebooting the board after this causes a panic due to a NULL pointer dereference. 2. If the swiotlb mapping does not fail, rebooting the board may result in a different panic due to a bad spinlock magic: [ 256.104459] BUG: spinlock bad magic on CPU#3, procd/2241 [ 256.104488] Unable to handle kernel paging request at virtual address ffffffff0000049b ... Investigating the issue revealed that these symptoms are results of memory corruption which is caused by out of bounds access within the driver. The driver uses a dynamically allocated structure for BAM transactions, which structure must have enough space for all possible variations of different flash operations initiated by the driver. The required space heavily depends on the actual number of 'codewords' which is calculated from the pagesize of the actual NAND chip. Although the qcom_nandc_alloc() function allocates memory for the BAM transactions during probe, but since the actual number of 'codewords' is not yet know the allocation is done for one 'codeword' only. Because of this, whenever the driver does a flash operation, and the number of the required transactions exceeds the size of the allocated arrays the driver accesses memory out of the allocated range. To avoid this, change the code to free the initially allocated BAM transactions memory, and allocate a new one once the actual number of 'codewords' required for a given NAND chip is known. | 2025-07-25 | not yet calculated | CVE-2025-38398 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() The function core_scsi3_decode_spec_i_port(), in its error code path, unconditionally calls core_scsi3_lunacl_undepend_item() passing the dest_se_deve pointer, which may be NULL. This can lead to a NULL pointer dereference if dest_se_deve remains unset. SPC-3 PR SPEC_I_PT: Unable to locate dest_tpg Unable to handle kernel paging request at virtual address dfff800000000012 Call trace: core_scsi3_lunacl_undepend_item+0x2c/0xf0 [target_core_mod] (P) core_scsi3_decode_spec_i_port+0x120c/0x1c30 [target_core_mod] core_scsi3_emulate_pro_register+0x6b8/0xcd8 [target_core_mod] target_scsi3_emulate_pr_out+0x56c/0x840 [target_core_mod] Fix this by adding a NULL check before calling core_scsi3_lunacl_undepend_item() | 2025-07-25 | not yet calculated | CVE-2025-38399 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. syzbot reported a warning below [1] following a fault injection in nfs_fs_proc_net_init(). [0] When nfs_fs_proc_net_init() fails, /proc/net/rpc/nfs is not removed. Later, rpc_proc_exit() tries to remove /proc/net/rpc, and the warning is logged as the directory is not empty. Let's handle the error of nfs_fs_proc_net_init() properly. [0]: FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:123) should_fail_ex (lib/fault-inject.c:73 lib/fault-inject.c:174) should_failslab (mm/failslab.c:46) kmem_cache_alloc_noprof (mm/slub.c:4178 mm/slub.c:4204) __proc_create (fs/proc/generic.c:427) proc_create_reg (fs/proc/generic.c:554) proc_create_net_data (fs/proc/proc_net.c:120) nfs_fs_proc_net_init (fs/nfs/client.c:1409) nfs_net_init (fs/nfs/inode.c:2600) ops_init (net/core/net_namespace.c:138) setup_net (net/core/net_namespace.c:443) copy_net_ns (net/core/net_namespace.c:576) create_new_namespaces (kernel/nsproxy.c:110) unshare_nsproxy_namespaces (kernel/nsproxy.c:218 (discriminator 4)) ksys_unshare (kernel/fork.c:3123) __x64_sys_unshare (kernel/fork.c:3190) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) </TASK> [1]: remove_proc_entry: removing non-empty directory 'net/rpc', leaking at least 'nfs' WARNING: CPU: 1 PID: 6120 at fs/proc/generic.c:727 remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727 Modules linked in: CPU: 1 UID: 0 PID: 6120 Comm: syz.2.27 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 RIP: 0010:remove_proc_entry+0x45e/0x530 fs/proc/generic.c:727 Code: 3c 02 00 0f 85 85 00 00 00 48 8b 93 d8 00 00 00 4d 89 f0 4c 89 e9 48 c7 c6 40 ba a2 8b 48 c7 c7 60 b9 a2 8b e8 33 81 1d ff 90 <0f> 0b 90 90 e9 5f fe ff ff e8 04 69 5e ff 90 48 b8 00 00 00 00 00 RSP: 0018:ffffc90003637b08 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88805f534140 RCX: ffffffff817a92c8 RDX: ffff88807da99e00 RSI: ffffffff817a92d5 RDI: 0000000000000001 RBP: ffff888033431ac0 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000001 R12: ffff888033431a00 R13: ffff888033431ae4 R14: ffff888033184724 R15: dffffc0000000000 FS: 0000555580328500(0000) GS:ffff888124a62000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f71733743e0 CR3: 000000007f618000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> sunrpc_exit_net+0x46/0x90 net/sunrpc/sunrpc_syms.c:76 ops_exit_list net/core/net_namespace.c:200 [inline] ops_undo_list+0x2eb/0xab0 net/core/net_namespace.c:253 setup_net+0x2e1/0x510 net/core/net_namespace.c:457 copy_net_ns+0x2a6/0x5f0 net/core/net_namespace.c:574 create_new_namespaces+0x3ea/0xa90 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xc0/0x1f0 kernel/nsproxy.c:218 ksys_unshare+0x45b/0xa40 kernel/fork.c:3121 __do_sys_unshare kernel/fork.c:3192 [inline] __se_sys_unshare kernel/fork.c:3190 [inline] __x64_sys_unshare+0x31/0x40 kernel/fork.c:3190 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x490 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fa1a6b8e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c ---truncated--- | 2025-07-25 | not yet calculated | CVE-2025-38400 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtk-sd: Prevent memory corruption from DMA map failure If msdc_prepare_data() fails to map the DMA region, the request is not prepared for data receiving, but msdc_start_data() proceeds the DMA with previous setting. Since this will lead a memory corruption, we have to stop the request operation soon after the msdc_prepare_data() fails to prepare it. | 2025-07-25 | not yet calculated | CVE-2025-38401 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: return 0 size for RSS key if not supported Returning -EOPNOTSUPP from function returning u32 is leading to cast and invalid size value as a result. -EOPNOTSUPP as a size probably will lead to allocation fail. Command: ethtool -x eth0 It is visible on all devices that don't have RSS caps set. [ 136.615917] Call Trace: [ 136.615921] <TASK> [ 136.615927] ? __warn+0x89/0x130 [ 136.615942] ? __alloc_frozen_pages_noprof+0x322/0x330 [ 136.615953] ? report_bug+0x164/0x190 [ 136.615968] ? handle_bug+0x58/0x90 [ 136.615979] ? exc_invalid_op+0x17/0x70 [ 136.615987] ? asm_exc_invalid_op+0x1a/0x20 [ 136.616001] ? rss_prepare_get.constprop.0+0xb9/0x170 [ 136.616016] ? __alloc_frozen_pages_noprof+0x322/0x330 [ 136.616028] __alloc_pages_noprof+0xe/0x20 [ 136.616038] ___kmalloc_large_node+0x80/0x110 [ 136.616072] __kmalloc_large_node_noprof+0x1d/0xa0 [ 136.616081] __kmalloc_noprof+0x32c/0x4c0 [ 136.616098] ? rss_prepare_get.constprop.0+0xb9/0x170 [ 136.616105] rss_prepare_get.constprop.0+0xb9/0x170 [ 136.616114] ethnl_default_doit+0x107/0x3d0 [ 136.616131] genl_family_rcv_msg_doit+0x100/0x160 [ 136.616147] genl_rcv_msg+0x1b8/0x2c0 [ 136.616156] ? __pfx_ethnl_default_doit+0x10/0x10 [ 136.616168] ? __pfx_genl_rcv_msg+0x10/0x10 [ 136.616176] netlink_rcv_skb+0x58/0x110 [ 136.616186] genl_rcv+0x28/0x40 [ 136.616195] netlink_unicast+0x19b/0x290 [ 136.616206] netlink_sendmsg+0x222/0x490 [ 136.616215] __sys_sendto+0x1fd/0x210 [ 136.616233] __x64_sys_sendto+0x24/0x30 [ 136.616242] do_syscall_64+0x82/0x160 [ 136.616252] ? __sys_recvmsg+0x83/0xe0 [ 136.616265] ? syscall_exit_to_user_mode+0x10/0x210 [ 136.616275] ? do_syscall_64+0x8e/0x160 [ 136.616282] ? __count_memcg_events+0xa1/0x130 [ 136.616295] ? count_memcg_events.constprop.0+0x1a/0x30 [ 136.616306] ? handle_mm_fault+0xae/0x2d0 [ 136.616319] ? do_user_addr_fault+0x379/0x670 [ 136.616328] ? clear_bhb_loop+0x45/0xa0 [ 136.616340] ? clear_bhb_loop+0x45/0xa0 [ 136.616349] ? clear_bhb_loop+0x45/0xa0 [ 136.616359] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 136.616369] RIP: 0033:0x7fd30ba7b047 [ 136.616376] Code: 0c 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 80 3d bd d5 0c 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 71 c3 55 48 83 ec 30 44 89 4c 24 2c 4c 89 44 [ 136.616381] RSP: 002b:00007ffde1796d68 EFLAGS: 00000202 ORIG_RAX: 000000000000002c [ 136.616388] RAX: ffffffffffffffda RBX: 000055d7bd89f2a0 RCX: 00007fd30ba7b047 [ 136.616392] RDX: 0000000000000028 RSI: 000055d7bd89f3b0 RDI: 0000000000000003 [ 136.616396] RBP: 00007ffde1796e10 R08: 00007fd30bb4e200 R09: 000000000000000c [ 136.616399] R10: 0000000000000000 R11: 0000000000000202 R12: 000055d7bd89f340 [ 136.616403] R13: 000055d7bd89f3b0 R14: 000055d78943f200 R15: 0000000000000000 | 2025-07-25 | not yet calculated | CVE-2025-38402 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock/vmci: Clear the vmci transport packet properly when initializing it In vmci_transport_packet_init memset the vmci_transport_packet before populating the fields to avoid any uninitialised data being left in the structure. | 2025-07-25 | not yet calculated | CVE-2025-38403 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: displayport: Fix potential deadlock The deadlock can occur due to a recursive lock acquisition of `cros_typec_altmode_data::mutex`. The call chain is as follows: 1. cros_typec_altmode_work() acquires the mutex 2. typec_altmode_vdm() -> dp_altmode_vdm() -> 3. typec_altmode_exit() -> cros_typec_altmode_exit() 4. cros_typec_altmode_exit() attempts to acquire the mutex again To prevent this, defer the `typec_altmode_exit()` call by scheduling it rather than calling it directly from within the mutex-protected context. | 2025-07-25 | not yet calculated | CVE-2025-38404 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvmet: fix memory leak of bio integrity If nvmet receives commands with metadata there is a continuous memory leak of kmalloc-128 slab or more precisely bio->bi_integrity. Since commit bf4c89fc8797 ("block: don't call bio_uninit from bio_endio") each user of bio_init has to use bio_uninit as well. Otherwise the bio integrity is not getting free. Nvmet uses bio_init for inline bios. Uninit the inline bio to complete deallocation of integrity in bio. | 2025-07-25 | not yet calculated | CVE-2025-38405 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath6kl: remove WARN on bad firmware input If the firmware gives bad input, that's nothing to do with the driver's stack at this point etc., so the WARN_ON() doesn't add any value. Additionally, this is one of the top syzbot reports now. Just print a message, and as an added bonus, print the sizes too. | 2025-07-25 | not yet calculated | CVE-2025-38406 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: riscv: cpu_ops_sbi: Use static array for boot_data Since commit 6b9f29b81b15 ("riscv: Enable pcpu page first chunk allocator"), if NUMA is enabled, the page percpu allocator may be used on very sparse configurations, or when requested on boot with percpu_alloc=page. In that case, percpu data gets put in the vmalloc area. However, sbi_hsm_hart_start() needs the physical address of a sbi_hart_boot_data, and simply assumes that __pa() would work. This causes the just started hart to immediately access an invalid address and hang. Fortunately, struct sbi_hart_boot_data is not too large, so we can simply allocate an array for boot_data statically, putting it in the kernel image. This fixes NUMA=y SMP boot on Sophgo SG2042. To reproduce on QEMU: Set CONFIG_NUMA=y and CONFIG_DEBUG_VIRTUAL=y, then run with: qemu-system-riscv64 -M virt -smp 2 -nographic \ -kernel arch/riscv/boot/Image \ -append "percpu_alloc=page" Kernel output: [ 0.000000] Booting Linux on hartid 0 [ 0.000000] Linux version 6.16.0-rc1 (dram@sakuya) (riscv64-unknown-linux-gnu-gcc (GCC) 14.2.1 20250322, GNU ld (GNU Binutils) 2.44) #11 SMP Tue Jun 24 14:56:22 CST 2025 ... [ 0.000000] percpu: 28 4K pages/cpu s85784 r8192 d20712 ... [ 0.083192] smp: Bringing up secondary CPUs ... [ 0.086722] ------------[ cut here ]------------ [ 0.086849] virt_to_phys used for non-linear address: (____ptrval____) (0xff2000000001d080) [ 0.088001] WARNING: CPU: 0 PID: 1 at arch/riscv/mm/physaddr.c:14 __virt_to_phys+0xae/0xe8 [ 0.088376] Modules linked in: [ 0.088656] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.16.0-rc1 #11 NONE [ 0.088833] Hardware name: riscv-virtio,qemu (DT) [ 0.088948] epc : __virt_to_phys+0xae/0xe8 [ 0.089001] ra : __virt_to_phys+0xae/0xe8 [ 0.089037] epc : ffffffff80021eaa ra : ffffffff80021eaa sp : ff2000000004bbc0 [ 0.089057] gp : ffffffff817f49c0 tp : ff60000001d60000 t0 : 5f6f745f74726976 [ 0.089076] t1 : 0000000000000076 t2 : 705f6f745f747269 s0 : ff2000000004bbe0 [ 0.089095] s1 : ff2000000001d080 a0 : 0000000000000000 a1 : 0000000000000000 [ 0.089113] a2 : 0000000000000000 a3 : 0000000000000000 a4 : 0000000000000000 [ 0.089131] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000000000000 [ 0.089155] s2 : ffffffff8130dc00 s3 : 0000000000000001 s4 : 0000000000000001 [ 0.089174] s5 : ffffffff8185eff8 s6 : ff2000007f1eb000 s7 : ffffffff8002a2ec [ 0.089193] s8 : 0000000000000001 s9 : 0000000000000001 s10: 0000000000000000 [ 0.089211] s11: 0000000000000000 t3 : ffffffff8180a9f7 t4 : ffffffff8180a9f7 [ 0.089960] t5 : ffffffff8180a9f8 t6 : ff2000000004b9d8 [ 0.089984] status: 0000000200000120 badaddr: ffffffff80021eaa cause: 0000000000000003 [ 0.090101] [<ffffffff80021eaa>] __virt_to_phys+0xae/0xe8 [ 0.090228] [<ffffffff8001d796>] sbi_cpu_start+0x6e/0xe8 [ 0.090247] [<ffffffff8001a5da>] __cpu_up+0x1e/0x8c [ 0.090260] [<ffffffff8002a32e>] bringup_cpu+0x42/0x258 [ 0.090277] [<ffffffff8002914c>] cpuhp_invoke_callback+0xe0/0x40c [ 0.090292] [<ffffffff800294e0>] __cpuhp_invoke_callback_range+0x68/0xfc [ 0.090320] [<ffffffff8002a96a>] _cpu_up+0x11a/0x244 [ 0.090334] [<ffffffff8002aae6>] cpu_up+0x52/0x90 [ 0.090384] [<ffffffff80c09350>] bringup_nonboot_cpus+0x78/0x118 [ 0.090411] [<ffffffff80c11060>] smp_init+0x34/0xb8 [ 0.090425] [<ffffffff80c01220>] kernel_init_freeable+0x148/0x2e4 [ 0.090442] [<ffffffff80b83802>] kernel_init+0x1e/0x14c [ 0.090455] [<ffffffff800124ca>] ret_from_fork_kernel+0xe/0xf0 [ 0.090471] [<ffffffff80b8d9c2>] ret_from_fork_kernel_asm+0x16/0x18 [ 0.090560] ---[ end trace 0000000000000000 ]--- [ 1.179875] CPU1: failed to come online [ 1.190324] smp: Brought up 1 node, 1 CPU | 2025-07-25 | not yet calculated | CVE-2025-38407 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: genirq/irq_sim: Initialize work context pointers properly Initialize `ops` member's pointers properly by using kzalloc() instead of kmalloc() when allocating the simulation work context. Otherwise the pointers contain random content leading to invalid dereferencing. | 2025-07-25 | not yet calculated | CVE-2025-38408 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix another leak in the submit error path put_unused_fd() doesn't free the installed file, if we've already done fd_install(). So we need to also free the sync_file. Patchwork: https://patchwork.freedesktop.org/patch/653583/ | 2025-07-25 | not yet calculated | CVE-2025-38409 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm: Fix a fence leak in submit error path In error paths, we could unref the submit without calling drm_sched_entity_push_job(), so msm_job_free() will never get called. Since drm_sched_job_cleanup() will NULL out the s_fence, we can use that to detect this case. Patchwork: https://patchwork.freedesktop.org/patch/653584/ | 2025-07-25 | not yet calculated | CVE-2025-38410 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfs: Fix double put of request If a netfs request finishes during the pause loop, it will have the ref that belongs to the IN_PROGRESS flag removed at that point - however, if it then goes to the final wait loop, that will *also* put the ref because it sees that the IN_PROGRESS flag is clear and incorrectly assumes that this happened when it called the collector. In fact, since IN_PROGRESS is clear, we shouldn't call the collector again since it's done all the cleanup, such as calling ->ki_complete(). Fix this by making netfs_collect_in_app() just return, indicating that we're done if IN_PROGRESS is removed. | 2025-07-25 | not yet calculated | CVE-2025-38411 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks After retrieving WMI data blocks in sysfs callbacks, check for the validity of them before dereferencing their content. | 2025-07-25 | not yet calculated | CVE-2025-38412 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virtio-net: xsk: rx: fix the frame's length check When calling buf_to_xdp, the len argument is the frame data's length without virtio header's length (vi->hdr_len). We check that len with xsk_pool_get_rx_frame_size() + vi->hdr_len to ensure the provided len does not larger than the allocated chunk size. The additional vi->hdr_len is because in virtnet_add_recvbuf_xsk, we use part of XDP_PACKET_HEADROOM for virtio header and ask the vhost to start placing data from hard_start + XDP_PACKET_HEADROOM - vi->hdr_len not hard_start + XDP_PACKET_HEADROOM But the first buffer has virtio_header, so the maximum frame's length in the first buffer can only be xsk_pool_get_rx_frame_size() not xsk_pool_get_rx_frame_size() + vi->hdr_len like in the current check. This commit adds an additional argument to buf_to_xdp differentiate between the first buffer and other ones to correctly calculate the maximum frame's length. | 2025-07-25 | not yet calculated | CVE-2025-38413 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 GCC_GCC_PCIE_HOT_RST is wrongly defined for WCN7850, causing kernel crash on some specific platforms. Since this register is divergent for WCN7850 and QCN9274, move it to register table to allow different definitions. Then correct the register address for WCN7850 to fix this issue. Note IPQ5332 is not affected as it is not PCIe based device. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 | 2025-07-25 | not yet calculated | CVE-2025-38414 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Squashfs: check return result of sb_min_blocksize Syzkaller reports an "UBSAN: shift-out-of-bounds in squashfs_bio_read" bug. Syzkaller forks multiple processes which after mounting the Squashfs filesystem, issues an ioctl("/dev/loop0", LOOP_SET_BLOCK_SIZE, 0x8000). Now if this ioctl occurs at the same time another process is in the process of mounting a Squashfs filesystem on /dev/loop0, the failure occurs. When this happens the following code in squashfs_fill_super() fails. ---- msblk->devblksize = sb_min_blocksize(sb, SQUASHFS_DEVBLK_SIZE); msblk->devblksize_log2 = ffz(~msblk->devblksize); ---- sb_min_blocksize() returns 0, which means msblk->devblksize is set to 0. As a result, ffz(~msblk->devblksize) returns 64, and msblk->devblksize_log2 is set to 64. This subsequently causes the UBSAN: shift-out-of-bounds in fs/squashfs/block.c:195:36 shift exponent 64 is too large for 64-bit type 'u64' (aka 'unsigned long long') This commit adds a check for a 0 return by sb_min_blocksize(). | 2025-07-25 | not yet calculated | CVE-2025-38415 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFC: nci: uart: Set tty->disc_data only in success path Setting tty->disc_data before opening the NCI device means we need to clean it up on error paths. This also opens some short window if device starts sending data, even before NCIUARTSETDRIVER IOCTL succeeded (broken hardware?). Close the window by exposing tty->disc_data only on the success path, when opening of the NCI device and try_module_get() succeeds. The code differs in error path in one aspect: tty->disc_data won't be ever assigned thus NULL-ified. This however should not be relevant difference, because of "tty->disc_data=NULL" in nci_uart_tty_open(). | 2025-07-25 | not yet calculated | CVE-2025-38416 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: fix eswitch code memory leak in reset scenario Add simple eswitch mode checker in attaching VF procedure and allocate required port representor memory structures only in switchdev mode. The reset flows triggers VF (if present) detach/attach procedure. It might involve VF port representor(s) re-creation if the device is configured is switchdev mode (not legacy one). The memory was blindly allocated in current implementation, regardless of the mode and not freed if in legacy mode. Kmemeleak trace: unreferenced object (percpu) 0x7e3bce5b888458 (size 40): comm "bash", pid 1784, jiffies 4295743894 hex dump (first 32 bytes on cpu 45): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 0): pcpu_alloc_noprof+0x4c4/0x7c0 ice_repr_create+0x66/0x130 [ice] ice_repr_create_vf+0x22/0x70 [ice] ice_eswitch_attach_vf+0x1b/0xa0 [ice] ice_reset_all_vfs+0x1dd/0x2f0 [ice] ice_pci_err_resume+0x3b/0xb0 [ice] pci_reset_function+0x8f/0x120 reset_store+0x56/0xa0 kernfs_fop_write_iter+0x120/0x1b0 vfs_write+0x31c/0x430 ksys_write+0x61/0xd0 do_syscall_64+0x5b/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Testing hints (ethX is PF netdev): - create at least one VF echo 1 > /sys/class/net/ethX/device/sriov_numvfs - trigger the reset echo 1 > /sys/class/net/ethX/device/reset | 2025-07-25 | not yet calculated | CVE-2025-38417 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Release rproc->clean_table after rproc_attach() fails When rproc->state = RPROC_DETACHED is attached to remote processor through rproc_attach(), if rproc_handle_resources() returns failure, then the clean table should be released, otherwise the following memory leak will occur. unreferenced object 0xffff000086a99800 (size 1024): comm "kworker/u12:3", pid 59, jiffies 4294893670 (age 121.140s) hex dump (first 32 bytes): 00 00 00 00 00 80 00 00 00 00 00 00 00 00 10 00 ............ 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 ............ backtrace: [<000000008bbe4ca8>] slab_post_alloc_hook+0x98/0x3fc [<000000003b8a272b>] __kmem_cache_alloc_node+0x13c/0x230 [<000000007a507c51>] __kmalloc_node_track_caller+0x5c/0x260 [<0000000037818dae>] kmemdup+0x34/0x60 [<00000000610f7f57>] rproc_boot+0x35c/0x56c [<0000000065f8871a>] rproc_add+0x124/0x17c [<00000000497416ee>] imx_rproc_probe+0x4ec/0x5d4 [<000000003bcaa37d>] platform_probe+0x68/0xd8 [<00000000771577f9>] really_probe+0x110/0x27c [<00000000531fea59>] __driver_probe_device+0x78/0x12c [<0000000080036a04>] driver_probe_device+0x3c/0x118 [<000000007e0bddcb>] __device_attach_driver+0xb8/0xf8 [<000000000cf1fa33>] bus_for_each_drv+0x84/0xe4 [<000000001a53b53e>] __device_attach+0xfc/0x18c [<00000000d1a2a32c>] device_initial_probe+0x14/0x20 [<00000000d8f8b7ae>] bus_probe_device+0xb0/0xb4 unreferenced object 0xffff0000864c9690 (size 16): | 2025-07-25 | not yet calculated | CVE-2025-38418 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() When rproc->state = RPROC_DETACHED and rproc_attach() is used to attach to the remote processor, if rproc_handle_resources() returns a failure, the resources allocated by imx_rproc_prepare() should be released, otherwise the following memory leak will occur. Since almost the same thing is done in imx_rproc_prepare() and rproc_resource_cleanup(), Function rproc_resource_cleanup() is able to deal with empty lists so it is better to fix the "goto" statements in rproc_attach(). replace the "unprepare_device" goto statement with "clean_up_resources" and get rid of the "unprepare_device" label. unreferenced object 0xffff0000861c5d00 (size 128): comm "kworker/u12:3", pid 59, jiffies 4294893509 (age 149.220s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 02 88 00 00 00 00 00 00 10 00 00 00 00 00 ............ backtrace: [<00000000f949fe18>] slab_post_alloc_hook+0x98/0x37c [<00000000adbfb3e7>] __kmem_cache_alloc_node+0x138/0x2e0 [<00000000521c0345>] kmalloc_trace+0x40/0x158 [<000000004e330a49>] rproc_mem_entry_init+0x60/0xf8 [<000000002815755e>] imx_rproc_prepare+0xe0/0x180 [<0000000003f61b4e>] rproc_boot+0x2ec/0x528 [<00000000e7e994ac>] rproc_add+0x124/0x17c [<0000000048594076>] imx_rproc_probe+0x4ec/0x5d4 [<00000000efc298a1>] platform_probe+0x68/0xd8 [<00000000110be6fe>] really_probe+0x110/0x27c [<00000000e245c0ae>] __driver_probe_device+0x78/0x12c [<00000000f61f6f5e>] driver_probe_device+0x3c/0x118 [<00000000a7874938>] __device_attach_driver+0xb8/0xf8 [<0000000065319e69>] bus_for_each_drv+0x84/0xe4 [<00000000db3eb243>] __device_attach+0xfc/0x18c [<0000000072e4e1a4>] device_initial_probe+0x14/0x20 | 2025-07-25 | not yet calculated | CVE-2025-38419 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: carl9170: do not ping device which has failed to load firmware Syzkaller reports [1, 2] crashes caused by an attempts to ping the device which has failed to load firmware. Since such a device doesn't pass 'ieee80211_register_hw()', an internal workqueue managed by 'ieee80211_queue_work()' is not yet created and an attempt to queue work on it causes null-ptr-deref. [1] https://syzkaller.appspot.com/bug?extid=9a4aec827829942045ff [2] https://syzkaller.appspot.com/bug?extid=0d8afba53e8fb2633217 | 2025-07-25 | not yet calculated | CVE-2025-38420 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd: pmf: Use device managed allocations If setting up smart PC fails for any reason then this can lead to a double free when unloading amd-pmf. This is because dev->buf was freed but never set to NULL and is again freed in amd_pmf_remove(). To avoid subtle allocation bugs in failures leading to a double free change all allocations into device managed allocations. | 2025-07-25 | not yet calculated | CVE-2025-38421 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices Maximum OTP and EEPROM size for hearthstone PCI1xxxx devices are 8 Kb and 64 Kb respectively. Adjust max size definitions and return correct EEPROM length based on device. Also prevent out-of-bound read/write. | 2025-07-25 | not yet calculated | CVE-2025-38422 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd9375: Fix double free of regulator supplies Driver gets regulator supplies in probe path with devm_regulator_bulk_get(), so should not call regulator_bulk_free() in error and remove paths to avoid double free. | 2025-07-25 | not yet calculated | CVE-2025-38423 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf: Fix sample vs do_exit() Baisheng Gao reported an ARM64 crash, which Mark decoded as being a synchronous external abort -- most likely due to trying to access MMIO in bad ways. The crash further shows perf trying to do a user stack sample while in exit_mmap()'s tlb_finish_mmu() -- i.e. while tearing down the address space it is trying to access. It turns out that we stop perf after we tear down the userspace mm; a receipie for disaster, since perf likes to access userspace for various reasons. Flip this order by moving up where we stop perf in do_exit(). Additionally, harden PERF_SAMPLE_CALLCHAIN and PERF_SAMPLE_STACK_USER to abort when the current task does not have an mm (exit_mm() makes sure to set current->mm = NULL; before commencing with the actual teardown). Such that CPU wide events don't trip on this same problem. | 2025-07-25 | not yet calculated | CVE-2025-38424 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i2c: tegra: check msg length in SMBUS block read For SMBUS block read, do not continue to read if the message length passed from the device is '0' or greater than the maximum allowed bytes. | 2025-07-25 | not yet calculated | CVE-2025-38425 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Add basic validation for RAS header If RAS header read from EEPROM is corrupted, it could result in trying to allocate huge memory for reading the records. Add some validation to header fields. | 2025-07-25 | not yet calculated | CVE-2025-38426 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: video: screen_info: Relocate framebuffers behind PCI bridges Apply PCI host-bridge window offsets to screen_info framebuffers. Fixes invalid access to I/O memory. Resources behind a PCI host bridge can be relocated by a certain offset in the kernel's CPU address range used for I/O. The framebuffer memory range stored in screen_info refers to the CPU addresses as seen during boot (where the offset is 0). During boot up, firmware may assign a different memory offset to the PCI host bridge and thereby relocating the framebuffer address of the PCI graphics device as seen by the kernel. The information in screen_info must be updated as well. The helper pcibios_bus_to_resource() performs the relocation of the screen_info's framebuffer resource (given in PCI bus addresses). The result matches the I/O-memory resource of the PCI graphics device (given in CPU addresses). As before, we store away the information necessary to later update the information in screen_info itself. Commit 78aa89d1dfba ("firmware/sysfb: Update screen_info for relocated EFI framebuffers") added the code for updating screen_info. It is based on similar functionality that pre-existed in efifb. Efifb uses a pointer to the PCI resource, while the newer code does a memcpy of the region. Hence efifb sees any updates to the PCI resource and avoids the issue. v3: - Only use struct pci_bus_region for PCI bus addresses (Bjorn) - Clarify address semantics in commit messages and comments (Bjorn) v2: - Fixed tags (Takashi, Ivan) - Updated information on efifb | 2025-07-25 | not yet calculated | CVE-2025-38427 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: ims-pcu - check record size in ims_pcu_flash_firmware() The "len" variable comes from the firmware and we generally do trust firmware, but it's always better to double check. If the "len" is too large it could result in memory corruption when we do "memcpy(fragment->data, rec->data, len);" | 2025-07-25 | not yet calculated | CVE-2025-38428 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bus: mhi: ep: Update read pointer only after buffer is written Inside mhi_ep_ring_add_element, the read pointer (rd_offset) is updated before the buffer is written, potentially causing race conditions where the host sees an updated read pointer before the buffer is actually written. Updating rd_offset prematurely can lead to the host accessing an uninitialized or incomplete element, resulting in data corruption. Invoke the buffer write before updating rd_offset to ensure the element is fully written before signaling its availability. | 2025-07-25 | not yet calculated | CVE-2025-38429 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request If the request being processed is not a v4 compound request, then examining the cstate can have undefined results. This patch adds a check that the rpc procedure being executed (rq_procinfo) is the NFSPROC4_COMPOUND procedure. | 2025-07-25 | not yet calculated | CVE-2025-38430 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix regression with native SMB symlinks Some users and customers reported that their backup/copy tools started to fail when the directory being copied contained symlink targets that the client couldn't parse - even when those symlinks weren't followed. Fix this by allowing lstat(2) and readlink(2) to succeed even when the client can't resolve the symlink target, restoring old behavior. | 2025-07-25 | not yet calculated | CVE-2025-38431 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: netpoll: Initialize UDP checksum field before checksumming commit f1fce08e63fe ("netpoll: Eliminate redundant assignment") removed the initialization of the UDP checksum, which was wrong and broke netpoll IPv6 transmission due to bad checksumming. udph->check needs to be set before calling csum_ipv6_magic(). | 2025-07-25 | not yet calculated | CVE-2025-38432 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: riscv: fix runtime constant support for nommu kernels the `__runtime_fixup_32` function does not handle the case where `val` is zero correctly (as might occur when patching a nommu kernel and referring to a physical address below the 4GiB boundary whose upper 32 bits are all zero) because nothing in the existing logic prevents the code from taking the `else` branch of both nop-checks and emitting two `nop` instructions. This leaves random garbage in the register that is supposed to receive the upper 32 bits of the pointer instead of zero that when combined with the value for the lower 32 bits yields an invalid pointer and causes a kernel panic when that pointer is eventually accessed. The author clearly considered the fact that if the `lui` is converted into a `nop` that the second instruction needs to be adjusted to become an `li` instead of an `addi`, hence introducing the `addi_insn_mask` variable, but didn't follow that logic through fully to the case where the `else` branch executes. To fix it just adjust the logic to ensure that the second `else` branch is not taken if the first instruction will be patched to a `nop`. | 2025-07-25 | not yet calculated | CVE-2025-38433 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Revert "riscv: Define TASK_SIZE_MAX for __access_ok()" This reverts commit ad5643cf2f69 ("riscv: Define TASK_SIZE_MAX for __access_ok()"). This commit changes TASK_SIZE_MAX to be LONG_MAX to optimize access_ok(), because the previous TASK_SIZE_MAX (default to TASK_SIZE) requires some computation. The reasoning was that all user addresses are less than LONG_MAX, and all kernel addresses are greater than LONG_MAX. Therefore access_ok() can filter kernel addresses. Addresses between TASK_SIZE and LONG_MAX are not valid user addresses, but access_ok() let them pass. That was thought to be okay, because they are not valid addresses at hardware level. Unfortunately, one case is missed: get_user_pages_fast() happily accepts addresses between TASK_SIZE and LONG_MAX. futex(), for instance, uses get_user_pages_fast(). This causes the problem reported by Robert [1]. Therefore, revert this commit. TASK_SIZE_MAX is changed to the default: TASK_SIZE. This unfortunately reduces performance, because TASK_SIZE is more expensive to compute compared to LONG_MAX. But correctness first, we can think about optimization later, if required. | 2025-07-25 | not yet calculated | CVE-2025-38434 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: riscv: vector: Fix context save/restore with xtheadvector Previously only v0-v7 were correctly saved/restored, and the context of v8-v31 are damanged. Correctly save/restore v8-v31 to avoid breaking userspace. | 2025-07-25 | not yet calculated | CVE-2025-38435 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/scheduler: signal scheduled fence when kill job When an entity from application B is killed, drm_sched_entity_kill() removes all jobs belonging to that entity through drm_sched_entity_kill_jobs_work(). If application A's job depends on a scheduled fence from application B's job, and that fence is not properly signaled during the killing process, application A's dependency cannot be cleared. This leads to application A hanging indefinitely while waiting for a dependency that will never be resolved. Fix this issue by ensuring that scheduled fences are properly signaled when an entity is killed, allowing dependent applications to continue execution. | 2025-07-25 | not yet calculated | CVE-2025-38436 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix potential use-after-free in oplock/lease break ack If ksmbd_iov_pin_rsp return error, use-after-free can happen by accessing opinfo->state and opinfo_put and ksmbd_fd_put could called twice. | 2025-07-25 | not yet calculated | CVE-2025-38437 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. sof_pdata->tplg_filename can have address allocated by kstrdup() and can be overwritten. Memory leak was detected with kmemleak: unreferenced object 0xffff88812391ff60 (size 16): comm "kworker/4:1", pid 161, jiffies 4294802931 hex dump (first 16 bytes): 73 6f 66 2d 68 64 61 2d 67 65 6e 65 72 69 63 00 sof-hda-generic. backtrace (crc 4bf1675c): __kmalloc_node_track_caller_noprof+0x49c/0x6b0 kstrdup+0x46/0xc0 hda_machine_select.cold+0x1de/0x12cf [snd_sof_intel_hda_generic] sof_init_environment+0x16f/0xb50 [snd_sof] sof_probe_continue+0x45/0x7c0 [snd_sof] sof_probe_work+0x1e/0x40 [snd_sof] process_one_work+0x894/0x14b0 worker_thread+0x5e5/0xfb0 kthread+0x39d/0x760 ret_from_fork+0x31/0x70 ret_from_fork_asm+0x1a/0x30 | 2025-07-25 | not yet calculated | CVE-2025-38438 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT When transmitting an XDP_REDIRECT packet, call dma_unmap_len_set() with the proper length instead of 0. This bug triggers this warning on a system with IOMMU enabled: WARNING: CPU: 36 PID: 0 at drivers/iommu/dma-iommu.c:842 __iommu_dma_unmap+0x159/0x170 RIP: 0010:__iommu_dma_unmap+0x159/0x170 Code: a8 00 00 00 00 48 c7 45 b0 00 00 00 00 48 c7 45 c8 00 00 00 00 48 c7 45 a0 ff ff ff ff 4c 89 45 b8 4c 89 45 c0 e9 77 ff ff ff <0f> 0b e9 60 ff ff ff e8 8b bf 6a 00 66 66 2e 0f 1f 84 00 00 00 00 RSP: 0018:ff22d31181150c88 EFLAGS: 00010206 RAX: 0000000000002000 RBX: 00000000e13a0000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ff22d31181150cf0 R08: ff22d31181150ca8 R09: 0000000000000000 R10: 0000000000000000 R11: ff22d311d36c9d80 R12: 0000000000001000 R13: ff13544d10645010 R14: ff22d31181150c90 R15: ff13544d0b2bac00 FS: 0000000000000000(0000) GS:ff13550908a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005be909dacff8 CR3: 0008000173408003 CR4: 0000000000f71ef0 PKRU: 55555554 Call Trace: <IRQ> ? show_regs+0x6d/0x80 ? __warn+0x89/0x160 ? __iommu_dma_unmap+0x159/0x170 ? report_bug+0x17e/0x1b0 ? handle_bug+0x46/0x90 ? exc_invalid_op+0x18/0x80 ? asm_exc_invalid_op+0x1b/0x20 ? __iommu_dma_unmap+0x159/0x170 ? __iommu_dma_unmap+0xb3/0x170 iommu_dma_unmap_page+0x4f/0x100 dma_unmap_page_attrs+0x52/0x220 ? srso_alias_return_thunk+0x5/0xfbef5 ? xdp_return_frame+0x2e/0xd0 bnxt_tx_int_xdp+0xdf/0x440 [bnxt_en] __bnxt_poll_work_done+0x81/0x1e0 [bnxt_en] bnxt_poll+0xd3/0x1e0 [bnxt_en] | 2025-07-25 | not yet calculated | CVE-2025-38439 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix race between DIM disable and net_dim() There's a race between disabling DIM and NAPI callbacks using the dim pointer on the RQ or SQ. If NAPI checks the DIM state bit and sees it still set, it assumes `rq->dim` or `sq->dim` is valid. But if DIM gets disabled right after that check, the pointer might already be set to NULL, leading to a NULL pointer dereference in net_dim(). Fix this by calling `synchronize_net()` before freeing the DIM context. This ensures all in-progress NAPI callbacks are finished before the pointer is cleared. Kernel log: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... RIP: 0010:net_dim+0x23/0x190 ... Call Trace: <TASK> ? __die+0x20/0x60 ? page_fault_oops+0x150/0x3e0 ? common_interrupt+0xf/0xa0 ? sysvec_call_function_single+0xb/0x90 ? exc_page_fault+0x74/0x130 ? asm_exc_page_fault+0x22/0x30 ? net_dim+0x23/0x190 ? mlx5e_poll_ico_cq+0x41/0x6f0 [mlx5_core] ? sysvec_apic_timer_interrupt+0xb/0x90 mlx5e_handle_rx_dim+0x92/0xd0 [mlx5_core] mlx5e_napi_poll+0x2cd/0xac0 [mlx5_core] ? mlx5e_poll_ico_cq+0xe5/0x6f0 [mlx5_core] busy_poll_stop+0xa2/0x200 ? mlx5e_napi_poll+0x1d9/0xac0 [mlx5_core] ? mlx5e_trigger_irq+0x130/0x130 [mlx5_core] __napi_busy_loop+0x345/0x3b0 ? sysvec_call_function_single+0xb/0x90 ? asm_sysvec_call_function_single+0x16/0x20 ? sysvec_apic_timer_interrupt+0xb/0x90 ? pcpu_free_area+0x1e4/0x2e0 napi_busy_loop+0x11/0x20 xsk_recvmsg+0x10c/0x130 sock_recvmsg+0x44/0x70 __sys_recvfrom+0xbc/0x130 ? __schedule+0x398/0x890 __x64_sys_recvfrom+0x20/0x30 do_syscall_64+0x4c/0x100 entry_SYSCALL_64_after_hwframe+0x4b/0x53 ... ---[ end trace 0000000000000000 ]--- ... ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- | 2025-07-25 | not yet calculated | CVE-2025-38440 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() syzbot found a potential access to uninit-value in nf_flow_pppoe_proto() Blamed commit forgot the Ethernet header. BUG: KMSAN: uninit-value in nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_flow_offload_inet_hook+0x7e4/0x940 net/netfilter/nf_flow_table_inet.c:27 nf_hook_entry_hookfn include/linux/netfilter.h:157 [inline] nf_hook_slow+0xe1/0x3d0 net/netfilter/core.c:623 nf_hook_ingress include/linux/netfilter_netdev.h:34 [inline] nf_ingress net/core/dev.c:5742 [inline] __netif_receive_skb_core+0x4aff/0x70c0 net/core/dev.c:5837 __netif_receive_skb_one_core net/core/dev.c:5975 [inline] __netif_receive_skb+0xcc/0xac0 net/core/dev.c:6090 netif_receive_skb_internal net/core/dev.c:6176 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6235 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x4ee0/0x6b40 drivers/net/tun.c:1938 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1984 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xb4b/0x1580 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] | 2025-07-25 | not yet calculated | CVE-2025-38441 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: reject bs > ps block devices when THP is disabled If THP is disabled and when a block device with logical block size > page size is present, the following null ptr deref panic happens during boot: [ [13.2 mK AOSAN: null-ptr-deref in range [0x0000000000000000-0x0000000000K0 0 0[07] [ 13.017749] RIP: 0010:create_empty_buffers+0x3b/0x380 <snip> [ 13.025448] Call Trace: [ 13.025692] <TASK> [ 13.025895] block_read_full_folio+0x610/0x780 [ 13.026379] ? __pfx_blkdev_get_block+0x10/0x10 [ 13.027008] ? __folio_batch_add_and_move+0x1fa/0x2b0 [ 13.027548] ? __pfx_blkdev_read_folio+0x10/0x10 [ 13.028080] filemap_read_folio+0x9b/0x200 [ 13.028526] ? __pfx_filemap_read_folio+0x10/0x10 [ 13.029030] ? __filemap_get_folio+0x43/0x620 [ 13.029497] do_read_cache_folio+0x155/0x3b0 [ 13.029962] ? __pfx_blkdev_read_folio+0x10/0x10 [ 13.030381] read_part_sector+0xb7/0x2a0 [ 13.030805] read_lba+0x174/0x2c0 <snip> [ 13.045348] nvme_scan_ns+0x684/0x850 [nvme_core] [ 13.045858] ? __pfx_nvme_scan_ns+0x10/0x10 [nvme_core] [ 13.046414] ? _raw_spin_unlock+0x15/0x40 [ 13.046843] ? __switch_to+0x523/0x10a0 [ 13.047253] ? kvm_clock_get_cycles+0x14/0x30 [ 13.047742] ? __pfx_nvme_scan_ns_async+0x10/0x10 [nvme_core] [ 13.048353] async_run_entry_fn+0x96/0x4f0 [ 13.048787] process_one_work+0x667/0x10a0 [ 13.049219] worker_thread+0x63c/0xf60 As large folio support depends on THP, only allow bs > ps block devices if THP is enabled. | 2025-07-25 | not yet calculated | CVE-2025-38442 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nbd: fix uaf in nbd_genl_connect() error path There is a use-after-free issue in nbd: block nbd6: Receive control failed (result -104) block nbd6: shutting down sockets ================================================================== BUG: KASAN: slab-use-after-free in recv_work+0x694/0xa80 drivers/block/nbd.c:1022 Write of size 4 at addr ffff8880295de478 by task kworker/u33:0/67 CPU: 2 UID: 0 PID: 67 Comm: kworker/u33:0 Not tainted 6.15.0-rc5-syzkaller-00123-g2c89c1b655c0 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: nbd6-recv recv_work Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0xef/0x1a0 mm/kasan/generic.c:189 instrument_atomic_read_write include/linux/instrumented.h:96 [inline] atomic_dec include/linux/atomic/atomic-instrumented.h:592 [inline] recv_work+0x694/0xa80 drivers/block/nbd.c:1022 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> nbd_genl_connect() does not properly stop the device on certain error paths after nbd_start_device() has been called. This causes the error path to put nbd->config while recv_work continue to use the config after putting it, leading to use-after-free in recv_work. This patch moves nbd_start_device() after the backend file creation. | 2025-07-25 | not yet calculated | CVE-2025-38443 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: raid10: cleanup memleak at raid10_make_request If raid10_read_request or raid10_write_request registers a new request and the REQ_NOWAIT flag is set, the code does not free the malloc from the mempool. unreferenced object 0xffff8884802c3200 (size 192): comm "fio", pid 9197, jiffies 4298078271 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 88 41 02 00 00 00 00 00 .........A...... 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc c1a049a2): __kmalloc+0x2bb/0x450 mempool_alloc+0x11b/0x320 raid10_make_request+0x19e/0x650 [raid10] md_handle_request+0x3b3/0x9e0 __submit_bio+0x394/0x560 __submit_bio_noacct+0x145/0x530 submit_bio_noacct_nocheck+0x682/0x830 __blkdev_direct_IO_async+0x4dc/0x6b0 blkdev_read_iter+0x1e5/0x3b0 __io_read+0x230/0x1110 io_read+0x13/0x30 io_issue_sqe+0x134/0x1180 io_submit_sqes+0x48c/0xe90 __do_sys_io_uring_enter+0x574/0x8b0 do_syscall_64+0x5c/0xe0 entry_SYSCALL_64_after_hwframe+0x76/0x7e V4: changing backing tree to see if CKI tests will pass. The patch code has not changed between any versions. | 2025-07-25 | not yet calculated | CVE-2025-38444 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/raid1: Fix stack memory use after return in raid1_reshape In the raid1_reshape function, newpool is allocated on the stack and assigned to conf->r1bio_pool. This results in conf->r1bio_pool.wait.head pointing to a stack address. Accessing this address later can lead to a kernel panic. Example access path: raid1_reshape() { // newpool is on the stack mempool_t newpool, oldpool; // initialize newpool.wait.head to stack address mempool_init(&newpool, ...); conf->r1bio_pool = newpool; } raid1_read_request() or raid1_write_request() { alloc_r1bio() { mempool_alloc() { // if pool->alloc fails remove_element() { --pool->curr_nr; } } } } mempool_free() { if (pool->curr_nr < pool->min_nr) { // pool->wait.head is a stack address // wake_up() will try to access this invalid address // which leads to a kernel panic return; wake_up(&pool->wait); } } Fix: reinit conf->r1bio_pool.wait after assigning newpool. | 2025-07-25 | not yet calculated | CVE-2025-38445 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data When num_parents is 4, __clk_register() occurs an out-of-bounds when accessing parent_names member. Use ARRAY_SIZE() instead of hardcode number here. BUG: KASAN: global-out-of-bounds in __clk_register+0x1844/0x20d8 Read of size 8 at addr ffff800086988e78 by task kworker/u24:3/59 Hardware name: NXP i.MX95 19X19 board (DT) Workqueue: events_unbound deferred_probe_work_func Call trace: dump_backtrace+0x94/0xec show_stack+0x18/0x24 dump_stack_lvl+0x8c/0xcc print_report+0x398/0x5fc kasan_report+0xd4/0x114 __asan_report_load8_noabort+0x20/0x2c __clk_register+0x1844/0x20d8 clk_hw_register+0x44/0x110 __clk_hw_register_mux+0x284/0x3a8 imx95_bc_probe+0x4f4/0xa70 | 2025-07-25 | not yet calculated | CVE-2025-38446 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/rmap: fix potential out-of-bounds page table access during batched unmap As pointed out by David[1], the batched unmap logic in try_to_unmap_one() may read past the end of a PTE table when a large folio's PTE mappings are not fully contained within a single page table. While this scenario might be rare, an issue triggerable from userspace must be fixed regardless of its likelihood. This patch fixes the out-of-bounds access by refactoring the logic into a new helper, folio_unmap_pte_batch(). The new helper correctly calculates the safe batch size by capping the scan at both the VMA and PMD boundaries. To simplify the code, it also supports partial batching (i.e., any number of pages from 1 up to the calculated safe maximum), as there is no strong reason to special-case for fully mapped folios. | 2025-07-25 | not yet calculated | CVE-2025-38447 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix race condition in TTY wakeup A race condition occurs when gs_start_io() calls either gs_start_rx() or gs_start_tx(), as those functions briefly drop the port_lock for usb_ep_queue(). This allows gs_close() and gserial_disconnect() to clear port.tty and port_usb, respectively. Use the null-safe TTY Port helper function to wake up TTY. Example CPU1: CPU2: gserial_connect() // lock gs_close() // await lock gs_start_rx() // unlock usb_ep_queue() gs_close() // lock, reset port.tty and unlock gs_start_rx() // lock tty_wakeup() // NPE | 2025-07-25 | not yet calculated | CVE-2025-38448 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/gem: Acquire references on GEM handles for framebuffers A GEM handle can be released while the GEM buffer object is attached to a DRM framebuffer. This leads to the release of the dma-buf backing the buffer object, if any. [1] Trying to use the framebuffer in further mode-setting operations leads to a segmentation fault. Most easily happens with driver that use shadow planes for vmap-ing the dma-buf during a page flip. An example is shown below. [ 156.791968] ------------[ cut here ]------------ [ 156.796830] WARNING: CPU: 2 PID: 2255 at drivers/dma-buf/dma-buf.c:1527 dma_buf_vmap+0x224/0x430 [...] [ 156.942028] RIP: 0010:dma_buf_vmap+0x224/0x430 [ 157.043420] Call Trace: [ 157.045898] <TASK> [ 157.048030] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.052436] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.056836] ? show_trace_log_lvl+0x1af/0x2c0 [ 157.061253] ? drm_gem_shmem_vmap+0x74/0x710 [ 157.065567] ? dma_buf_vmap+0x224/0x430 [ 157.069446] ? __warn.cold+0x58/0xe4 [ 157.073061] ? dma_buf_vmap+0x224/0x430 [ 157.077111] ? report_bug+0x1dd/0x390 [ 157.080842] ? handle_bug+0x5e/0xa0 [ 157.084389] ? exc_invalid_op+0x14/0x50 [ 157.088291] ? asm_exc_invalid_op+0x16/0x20 [ 157.092548] ? dma_buf_vmap+0x224/0x430 [ 157.096663] ? dma_resv_get_singleton+0x6d/0x230 [ 157.101341] ? __pfx_dma_buf_vmap+0x10/0x10 [ 157.105588] ? __pfx_dma_resv_get_singleton+0x10/0x10 [ 157.110697] drm_gem_shmem_vmap+0x74/0x710 [ 157.114866] drm_gem_vmap+0xa9/0x1b0 [ 157.118763] drm_gem_vmap_unlocked+0x46/0xa0 [ 157.123086] drm_gem_fb_vmap+0xab/0x300 [ 157.126979] drm_atomic_helper_prepare_planes.part.0+0x487/0xb10 [ 157.133032] ? lockdep_init_map_type+0x19d/0x880 [ 157.137701] drm_atomic_helper_commit+0x13d/0x2e0 [ 157.142671] ? drm_atomic_nonblocking_commit+0xa0/0x180 [ 157.147988] drm_mode_atomic_ioctl+0x766/0xe40 [...] [ 157.346424] ---[ end trace 0000000000000000 ]--- Acquiring GEM handles for the framebuffer's GEM buffer objects prevents this from happening. The framebuffer's cleanup later puts the handle references. Commit 1a148af06000 ("drm/gem-shmem: Use dma_buf from GEM object instance") triggers the segmentation fault easily by using the dma-buf field more widely. The underlying issue with reference counting has been present before. v2: - acquire the handle instead of the BO (Christian) - fix comment style (Christian) - drop the Fixes tag (Christian) - rename err_ gotos - add missing Link tag | 2025-07-25 | not yet calculated | CVE-2025-38449 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() Add a NULL check for msta->vif before accessing its members to prevent a kernel panic in AP mode deployment. This also fix the issue reported in [1]. The crash occurs when this function is triggered before the station is fully initialized. The call trace shows a page fault at mt7925_sta_set_decap_offload() due to accessing resources when msta->vif is NULL. Fix this by adding an early return if msta->vif is NULL and also check wcid.sta is ready. This ensures we only proceed with decap offload configuration when the station's state is properly initialized. [14739.655703] Unable to handle kernel paging request at virtual address ffffffffffffffa0 [14739.811820] CPU: 0 UID: 0 PID: 895854 Comm: hostapd Tainted: G [14739.821394] Tainted: [C]=CRAP, [O]=OOT_MODULE [14739.825746] Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT) [14739.831577] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [14739.838538] pc : mt7925_sta_set_decap_offload+0xc0/0x1b8 [mt7925_common] [14739.845271] lr : mt7925_sta_set_decap_offload+0x58/0x1b8 [mt7925_common] [14739.851985] sp : ffffffc085efb500 [14739.855295] x29: ffffffc085efb500 x28: 0000000000000000 x27: ffffff807803a158 [14739.862436] x26: ffffff8041ececb8 x25: 0000000000000001 x24: 0000000000000001 [14739.869577] x23: 0000000000000001 x22: 0000000000000008 x21: ffffff8041ecea88 [14739.876715] x20: ffffff8041c19ca0 x19: ffffff8078031fe0 x18: 0000000000000000 [14739.883853] x17: 0000000000000000 x16: ffffffe2aeac1110 x15: 000000559da48080 [14739.890991] x14: 0000000000000001 x13: 0000000000000000 x12: 0000000000000000 [14739.898130] x11: 0a10020001008e88 x10: 0000000000001a50 x9 : ffffffe26457bfa0 [14739.905269] x8 : ffffff8042013bb0 x7 : ffffff807fb6cbf8 x6 : dead000000000100 [14739.912407] x5 : dead000000000122 x4 : ffffff80780326c8 x3 : 0000000000000000 [14739.919546] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffffff8041ececb8 [14739.926686] Call trace: [14739.929130] mt7925_sta_set_decap_offload+0xc0/0x1b8 [mt7925_common] [14739.935505] ieee80211_check_fast_rx+0x19c/0x510 [mac80211] [14739.941344] _sta_info_move_state+0xe4/0x510 [mac80211] [14739.946860] sta_info_move_state+0x1c/0x30 [mac80211] [14739.952116] sta_apply_auth_flags.constprop.0+0x90/0x1b0 [mac80211] [14739.958708] sta_apply_parameters+0x234/0x5e0 [mac80211] [14739.964332] ieee80211_add_station+0xdc/0x190 [mac80211] [14739.969950] nl80211_new_station+0x46c/0x670 [cfg80211] [14739.975516] genl_family_rcv_msg_doit+0xdc/0x150 [14739.980158] genl_rcv_msg+0x218/0x298 [14739.983830] netlink_rcv_skb+0x64/0x138 [14739.987670] genl_rcv+0x40/0x60 [14739.990816] netlink_unicast+0x314/0x380 [14739.994742] netlink_sendmsg+0x198/0x3f0 [14739.998664] __sock_sendmsg+0x64/0xc0 [14740.002324] ____sys_sendmsg+0x260/0x298 [14740.006242] ___sys_sendmsg+0xb4/0x110 | 2025-07-25 | not yet calculated | CVE-2025-38450 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: md/md-bitmap: fix GPF in bitmap_get_stats() The commit message of commit 6ec1f0239485 ("md/md-bitmap: fix stats collection for external bitmaps") states: Remove the external bitmap check as the statistics should be available regardless of bitmap storage location. Return -EINVAL only for invalid bitmap with no storage (neither in superblock nor in external file). But, the code does not adhere to the above, as it does only check for a valid super-block for "internal" bitmaps. Hence, we observe: Oops: GPF, probably for non-canonical address 0x1cd66f1f40000028 RIP: 0010:bitmap_get_stats+0x45/0xd0 Call Trace: seq_read_iter+0x2b9/0x46a seq_read+0x12f/0x180 proc_reg_read+0x57/0xb0 vfs_read+0xf6/0x380 ksys_read+0x6d/0xf0 do_syscall_64+0x8c/0x1b0 entry_SYSCALL_64_after_hwframe+0x76/0x7e We fix this by checking the existence of a super-block for both the internal and external case. | 2025-07-25 | not yet calculated | CVE-2025-38451 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe() Add check for the return value of rcar_gen4_ptp_alloc() to prevent potential null pointer dereference. | 2025-07-25 | not yet calculated | CVE-2025-38452 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU syzbot reports that defer/local task_work adding via msg_ring can hit a request that has been freed: CPU: 1 UID: 0 PID: 19356 Comm: iou-wrk-19354 Not tainted 6.16.0-rc4-syzkaller-00108-g17bbde2e1716 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 io_req_local_work_add io_uring/io_uring.c:1184 [inline] __io_req_task_work_add+0x589/0x950 io_uring/io_uring.c:1252 io_msg_remote_post io_uring/msg_ring.c:103 [inline] io_msg_data_remote io_uring/msg_ring.c:133 [inline] __io_msg_ring_data+0x820/0xaa0 io_uring/msg_ring.c:151 io_msg_ring_data io_uring/msg_ring.c:173 [inline] io_msg_ring+0x134/0xa00 io_uring/msg_ring.c:314 __io_issue_sqe+0x17e/0x4b0 io_uring/io_uring.c:1739 io_issue_sqe+0x165/0xfd0 io_uring/io_uring.c:1762 io_wq_submit_work+0x6e9/0xb90 io_uring/io_uring.c:1874 io_worker_handle_work+0x7cd/0x1180 io_uring/io-wq.c:642 io_wq_worker+0x42f/0xeb0 io_uring/io-wq.c:696 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> which is supposed to be safe with how requests are allocated. But msg ring requests alloc and free on their own, and hence must defer freeing to a sane time. Add an rcu_head and use kfree_rcu() in both spots where requests are freed. Only the one in io_msg_tw_complete() is strictly required as it has been visible on the other ring, but use it consistently in the other spot as well. This should not cause any other issues outside of KASAN rightfully complaining about it. | 2025-07-25 | not yet calculated | CVE-2025-38453 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() Use pr_warn() instead of dev_warn() when 'pdev' is NULL to avoid a potential NULL pointer dereference. | 2025-07-25 | not yet calculated | CVE-2025-38454 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight Reject migration of SEV{-ES} state if either the source or destination VM is actively creating a vCPU, i.e. if kvm_vm_ioctl_create_vcpu() is in the section between incrementing created_vcpus and online_vcpus. The bulk of vCPU creation runs _outside_ of kvm->lock to allow creating multiple vCPUs in parallel, and so sev_info.es_active can get toggled from false=>true in the destination VM after (or during) svm_vcpu_create(), resulting in an SEV{-ES} VM effectively having a non-SEV{-ES} vCPU. The issue manifests most visibly as a crash when trying to free a vCPU's NULL VMSA page in an SEV-ES VM, but any number of things can go wrong. BUG: unable to handle page fault for address: ffffebde00000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP KASAN NOPTI CPU: 227 UID: 0 PID: 64063 Comm: syz.5.60023 Tainted: G U O 6.15.0-smp-DEV #2 NONE Tainted: [U]=USER, [O]=OOT_MODULE Hardware name: Google, Inc. Arcadia_IT_80/Arcadia_IT_80, BIOS 12.52.0-0 10/28/2024 RIP: 0010:constant_test_bit arch/x86/include/asm/bitops.h:206 [inline] RIP: 0010:arch_test_bit arch/x86/include/asm/bitops.h:238 [inline] RIP: 0010:_test_bit include/asm-generic/bitops/instrumented-non-atomic.h:142 [inline] RIP: 0010:PageHead include/linux/page-flags.h:866 [inline] RIP: 0010:___free_pages+0x3e/0x120 mm/page_alloc.c:5067 Code: <49> f7 06 40 00 00 00 75 05 45 31 ff eb 0c 66 90 4c 89 f0 4c 39 f0 RSP: 0018:ffff8984551978d0 EFLAGS: 00010246 RAX: 0000777f80000001 RBX: 0000000000000000 RCX: ffffffff918aeb98 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffffebde00000000 RBP: 0000000000000000 R08: ffffebde00000007 R09: 1ffffd7bc0000000 R10: dffffc0000000000 R11: fffff97bc0000001 R12: dffffc0000000000 R13: ffff8983e19751a8 R14: ffffebde00000000 R15: 1ffffd7bc0000000 FS: 0000000000000000(0000) GS:ffff89ee661d3000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffebde00000000 CR3: 000000793ceaa000 CR4: 0000000000350ef0 DR0: 0000000000000000 DR1: 0000000000000b5f DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Call Trace: <TASK> sev_free_vcpu+0x413/0x630 arch/x86/kvm/svm/sev.c:3169 svm_vcpu_free+0x13a/0x2a0 arch/x86/kvm/svm/svm.c:1515 kvm_arch_vcpu_destroy+0x6a/0x1d0 arch/x86/kvm/x86.c:12396 kvm_vcpu_destroy virt/kvm/kvm_main.c:470 [inline] kvm_destroy_vcpus+0xd1/0x300 virt/kvm/kvm_main.c:490 kvm_arch_destroy_vm+0x636/0x820 arch/x86/kvm/x86.c:12895 kvm_put_kvm+0xb8e/0xfb0 virt/kvm/kvm_main.c:1310 kvm_vm_release+0x48/0x60 virt/kvm/kvm_main.c:1369 __fput+0x3e4/0x9e0 fs/file_table.c:465 task_work_run+0x1a9/0x220 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0x7f0/0x25b0 kernel/exit.c:953 do_group_exit+0x203/0x2d0 kernel/exit.c:1102 get_signal+0x1357/0x1480 kernel/signal.c:3034 arch_do_signal_or_restart+0x40/0x690 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x67/0xb0 kernel/entry/common.c:218 do_syscall_64+0x7c/0x150 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f87a898e969 </TASK> Modules linked in: gq(O) gsmi: Log Shutdown Reason 0x03 CR2: ffffebde00000000 ---[ end trace 0000000000000000 ]--- Deliberately don't check for a NULL VMSA when freeing the vCPU, as crashing the host is likely desirable due to the VMSA being consumed by hardware. E.g. if KVM manages to allow VMRUN on the vCPU, hardware may read/write a bogus VMSA page. Accessing P ---truncated--- | 2025-07-25 | not yet calculated | CVE-2025-38455 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() The "intf" list iterator is an invalid pointer if the correct "intf->intf_num" is not found. Calling atomic_dec(&intf->nr_users) on and invalid pointer will lead to memory corruption. We don't really need to call atomic_dec() if we haven't called atomic_add_return() so update the if (intf->in_shutdown) path as well. | 2025-07-25 | not yet calculated | CVE-2025-38456 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: Abort __tc_modify_qdisc if parent class does not exist Lion's patch [1] revealed an ancient bug in the qdisc API. Whenever a user creates/modifies a qdisc specifying as a parent another qdisc, the qdisc API will, during grafting, detect that the user is not trying to attach to a class and reject. However grafting is performed after qdisc_create (and thus the qdiscs' init callback) is executed. In qdiscs that eventually call qdisc_tree_reduce_backlog during init or change (such as fq, hhf, choke, etc), an issue arises. For example, executing the following commands: sudo tc qdisc add dev lo root handle a: htb default 2 sudo tc qdisc add dev lo parent a: handle beef fq Qdiscs such as fq, hhf, choke, etc unconditionally invoke qdisc_tree_reduce_backlog() in their control path init() or change() which then causes a failure to find the child class; however, that does not stop the unconditional invocation of the assumed child qdisc's qlen_notify with a null class. All these qdiscs make the assumption that class is non-null. The solution is ensure that qdisc_leaf() which looks up the parent class, and is invoked prior to qdisc_create(), should return failure on not finding the class. In this patch, we leverage qdisc_leaf to return ERR_PTRs whenever the parentid doesn't correspond to a class, so that we can detect it earlier on and abort before qdisc_create is called. [1] https://lore.kernel.org/netdev/d912cbd7-193b-4269-9857-525bee8bbb6a@gmail.com/ | 2025-07-25 | not yet calculated | CVE-2025-38457 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix NULL pointer dereference in vcc_sendmsg() atmarpd_dev_ops does not implement the send method, which may cause crash as bellow. BUG: kernel NULL pointer dereference, address: 0000000000000000 PGD 0 P4D 0 Oops: Oops: 0010 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5324 Comm: syz.0.0 Not tainted 6.15.0-rc6-syzkaller-00346-g5723cc3450bc #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:0x0 Code: Unable to access opcode bytes at 0xffffffffffffffd6. RSP: 0018:ffffc9000d3cf778 EFLAGS: 00010246 RAX: 1ffffffff1910dd1 RBX: 00000000000000c0 RCX: dffffc0000000000 RDX: ffffc9000dc82000 RSI: ffff88803e4c4640 RDI: ffff888052cd0000 RBP: ffffc9000d3cf8d0 R08: ffff888052c9143f R09: 1ffff1100a592287 R10: dffffc0000000000 R11: 0000000000000000 R12: 1ffff92001a79f00 R13: ffff888052cd0000 R14: ffff88803e4c4640 R15: ffffffff8c886e88 FS: 00007fbc762566c0(0000) GS:ffff88808d6c2000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffffffffd6 CR3: 0000000041f1b000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> vcc_sendmsg+0xa10/0xc50 net/atm/common.c:644 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 ____sys_sendmsg+0x52d/0x830 net/socket.c:2566 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2620 __sys_sendmmsg+0x227/0x430 net/socket.c:2709 __do_sys_sendmmsg net/socket.c:2736 [inline] __se_sys_sendmmsg net/socket.c:2733 [inline] __x64_sys_sendmmsg+0xa0/0xc0 net/socket.c:2733 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf6/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2025-07-25 | not yet calculated | CVE-2025-38458 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix infinite recursive call of clip_push(). syzbot reported the splat below. [0] This happens if we call ioctl(ATMARP_MKIP) more than once. During the first call, clip_mkip() sets clip_push() to vcc->push(), and the second call copies it to clip_vcc->old_push(). Later, when the socket is close()d, vcc_destroy_socket() passes NULL skb to clip_push(), which calls clip_vcc->old_push(), triggering the infinite recursion. Let's prevent the second ioctl(ATMARP_MKIP) by checking vcc->user_back, which is allocated by the first call as clip_vcc. Note also that we use lock_sock() to prevent racy calls. [0]: BUG: TASK stack guard page was hit at ffffc9000d66fff8 (stack is ffffc9000d670000..ffffc9000d678000) Oops: stack guard page: 0000 [#1] SMP KASAN NOPTI CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.16.0-rc4-syzkaller #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:clip_push+0x5/0x720 net/atm/clip.c:191 Code: e0 8f aa 8c e8 1c ad 5b fa eb ae 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 <41> 57 41 56 41 55 41 54 53 48 83 ec 20 48 89 f3 49 89 fd 48 bd 00 RSP: 0018:ffffc9000d670000 EFLAGS: 00010246 RAX: 1ffff1100235a4a5 RBX: ffff888011ad2508 RCX: ffff8880003c0000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888037f01000 RBP: dffffc0000000000 R08: ffffffff8fa104f7 R09: 1ffffffff1f4209e R10: dffffc0000000000 R11: ffffffff8a99b300 R12: ffffffff8a99b300 R13: ffff888037f01000 R14: ffff888011ad2500 R15: ffff888037f01578 FS: 000055557ab6d500(0000) GS:ffff88808d250000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffc9000d66fff8 CR3: 0000000043172000 CR4: 0000000000352ef0 Call Trace: <TASK> clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 ... clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 clip_push+0x6dc/0x720 net/atm/clip.c:200 vcc_destroy_socket net/atm/common.c:183 [inline] vcc_release+0x157/0x460 net/atm/common.c:205 __sock_release net/socket.c:647 [inline] sock_close+0xc0/0x240 net/socket.c:1391 __fput+0x449/0xa70 fs/file_table.c:465 task_work_run+0x1d1/0x260 kernel/task_work.c:227 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline] exit_to_user_mode_loop+0xec/0x110 kernel/entry/common.c:114 exit_to_user_mode_prepare include/linux/entry-common.h:330 [inline] syscall_exit_to_user_mode_work include/linux/entry-common.h:414 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:449 [inline] do_syscall_64+0x2bd/0x3b0 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7ff31c98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fffb5aa1f78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 RAX: 0000000000000000 RBX: 0000000000012747 RCX: 00007ff31c98e929 RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 RBP: 00007ff31cbb7ba0 R08: 0000000000000001 R09: 0000000db5aa226f R10: 00007ff31c7ff030 R11: 0000000000000246 R12: 00007ff31cbb608c R13: 00007ff31cbb6080 R14: ffffffffffffffff R15: 00007fffb5aa2090 </TASK> Modules linked in: | 2025-07-25 | not yet calculated | CVE-2025-38459 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix potential null-ptr-deref in to_atmarpd(). atmarpd is protected by RTNL since commit f3a0592b37b8 ("[ATM]: clip causes unregister hang"). However, it is not enough because to_atmarpd() is called without RTNL, especially clip_neigh_solicit() / neigh_ops->solicit() is unsleepable. Also, there is no RTNL dependency around atmarpd. Let's use a private mutex and RCU to protect access to atmarpd in to_atmarpd(). | 2025-07-25 | not yet calculated | CVE-2025-38460 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_* TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport(); add a lockdep assert. BUG: unable to handle page fault for address: fffffbfff8056000 Oops: Oops: 0000 [#1] SMP KASAN RIP: 0010:vsock_assign_transport+0x366/0x600 Call Trace: vsock_connect+0x59c/0xc40 __sys_connect+0xe8/0x100 __x64_sys_connect+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 | 2025-07-25 | not yet calculated | CVE-2025-38461 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport_{g2h,h2g} TOCTOU vsock_find_cid() and vsock_dev_do_ioctl() may race with module unload. transport_{g2h,h2g} may become NULL after the NULL check. Introduce vsock_transport_local_cid() to protect from a potential null-ptr-deref. KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_find_cid+0x47/0x90 Call Trace: __vsock_bind+0x4b2/0x720 vsock_bind+0x90/0xe0 __sys_bind+0x14d/0x1e0 __x64_sys_bind+0x6e/0xc0 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 KASAN: null-ptr-deref in range [0x0000000000000118-0x000000000000011f] RIP: 0010:vsock_dev_do_ioctl.isra.0+0x58/0xf0 Call Trace: __x64_sys_ioctl+0x12d/0x190 do_syscall_64+0x92/0x1c0 entry_SYSCALL_64_after_hwframe+0x4b/0x53 | 2025-07-25 | not yet calculated | CVE-2025-38462 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tcp: Correct signedness in skb remaining space calculation Syzkaller reported a bug [1] where sk->sk_forward_alloc can overflow. When we send data, if an skb exists at the tail of the write queue, the kernel will attempt to append the new data to that skb. However, the code that checks for available space in the skb is flawed: ''' copy = size_goal - skb->len ''' The types of the variables involved are: ''' copy: ssize_t (s64 on 64-bit systems) size_goal: int skb->len: unsigned int ''' Due to C's type promotion rules, the signed size_goal is converted to an unsigned int to match skb->len before the subtraction. The result is an unsigned int. When this unsigned int result is then assigned to the s64 copy variable, it is zero-extended, preserving its non-negative value. Consequently, copy is always >= 0. Assume we are sending 2GB of data and size_goal has been adjusted to a value smaller than skb->len. The subtraction will result in copy holding a very large positive integer. In the subsequent logic, this large value is used to update sk->sk_forward_alloc, which can easily cause it to overflow. The syzkaller reproducer uses TCP_REPAIR to reliably create this condition. However, this can also occur in real-world scenarios. The tcp_bound_to_half_wnd() function can also reduce size_goal to a small value. This would cause the subsequent tcp_wmem_schedule() to set sk->sk_forward_alloc to a value close to INT_MAX. Further memory allocation requests would then cause sk_forward_alloc to wrap around and become negative. [1]: https://syzkaller.appspot.com/bug?extid=de6565462ab540f50e47 | 2025-07-25 | not yet calculated | CVE-2025-38463 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tipc: Fix use-after-free in tipc_conn_close(). syzbot reported a null-ptr-deref in tipc_conn_close() during netns dismantle. [0] tipc_topsrv_stop() iterates tipc_net(net)->topsrv->conn_idr and calls tipc_conn_close() for each tipc_conn. The problem is that tipc_conn_close() is called after releasing the IDR lock. At the same time, there might be tipc_conn_recv_work() running and it could call tipc_conn_close() for the same tipc_conn and release its last ->kref. Once we release the IDR lock in tipc_topsrv_stop(), there is no guarantee that the tipc_conn is alive. Let's hold the ref before releasing the lock and put the ref after tipc_conn_close() in tipc_topsrv_stop(). [0]: BUG: KASAN: use-after-free in tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 Read of size 8 at addr ffff888099305a08 by task kworker/u4:3/435 CPU: 0 PID: 435 Comm: kworker/u4:3 Not tainted 4.19.204-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2ef lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1b9 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 tipc_conn_close+0x122/0x140 net/tipc/topsrv.c:165 tipc_topsrv_stop net/tipc/topsrv.c:701 [inline] tipc_topsrv_exit_net+0x27b/0x5c0 net/tipc/topsrv.c:722 ops_exit_list+0xa5/0x150 net/core/net_namespace.c:153 cleanup_net+0x3b4/0x8b0 net/core/net_namespace.c:553 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Allocated by task 23: kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] tipc_conn_alloc+0x43/0x4f0 net/tipc/topsrv.c:192 tipc_topsrv_accept+0x1b5/0x280 net/tipc/topsrv.c:470 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Freed by task 23: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 tipc_conn_kref_release net/tipc/topsrv.c:150 [inline] kref_put include/linux/kref.h:70 [inline] conn_put+0x2cd/0x3a0 net/tipc/topsrv.c:155 process_one_work+0x864/0x1570 kernel/workqueue.c:2153 worker_thread+0x64c/0x1130 kernel/workqueue.c:2296 kthread+0x33f/0x460 kernel/kthread.c:259 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff888099305a00 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 8 bytes inside of 512-byte region [ffff888099305a00, ffff888099305c00) The buggy address belongs to the page: page:ffffea000264c140 count:1 mapcount:0 mapping:ffff88813bff0940 index:0x0 flags: 0xfff00000000100(slab) raw: 00fff00000000100 ffffea00028b6b88 ffffea0002cd2b08 ffff88813bff0940 raw: 0000000000000000 ffff888099305000 0000000100000006 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888099305900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff888099305a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888099305a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888099305b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb | 2025-07-25 | not yet calculated | CVE-2025-38464 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netlink: Fix wraparounds of sk->sk_rmem_alloc. Netlink has this pattern in some places if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) atomic_add(skb->truesize, &sk->sk_rmem_alloc); , which has the same problem fixed by commit 5a465a0da13e ("udp: Fix multiple wraparounds of sk->sk_rmem_alloc."). For example, if we set INT_MAX to SO_RCVBUFFORCE, the condition is always false as the two operands are of int. Then, a single socket can eat as many skb as possible until OOM happens, and we can see multiple wraparounds of sk->sk_rmem_alloc. Let's fix it by using atomic_add_return() and comparing the two variables as unsigned int. Before: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port -1668710080 0 rtnl:nl_wraparound/293 * After: [root@fedora ~]# ss -f netlink Recv-Q Send-Q Local Address:Port Peer Address:Port 2147483072 0 rtnl:nl_wraparound/290 * ^ `--- INT_MAX - 576 | 2025-07-25 | not yet calculated | CVE-2025-38465 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf: Revert to requiring CAP_SYS_ADMIN for uprobes Jann reports that uprobes can be used destructively when used in the middle of an instruction. The kernel only verifies there is a valid instruction at the requested offset, but due to variable instruction length cannot determine if this is an instruction as seen by the intended execution stream. Additionally, Mark Rutland notes that on architectures that mix data in the text segment (like arm64), a similar things can be done if the data word is 'mistaken' for an instruction. As such, require CAP_SYS_ADMIN for uprobes. | 2025-07-25 | not yet calculated | CVE-2025-38466 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling If there's support for another console device (such as a TTY serial), the kernel occasionally panics during boot. The panic message and a relevant snippet of the call stack is as follows: Unable to handle kernel NULL pointer dereference at virtual address 000000000000000 Call trace: drm_crtc_handle_vblank+0x10/0x30 (P) decon_irq_handler+0x88/0xb4 [...] Otherwise, the panics don't happen. This indicates that it's some sort of race condition. Add a check to validate if the drm device can handle vblanks before calling drm_crtc_handle_vblank() to avoid this. | 2025-07-25 | not yet calculated | CVE-2025-38467 |
| Luxion--KeyShot | Luxion KeyShot 3DM File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Luxion KeyShot. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of 3DM files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26473. | 2025-07-21 | not yet calculated | CVE-2025-7222 |
| LuxSoft--LuxCal | A reflected cross-site scripting (XSS) vulnerability was discovered in index.php on Luxcal 4.5.2 which allows an unauthenticated attacker to steal other users' data. | 2025-07-21 | not yet calculated | CVE-2020-26799 |
| marshmallow-packages--nova-tiptap | marshmallow-packages/nova-tiptap is a rich text editor for Laravel Nova based on tiptap. Prior to 5.7.0, a vulnerability was discovered in the marshmallow-packages/nova-tiptap Laravel Nova package that allows unauthenticated users to upload arbitrary files to any Laravel disk configured in the application. The vulnerability is due to missing authentication middleware (Nova and Nova.Auth) on the /nova-tiptap/api/file upload endpoint, the lack of validation on uploaded files (no MIME/type or extension restrictions), and the ability for an attacker to choose the disk parameter dynamically. This means an attacker can craft a custom form and send a POST request to /nova-tiptap/api/file, supplying a valid CSRF token, and upload executable or malicious files (e.g., .php, binaries) to public disks such as local, public, or s3. If a publicly accessible storage path is used (e.g. S3 with public access, or Laravel's public disk), the attacker may gain the ability to execute or distribute arbitrary files - amounting to a potential Remote Code Execution (RCE) vector in some environments. This vulnerability was fixed in 5.7.0. | 2025-07-21 | not yet calculated | CVE-2025-54082 |
| MicroWorld--eScan Web Management Console | A command injection vulnerability exists in the eScan Web Management Console version 5.5-2. The application fails to properly sanitize the 'pass' parameter when processing login requests to login.php, allowing an authenticated attacker with a valid username to inject arbitrary commands via a specially crafted password value. Successful exploitation results in remote code execution. Privilege escalation to root is possible by abusing the runasroot utility with mwconf-level privileges. | 2025-07-25 | not yet calculated | CVE-2014-125118 |
| Mitel--6800 Series, 6900 Series, and 6900w Series SIP Phones, 6970 Conference Unit | A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit through 6.4 SP4, could allow an unauthenticated attacker to perform a file upload attack due to missing authentication mechanisms. A successful exploit could allow an attacker to upload arbitrary WAV files, which may potentially exhaust the phone's storage without affecting the phone's availability or operation. | 2025-07-23 | not yet calculated | CVE-2025-47187 |
| mooj.org--ProFiles component for Joomla | A stored XSS vulnerability in ProFiles component 1.0-1.5.0 for Joomla was discovered. | 2025-07-23 | not yet calculated | CVE-2025-54296 |
| Mozilla--Firefox | On 64-bit platforms IonMonkey-JIT only wrote 32 bits of the 64-bit return value space on the stack. Baseline-JIT, however, read the entire 64 bits. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8027 |
| Mozilla--Firefox | On arm64, a WASM `br_table` instruction with a lot of entries could lead to the label being too far from the instruction causing truncation and incorrect computation of the branch address. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8028 |
| Mozilla--Firefox | Thunderbird executed `javascript:` URLs when used in `object` and `embed` tags. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8029 |
| Mozilla--Firefox | Insufficient escaping in the "Copy as cURL" feature could potentially be used to trick a user into executing unexpected code. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8030 |
| Mozilla--Firefox | The `username:password` part was not correctly stripped from URLs in CSP reports potentially leaking HTTP Basic Authentication credentials. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8031 |
| Mozilla--Firefox | XSLT document loading did not correctly propagate the source document which bypassed its CSP. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8032 |
| Mozilla--Firefox | The JavaScript engine did not handle closed generators correctly and it was possible to resume them leading to a nullptr deref. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8033 |
| Mozilla--Firefox | Memory safety bugs present in Firefox ESR 115.25, Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 141, Firefox ESR < 115.26, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8034 |
| Mozilla--Firefox | Memory safety bugs present in Firefox ESR 128.12, Thunderbird ESR 128.12, Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 141, Firefox ESR < 128.13, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird < 128.13, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8035 |
| Mozilla--Firefox | Thunderbird cached CORS preflight responses across IP address changes. This allowed circumventing CORS with DNS rebinding. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8036 |
| Mozilla--Firefox | Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the shadowed cookie included the `Secure` attribute. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8037 |
| Mozilla--Firefox | Thunderbird ignored paths when checking the validity of navigations in a frame. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8038 |
| Mozilla--Firefox | In some cases search terms persisted in the URL bar even after navigating away from the search page. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8039 |
| Mozilla--Firefox | Memory safety bugs present in Firefox ESR 140.0, Thunderbird ESR 140.0, Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, and Thunderbird < 140.1. | 2025-07-22 | not yet calculated | CVE-2025-8040 |
| Mozilla--Firefox | Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability affects Firefox < 141 and Thunderbird < 141. | 2025-07-22 | not yet calculated | CVE-2025-8043 |
| Mozilla--Firefox | Memory safety bugs present in Firefox 140 and Thunderbird 140. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 141 and Thunderbird < 141. | 2025-07-22 | not yet calculated | CVE-2025-8044 |
| n/a--2FAuth | A group deletion race condition in 2FAuth v5.5.0 causes data inconsistencies and orphaned accounts when a group is deleted while other operations are pending. | 2025-07-24 | not yet calculated | CVE-2025-45731 |
| n/a--AIBOX | A reflected cross-site scripting (XSS) vulnerability exists in AIBOX LLM chat (chat.aibox365.cn) through 2025-05-27, allowing attackers to hijack accounts through stolen JWT tokens. | 2025-07-22 | not yet calculated | CVE-2025-51864 |
| n/a--Chaindesk | Stored Cross-Site Scripting (XSS) vulnerability in Chaindesk thru 2025-05-26 in its agent chat component. An attacker can achieve arbitrary client-side script execution by crafting an AI agent whose system prompt instructs the underlying Large Language Model (LLM) to embed malicious script payloads (e.g., SVG-based XSS) into its chat responses. When a user interacts with such a malicious agent or accesses a direct link to a conversation containing an XSS payload, the script executes in the user's browser. Successful exploitation can lead to the theft of sensitive information, such as JWT session tokens, potentially resulting in account hijacking. | 2025-07-22 | not yet calculated | CVE-2025-51859 |
| n/a--ChatGPT Unli | Self Cross Site Scripting (XSS) vulnerability in ChatGPT Unli (ChatGPTUnli.com) thru 2025-05-26 allows attackers to execute arbitrary code via a crafted SVG file to the chat interface. | 2025-07-22 | not yet calculated | CVE-2025-51863 |
| n/a--ChatPlayground.ai | Self Cross-Site Scripting (XSS) vulnerability in ChatPlayground.ai through 2025-05-24, allows attackers to execute arbitrary code and gain sensitive information via a crafted SVG file contents sent through the chat component. | 2025-07-22 | not yet calculated | CVE-2025-51858 |
| n/a--CloudClassroom-PHP Project | CloudClassroom-PHP Project v1.0 was discovered to contain a SQL injection vulnerability via the viewid parameter. | 2025-07-25 | not yet calculated | CVE-2025-44608 |
| n/a--CodeIgniter4 | A stored cross-site scripting (XSS) vulnerability in CodeIgniter4 v4.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the debugbar_time parameter. | 2025-07-25 | not yet calculated | CVE-2025-45406 |
| n/a--Dagster | Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check. | 2025-07-22 | not yet calculated | CVE-2025-51481 |
| n/a--Deepfiction AI | Insecure Direct Object Reference (IDOR) vulnerability in Deepfiction AI (deepfiction.ai) thru June 3, 2025, allowing attackers to chat with the LLM using other users' credits via sensitive information gained by the /browse/stories endpoint. | 2025-07-22 | not yet calculated | CVE-2025-51867 |
| n/a--Dippy | Insecure Direct Object Reference (IDOR) vulnerability in Dippy (chat.dippy.ai) v2 allows attackers to gain sensitive information via the conversation_id parameter to the conversation_history endpoint. | 2025-07-21 | not yet calculated | CVE-2025-51868 |
| n/a--grav | Cross Site Scripting vulnerability in grav v.1.7.48, v.1.7.47 and v.1.7.46 allows an attacker to execute arbitrary code via the onerror attribute of the img element | 2025-07-25 | not yet calculated | CVE-2025-46198 |
| n/a--grav | Cross Site Scripting vulnerability in grav v.1.7.48 and before allows an attacker to execute arbitrary code via a crafted script to the form fields | 2025-07-25 | not yet calculated | CVE-2025-46199 |
| n/a--Headwind MDM | Headwind MDM before 5.33.1 makes configuration details accessible to unauthorized users. The Configuration profile is exposed to the Observer user role, revealing the password requires to escape out of the MDM controlled device's profile. | 2025-07-21 | not yet calculated | CVE-2025-43720 |
| n/a--Institute-of-Current-Students | A reflected cross-site scripting (XSS) vulnerability exists in Institute-of-Current-Students v1.0 via the email parameter in the /postquerypublic endpoint. The application fails to properly sanitize user input before reflecting it in the HTML response. This allows unauthenticated attackers to inject and execute arbitrary JavaScript code in the context of the victim's browser by tricking them into visiting a crafted URL or submitting a malicious form. Successful exploitation may lead to session hijacking, credential theft, or other client-side attacks. | 2025-07-25 | not yet calculated | CVE-2025-51411 |
| n/a--LBRY desktop | A URL redirection in lbry-desktop v0.53.9 allows attackers to redirect victim users to attacker-controlled pages. | 2025-07-23 | not yet calculated | CVE-2025-50477 |
| n/a--Liner | Insecure Direct Object Reference (IDOR) vulnerability in Liner thru 2025-06-03 allows attackers to gain sensitive information via crafted space_id, thread_id, and message_id parameters to the v1/space/{space_id}/thread/{thread_id}/message/{message_id} endpoint. | 2025-07-21 | not yet calculated | CVE-2025-51869 |
| n/a--Live Helper Chat | A stored cross-site scripting (XSS) vulnerability in Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Telegram Bot Username parameter. | 2025-07-21 | not yet calculated | CVE-2025-51396 |
| n/a--Live Helper Chat | A stored cross-site scripting (XSS) vulnerability in the Facebook Chat module of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Surname parameter under the Recipient' Lists. | 2025-07-21 | not yet calculated | CVE-2025-51397 |
| n/a--Live Helper Chat | A stored cross-site scripting (XSS) vulnerability in the Facebook registration page of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name parameter. | 2025-07-21 | not yet calculated | CVE-2025-51398 |
| n/a--Live Helper Chat | A stored cross-site scripting (XSS) vulnerability in the Personal Canned Messages of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. | 2025-07-21 | not yet calculated | CVE-2025-51400 |
| n/a--Live Helper Chat | A stored cross-site scripting (XSS) vulnerability in the chat transfer function of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the operator name parameter. | 2025-07-21 | not yet calculated | CVE-2025-51401 |
| n/a--Live Helper Chat | A stored cross-site scripting (XSS) vulnerability in the department assignment editing module of of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Alias Nick parameter. | 2025-07-21 | not yet calculated | CVE-2025-51403 |
| n/a--Mezzanine CMS | A cross-site scripting (XSS) vulnerability in the component /blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a blog post. | 2025-07-23 | not yet calculated | CVE-2025-50481 |
| n/a--Onyx Enterprise Edition | Authorization bypass in update_user_group in onyx-dot-app Onyx Enterprise Edition 0.27.0 allows remote authenticated attackers to modify arbitrary user groups via crafted PATCH requests to the /api/manage/admin/user-group/id endpoint, bypassing intended curator-group assignment checks. | 2025-07-22 | not yet calculated | CVE-2025-51479 |
| n/a--OpenCart | OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via the blog editor. The vulnerability arises because input in the blog's editor is not properly sanitized or escaped before being rendered. This allows attackers to inject malicious JavaScript code | 2025-07-25 | not yet calculated | CVE-2025-45892 |
| n/a--OpenCart | OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via SVG file uploads used in blog posts. The vulnerability arises because SVG files uploaded through the media manager are not properly sanitized. Attackers can craft a malicious SVG file containing embedded JavaScript | 2025-07-25 | not yet calculated | CVE-2025-45893 |
| n/a--Pinokio | A URL redirection in Pinokio v3.6.23 allows attackers to redirect victim users to attacker-controlled pages. | 2025-07-23 | not yet calculated | CVE-2025-44109 |
| n/a--RAGFlow | Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw. | 2025-07-22 | not yet calculated | CVE-2025-51462 |
| n/a--TelegAI | Stored Cross-Site Scripting (XSS) in TelegAI (telegai.com) 2025-05-26 in its chat component and character container component. An attacker can achieve arbitrary client-side script execution by crafting an AI Character with SVG XSS payloads in either description, greeting, example dialog, or system prompt(instructing the LLM to embed XSS payload in its chat response). When a user interacts with such a malicious AI Character or just browse its profile, the script executes in the user's browser. Successful exploitation can lead to the theft of sensitive information, such as session tokens, potentially resulting in account hijacking. | 2025-07-22 | not yet calculated | CVE-2025-51860 |
| n/a--TelegAI | Insecure Direct Object Reference (IDOR) vulnerability in TelegAI (telegai.com) thru 2025-05-26 in its chat component. An attacker can exploit this IDOR to tamper other users' conversation. Additionally, malicious contents and XSS payloads can be injected, leading to phishing attack, user spoofing and account hijacking via XSS. | 2025-07-22 | not yet calculated | CVE-2025-51862 |
| n/a--vBulletin | vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting system resources and crashing the forum. | 2025-07-23 | not yet calculated | CVE-2025-46171 |
| Netgear--R7000 and EAX80 | In Netgear R7000 V1.3.1.64_10.1.36 and EAX80 V1.0.1.70_1.0.2, the USERLIMIT_GLOBAL option is set to 0 in the bftpd.conf configuration file. This can cause DoS attacks when unlimited users are connected. | 2025-07-21 | not yet calculated | CVE-2025-44650 |
| Netgear--RAX30 | In Netgear RAX30 V1.0.10.94_3, the USERLIMIT_GLOBAL option is set to 0 in multiple bftpd-related configuration files. This can cause DoS attacks when unlimited users are connected. | 2025-07-21 | not yet calculated | CVE-2025-44652 |
| Netgear--RAX30 | In Netgear RAX30 V1.0.10.94, a PHP-FPM misconfiguration vulnerability is caused by not following the specification to only limit FPM to .php extensions. An attacker may exploit this by uploading malicious scripts disguised with alternate extensions and tricking the web server into executing them as PHP, bypassing security mechanisms based on file extension filtering. This may lead to remote code execution (RCE), information disclosure, or full system compromise. | 2025-07-21 | not yet calculated | CVE-2025-44658 |
| Nokia--WaveSuite NOC | The web application allows user input to pass unfiltered to a command executed on the underlying operating system. The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet. An attacker with low privileged access to the application has the potential to execute commands on the operating system under the context of the webserver. | 2025-07-21 | not yet calculated | CVE-2025-24936 |
| Nokia--WaveSuite NOC | File contents could be read from the local file system by an attacker. Additionally, malicious code could be inserted in the file, leading to a full compromise of the web application and the container it is running on. The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet. The web application allows arbitrary files to be included in a file that was downloadable and executable by the web server. | 2025-07-21 | not yet calculated | CVE-2025-24937 |
| Nokia--WaveSuite NOC | The web application allows user input to pass unfiltered to a command executed on the underlying operating system. An attacker with high privileged access (administrator) to the application has the potential execute commands on the operating system under the context of the webserver. The vulnerable component is bound to the network stack and the set of possible attackers extends up to and including the entire Internet. Has the potential to inject command while creating a new User from User Management. | 2025-07-21 | not yet calculated | CVE-2025-24938 |
| Ollama--Ollama | Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint. | 2025-07-22 | not yet calculated | CVE-2025-51471 |
| ONNX--ONNX | Path Traversal vulnerability in onnx.external_data_helper.save_external_data in ONNX 1.17.0 allows attackers to overwrite arbitrary files by supplying crafted external_data.location paths containing traversal sequences, bypassing intended directory restrictions. | 2025-07-22 | not yet calculated | CVE-2025-51480 |
| osCommerce--Online Merchant | A remote code execution vulnerability exists within osCommerce Online Merchant version 2.3.4.1 due to insecure default configuration and missing authentication in the installer workflow. By default, the /install/ directory remains accessible after installation. An unauthenticated attacker can invoke install_4.php, submit crafted POST data, and inject arbitrary PHP code into the configure.php file. When the application later includes this file, the injected payload is executed, resulting in full server-side compromise. | 2025-07-23 | not yet calculated | CVE-2018-25114 |
| ParkingDoor--ParkingDoor | Incorrect authentication vulnerability in ParkingDoor. Through this vulnerability it is possible to operate the device without the access being logged in the application and even if the access permissions have been revoked. | 2025-07-21 | not yet calculated | CVE-2025-41100 |
| PCL-Community--PCL2-CE | PCL (Plain Craft Launcher) Community Edition is a Minecraft launcher. In PCL CE versions 2.12.0-beta.5 to 2.12.0-beta.9, the login credentials used during the third-party login process are accidentally recorded in the local log file. Although the log file is not automatically uploaded or shared, if the user manually sends the log file, there is a risk of leakage. This is fixed in version 2.12.0-beta.10. | 2025-07-23 | not yet calculated | CVE-2025-54120 |
| PHProxy--PHProxy | Server-Side Request Forgery (SSRF) vulnerability exists in the URL processing functionality of PHProxy version 1.1.1 and prior. The input validation for the _proxurl parameter can be bypassed, allowing a remote, unauthenticated attacker to submit a specially crafted URL | 2025-07-21 | not yet calculated | CVE-2025-52362 |
| Pluck--CMS | In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routing logic in albums.site.php, resulting in arbitrary command execution through a GET parameter. | 2025-07-23 | not yet calculated | CVE-2025-46099 |
| RARLab--WinRAR | A filename spoofing vulnerability exists in WinRAR when opening specially crafted ZIP archives. The issue arises due to inconsistencies between the Central Directory and Local File Header entries in ZIP files. When viewed in WinRAR, the file name from the Central Directory is displayed to the user, while the file from the Local File Header is extracted and executed. An attacker can leverage this flaw to spoof filenames and trick users into executing malicious payloads under the guise of harmless files, potentially leading to remote code execution. | 2025-07-25 | not yet calculated | CVE-2014-125119 |
| rennf93--fastapi-guard | fastapi-guard is a security library for FastAPI that provides middleware to control IPs, log requests, detect penetration attempts and more. In version 3.0.1, the regular expression patched to mitigate the ReDoS vulnerability by limiting the length of string fails to catch inputs that exceed this limit. This type of patch fails to detect cases in which the string representing the attributes of a <script> tag exceeds 100 characters. As a result, most of the regex patterns present in version 3.0.1 can be bypassed. This is fixed in version 3.0.2. | 2025-07-23 | not yet calculated | CVE-2025-54365 |
| rommapp--romm | RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. In versions 4.0.0-beta.3 and below, an authenticated arbitrary file write vulnerability exists in the /api/saves endpoint. This can lead to Remote Code Execution on the system. The vulnerability permits arbitrary file write operations, allowing attackers to create or modify files at any filesystem location with user-supplied content. A user with viewer role or Scope.ASSETS_WRITE permission or above is required to pass authentication checks. The vulnerability is fixed in version 4.0.0-beta.4. | 2025-07-21 | not yet calculated | CVE-2025-54071 |
| Salesforce--Tableau Server | Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (tab-doc api modules) allows Interface Manipulation (data access to the production database cluster).This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | 2025-07-25 | not yet calculated | CVE-2025-52446 |
| Salesforce--Tableau Server | Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (set-initial-sql tabdoc command modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | 2025-07-25 | not yet calculated | CVE-2025-52447 |
| Salesforce--Tableau Server | Authorization Bypass Through User-Controlled Key vulnerability in Salesforce Tableau Server on Windows, Linux (validate-initial-sql api modules) allows Interface Manipulation (data access to the production database cluster). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | 2025-07-25 | not yet calculated | CVE-2025-52448 |
| Salesforce--Tableau Server | Unrestricted Upload of File with Dangerous Type vulnerability in Salesforce Tableau Server on Windows, Linux (Extensible Protocol Service modules) allows Alternative Execution Due to Deceptive Filenames (RCE). This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | 2025-07-25 | not yet calculated | CVE-2025-52449 |
| Salesforce--Tableau Server | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Salesforce Tableau Server on Windows, Linux (tabdoc api - duplicate-data-source modules) allows Absolute Path Traversal. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | 2025-07-25 | not yet calculated | CVE-2025-52452 |
| Salesforce--Tableau Server | Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server on Windows, Linux (Flow Data Source modules) allows Resource Location Spoofing. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | 2025-07-25 | not yet calculated | CVE-2025-52453 |
| Salesforce--Tableau Server | Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server on Windows, Linux (Amazon S3 Connector modules) allows Resource Location Spoofing. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | 2025-07-25 | not yet calculated | CVE-2025-52454 |
| Salesforce--Tableau Server | Server-Side Request Forgery (SSRF) vulnerability in Salesforce Tableau Server on Windows, Linux (EPS Server modules) allows Resource Location Spoofing. This issue affects Tableau Server: before 2025.1.3, before 2024.2.12, before 2023.3.19. | 2025-07-25 | not yet calculated | CVE-2025-52455 |
| Samsung--Security Manager | A client-side remote code execution vulnerability exists in Samsung Security Manager versions 1.32 and 1.4, due to improper restrictions on the PUT method exposed by the bundled Apache ActiveMQ instance (running on port 8161). An attacker can exploit this flaw through a Cross-Origin Resource Sharing (CORS) bypass combined with JavaScript-triggered file uploads to the web server, ultimately resulting in arbitrary code execution with SYSTEM privileges. This vulnerability bypasses the server-side mitigations introduced in ZDI-15-156 and ZDI-16-481 by shifting the exploitation to the client-side. This product is now known as Hanwha Wisenet SSM and it is unknown if current versions are affected. | 2025-07-25 | not yet calculated | CVE-2016-15046 |
| Sensaphone--WEB600 Monitoring System | Cross Site Scripting vulnerability in Sensaphone WEB600 Monitoring System v.1.6.5.H and before allows a remote attacker to execute arbitrary code via a crafted GET requests to /@.xml, placing payloads in the g7200, g7300, g4601, and g1F02 parameters. | 2025-07-21 | not yet calculated | CVE-2024-55040 |
| SIGNUM-NET--FARA | Use of hard-coded, the same among all vulnerable installations SQLite credentials vulnerability in SIGNUM-NET FARA allows to read and manipulate local-stored database.This issue affects FARA: through 5.0.80.34. | 2025-07-21 | not yet calculated | CVE-2025-4049 |
| silabs.com--OpenThread | In high traffic environments, a Silicon Labs OpenThread RCP (see impacted versions) fails to clear the SPI transmit buffer and may send a corrupt packet over SPI to its host, causing the host to reset the RCP which results in a denial of service. | 2025-07-25 | not yet calculated | CVE-2025-2329 |
| silabs.com--WiseConnect | The following APIs for the Silcon Labs SiWx91x prior to vesion 3.4.0 failed to check the size of the output buffer of the caller which could lead to data corruption on the host (Cortex-M4) application. sl_si91x_aes sl_si91x_gcm sl_si91x_ccm sl_si91x_sha | 2025-07-25 | not yet calculated | CVE-2025-3873 |
| Sitecore--Experience Manager (XM) | A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow remote code execution or unauthorized access to information. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 9.2 Initial Release through 10.4 Initial Release. PaaS and containerized solutions are similarly affected. | 2025-07-25 | not yet calculated | CVE-2025-34138 |
| Sitecore--Experience Manager (XM) | A vulnerability exists in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud that could allow an unauthenticated attacker to read arbitrary files. This vulnerability affects all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release through 10.4 Initial Release and later. This issue affects Content Management (CM) and standalone instances. PaaS and containerized solutions are also affected. | 2025-07-25 | not yet calculated | CVE-2025-34139 |
| Sitecore--Experience Platform | A cross-site scripting (XSS) vulnerability exists in Sitecore Experience Platform (XP) 7.5 - 10.2 and CMS 7.2 - 7.2 Update-6 that may allow authenticated Sitecore Shell users to be tricked into executing custom JS code. Managed Cloud Standard customers who run the affected Sitecore Experience Platform / CMS versions are also affected. | 2025-07-25 | not yet calculated | CVE-2022-4979 |
| Sitecore--Experience Platform (XP) | Sitecore Experience Platform (XP) prior to 8.0 Initial Release (rev. 141212) and Content Management System (CMS) prior to 7.2 Update-3 (rev. 141226) and prior to 7.5 Update-1 (rev. 150130) contain a vulnerability that may allow an attacker to download files under the web root of the site when the name of the file is already known via a specially-crafted URL. Affected files do not include .config, .aspx or .cs files. The issue does not allow for directory browsing. | 2025-07-25 | not yet calculated | CVE-2015-10142 |
| Sitecore--JSS React Sample Application | An information disclosure vulnerability exits in Sitecore JSS React Sample Application 11.0.0 - 14.0.1 that may cause page content intended for one user to be shown to another user. | 2025-07-25 | not yet calculated | CVE-2020-36850 |
| skops-dev--skops | skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain a inconsistency in the OperatorFuncNode which can be exploited to hide the execution of untrusted operator methods. This can then be used in a code reuse attack to invoke seemingly safe functions and escalate to arbitrary code execution with minimal and misleading trusted types. This is fixed in version 0.12.0. | 2025-07-26 | not yet calculated | CVE-2025-54412 |
| skops-dev--skops | skops is a Python library which helps users share and ship their scikit-learn based models. Versions 0.11.0 and below contain an inconsistency in MethodNode, which can be exploited to access unexpected object fields through dot notation. This can be used to achieve arbitrary code execution at load time. While this issue may seem similar to GHSA-m7f4-hrc6-fwg3, it is actually more severe, as it relies on fewer assumptions about trusted types. This is fixed in version 12.0.0. | 2025-07-26 | not yet calculated | CVE-2025-54413 |
| SKTelecom--com.skt.prod.dialer | The com.skt.prod.dialer application through 12.5.0 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.skt.prod.dialer.activities.outgoingcall.OutgoingCallInternalBroadcaster component. | 2025-07-21 | not yet calculated | CVE-2025-43977 |
| SoftPerfect Pty Ltd--Connection Quality Monitor | SoftPerfect Pty Ltd Connection Quality Monitor v1.1 was discovered to store all credentials in plaintext. | 2025-07-24 | not yet calculated | CVE-2025-45702 |
| SonicWall--SMA 100 Series | A Stack-based buffer overflow vulnerability in the SMA100 series web interface allows remote, unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution. | 2025-07-23 | not yet calculated | CVE-2025-40596 |
| SonicWall--SMA 100 Series | A Heap-based buffer overflow vulnerability in the SMA100 series web interface allows remote, unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution. | 2025-07-23 | not yet calculated | CVE-2025-40597 |
| SonicWall--SMA 100 Series | A Reflected cross-site scripting (XSS) vulnerability exists in the SMA100 series web interface, allowing a remote unauthenticated attacker to potentially execute arbitrary JavaScript code. | 2025-07-23 | not yet calculated | CVE-2025-40598 |
| SonicWall--SMA 100 Series | An authenticated arbitrary file upload vulnerability exists in the SMA 100 series web management interface. A remote attacker with administrative privileges can exploit this flaw to upload arbitrary files to the system, potentially leading to remote code execution. | 2025-07-23 | not yet calculated | CVE-2025-40599 |
| stackideas.com--Komento component for Joomla | A SQLi vulnerability in Komento component 4.0.0-4.0.7for Joomla was discovered. The issue allows unprivileged users to execute arbitrary SQL commands. | 2025-07-23 | not yet calculated | CVE-2025-54294 |
| Steppschuh--Remote Control Collection Server | Remote Control Server, maintained by Steppschuh, 3.1.1.12 allows unauthenticated remote code execution when authentication is disabled, which is the default configuration. The server exposes a custom UDP-based control protocol that accepts remote keyboard input events without verification. An attacker on the same network can issue a sequence of keystroke commands to launch a system shell and execute arbitrary commands, resulting in full system compromise. | 2025-07-23 | not yet calculated | CVE-2022-4978 |
| SUSE--openSUSE Tumbleweed | A Reliance on Untrusted Inputs in a Security Decision vulnerability in the logrotate configuration for openSUSEs mailman3 package allows potential escalation from mailman to root. This issue affects openSUSE Tumbleweed: from ? before 3.3.10-2.1. | 2025-07-23 | not yet calculated | CVE-2025-53882 |
| SYNCK GRAPHICA--Real-time Bus Tracking System | Improper validation of specified quantity in input issue exists in Real-time Bus Tracking System versions prior to 1.1. If exploited, a denial of service (DoS) condition may be caused by an attacker who can log in to the administrative page of the affected product. | 2025-07-23 | not yet calculated | CVE-2025-43881 |
| tawk.to--Live Chat | Cross Site Scripting vulnerability in tawk.to Live Chat v.1.6.1 allows a remote attacker to execute arbitrary code via the web application stores and displays user-supplied input without proper input validation or encoding | 2025-07-25 | not yet calculated | CVE-2025-45960 |
| TecharoHQ--anubis | Anubis is a Web AI Firewall Utility that weighs the soul of users' connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and below, attackers can craft malicious pass-challenge pages that cause a user to execute arbitrary JavaScript code or trigger other nonstandard schemes. An incomplete version of this fix was tagged at 1.21.2 and then the release process was aborted upon final testing. To work around this issue: block any requests to the /.within.website/x/cmd/anubis/api/pass-challenge route with the ?redir= parameter set to anything that doesn't start with the URL scheme http, https, or no scheme (local path redirect). This was fixed in version 1.21.3. | 2025-07-26 | not yet calculated | CVE-2025-54414 |
| Tenda--AC8V4 | Tenda AC8V4 V16.03.34.06` was discovered to contain stack overflow at /goform/fast_setting_wifi_set. The manipulation of the argument `timeZone` leads to stack-based buffer overflow. | 2025-07-24 | not yet calculated | CVE-2025-51082 |
| Tenda--AC8V4 | Tenda AC8V4 V16.03.34.06` was discovered to contain stack overflow at /goform/SetSysTimeCfg. The manipulation of the argument `timeZone` and `timeType` leads to stack-based buffer overflow. | 2025-07-24 | not yet calculated | CVE-2025-51085 |
| Tenda--AC8V4 | Tenda AC8V4 V16.03.34.06` was discovered to contain stack overflow at /goform/saveParentControlInfo. The manipulation of the argument time leads to stack-based buffer overflow. | 2025-07-24 | not yet calculated | CVE-2025-51087 |
| Tenda--AC8V4 | Tenda AC8V4 V16.03.34.06` was discovered to contain stack overflow at /goform/WifiGuestSet. The manipulation of the argument `shareSpeed` leads to stack-based buffer overflow. | 2025-07-24 | not yet calculated | CVE-2025-51088 |
| Tenda--AC8V4 | Tenda AC8V4 V16.03.34.06` was discovered to contain heap overflow at /goform/GetParentControlInfo.The manipulation of the argument `mac` leads to heap-based buffer overflow. | 2025-07-24 | not yet calculated | CVE-2025-51089 |
| TextNow, Inc.--com.enflick.android.tn2ndLine | The com.enflick.android.tn2ndLine application through 24.17.1.0 for Android enables any installed application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.enflick.android.TextNow.activities.DialerActivity component. | 2025-07-21 | not yet calculated | CVE-2025-43976 |
| The GNU C Library--glibc | The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by a malloc failure or by using an interposed malloc that injects random malloc failures. The double free can allow buffer manipulation depending of how the regex is constructed. This issue affects all architectures and ABIs supported by the GNU C library. | 2025-07-23 | not yet calculated | CVE-2025-8058 |
| TOTOLink--A7100RU, A950RG, and T10 | In TOTOLink A7100RU V7.4, A950RG V5.9, and T10 V5.9, the chroot_local_user option is enabled in the vsftpd.conf. This could lead to unauthorized access to system files, privilege escalation, or use of the compromised server as a pivot point for internal network attacks. | 2025-07-21 | not yet calculated | CVE-2025-44655 |
| TP-Link Systems Inc.--VIGI NVR1104H-4P V1 | A command injection vulnerability exists that can be exploited after authentication in VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2.This issue affects VIGI NVR1104H-4P V1: before 1.1.5 Build 250518; VIGI NVR2016H-16MP V2: before 1.3.1 Build 250407. | 2025-07-22 | not yet calculated | CVE-2025-7723 |
| TP-Link Systems Inc.--VIGI NVR1104H-4P V1 | An unauthenticated OS command injection vulnerability exists in VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2.This issue affects VIGI NVR1104H-4P V1: before 1.1.5 Build 250518; VIGI NVR2016H-16MP V2: before 1.3.1 Build 250407. | 2025-07-22 | not yet calculated | CVE-2025-7724 |
| TransformerOptimus --SuperAGI | Code Injection in AgentTemplate.eval_agent_config in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to execute arbitrary Python code via malicious values in agent template configurations such as the goal, constraints, or instruction field, which are evaluated using eval() without validation during template loading or updates. | 2025-07-22 | not yet calculated | CVE-2025-51472 |
| TransformerOptimus--SuperAGI | Arbitrary File Overwrite (AFO) in superagi.controllers.resources.upload in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to overwrite arbitrary files via unsanitised filenames submitted to the file upload endpoint, due to improper handling of directory traversal in os.path.join() and lack of path validation in get_root_input_dir(). | 2025-07-22 | not yet calculated | CVE-2025-51475 |
| Trellix--Trellix Endpoint Security (HX) Agent | A locally authenticated, privileged user can craft a malicious OpenSSL configuration file, potentially leading the agent to load an arbitrary local library. This may impair endpoint defenses and allow the attacker to achieve code execution with SYSTEM-level privileges. | 2025-07-21 | not yet calculated | CVE-2025-0664 |
| TRENDnet--TEW-WLC100P | In TRENDnet TEW-WLC100P 2.03b03, the i_dont_care_about_security_and_use_aggressive_mode_psk option is enabled in the strongSwan configuration file, so that IKE Responders are allowed to use IKEv1 Aggressive Mode with Pre-Shared Keys to conduct offline attacks on the openly transmitted hash of the PSK. | 2025-07-21 | not yet calculated | CVE-2025-44647 |
| TRENDnet--TEW-WLC100P | In the configuration file of racoon in the TRENDnet TEW-WLC100P 2.03b03, the first item of exchage_mode is set to aggressive. Aggressive mode in IKE Phase 1 exposes identity information in plaintext, is vulnerable to offline dictionary attacks, and lacks flexibility in negotiating security parameters. | 2025-07-21 | not yet calculated | CVE-2025-44649 |
| TRENDnet--TPL-430AP | In TRENDnet TPL-430AP FW1.0, the USERLIMIT_GLOBAL option is set to 0 in the bftpd-related configuration file. This can cause DoS attacks when unlimited users are connected. | 2025-07-21 | not yet calculated | CVE-2025-44651 |
| TryQuiet--quiet | Quiet is an alternative to team chat apps like Slack, Discord, and Element that does not require trusting a central server or running one's own. In versions 6.1.0-alpha.4 and below, Quiet's API for backend/frontend communication was using an insecure, not constant-time comparison function for token verification. This allowed for a potential timing attack where an attacker would try different token values and observe tiny differences in the response time (wrong characters fail faster) to guess the whole token one character at a time. This is fixed in version 6.0.1. | 2025-07-24 | not yet calculated | CVE-2025-53940 |
| TYPO3--Extension "femanager" | The femanager extension for TYPO3 allows Insecure Direct Object Reference resulting in unauthorized modification of userdata. This issue affects femanager version 6.4.1 and below, 7.0.0 to 7.5.2 and 8.0.0 to 8.3.0 | 2025-07-22 | not yet calculated | CVE-2025-7900 |
| TYPO3--Extension "powermail" | The powermail extension for TYPO3 allows Insecure Direct Object Reference resulting in download of arbitrary files from the webserver. This issue affects powermail version 12.0.0 up to 12.5.2 and version 13.0.0 | 2025-07-22 | not yet calculated | CVE-2025-7899 |
| Unitree Robotics--Unitree Go1 | Unitree Go1 <= Go1_2022_05_11 is vulnerale to Incorrect Access Control due to authentication credentials being hardcoded in plaintext. | 2025-07-25 | not yet calculated | CVE-2025-45466 |
| Unitree Robotics--Unitree Go1 | Unitree Go1 <= Go1_2022_05_11 is vulnerable to Insecure Permissions as the firmware update functionality (via Wi-Fi/Ethernet) implements an insecure verification mechanism that solely relies on MD5 checksums for firmware integrity validation. | 2025-07-25 | not yet calculated | CVE-2025-45467 |
| Unknown--Ajax Load More | The Ajax Load More plugin before 2.8.1.2 does not have authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber, to upload and delete arbitrary files. | 2025-07-22 | not yet calculated | CVE-2015-10140 |
| Unknown--My Reservation System | The My Reservation System WordPress plugin through 2.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-07-25 | not yet calculated | CVE-2025-7022 |
| Unknown--Qwizcards | online quizzes and flashcards | The Qwizcards | online quizzes and flashcards WordPress plugin through 3.9.4 does not sanitise and escape the "_stylesheet" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or any other user. | 2025-07-23 | not yet calculated | CVE-2025-6174 |
| Wuhan Deepin Technology Co., Ltd.--Deepin Linux | A local privilege escalation vulnerability exists in lastore-daemon, the system package manager daemon used in Deepin Linux (developed by Wuhan Deepin Technology Co., Ltd.). In versions 0.9.53-1 (Deepin 15.5) and 0.9.66-1 (Deepin 15.7), the D-Bus configuration permits any user in the sudo group to invoke the InstallPackage method without password authentication. By default, the first user created on Deepin is in the sudo group. An attacker with shell access can craft a .deb package containing a malicious post-install script and use dbus-send to install it via lastore-daemon, resulting in arbitrary code execution as root. | 2025-07-23 | not yet calculated | CVE-2016-15045 |
| Xdebug--Xdebug | An unauthenticated OS command injection vulnerability exists within Xdebug versions 2.5.5 and earlier, a PHP debugging extension developed by Derick Rethans. When remote debugging is enabled, Xdebug listens on port 9000 and accepts debugger protocol commands without authentication. An attacker can send a crafted eval command over this interface to execute arbitrary PHP code, which may invoke system-level functions such as system() or passthru(). This results in full compromise of the host under the privileges of the web server user. | 2025-07-23 | not yet calculated | CVE-2015-10141 |
| xwiki--xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2, it's possible for anyone to inject SQL using the parameter sort of the getdeleteddocuments.vm. It's injected as is as an ORDER BY value. This is fixed in versions 16.10.6 and 17.3.0-rc-1. | 2025-07-24 | not yet calculated | CVE-2025-32429 |
| xwiki--xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL's native function support in other parts of the query (such as the WHERE clause). This is fixed in versions 16.10.6 and 17.3.0-rc-1. | 2025-07-26 | not yet calculated | CVE-2025-54385 |
Vulnerability Summary for the Week of July 14, 2025
Posted on Monday July 21, 2025
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| aapanel--aapanel WP Toolkit | The aapanel WP Toolkit plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization checks within the auto_login() function in versions 1.0 to 1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to bypass all role checks and gain full admin privileges. | 2025-07-18 | 8.8 | CVE-2025-6813 |
| aaroncampbell--Attachment Manager | The Attachment Manager plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the handle_actions() function in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-07-18 | 9.1 | CVE-2025-7643 |
| Adrian Tobey--Groundhogg | Unrestricted Upload of File with Dangerous Type vulnerability in Adrian Tobey Groundhogg allows Upload a Web Shell to a Web Server. This issue affects Groundhogg: from n/a through 4.2.1. | 2025-07-16 | 9.1 | CVE-2025-48300 |
| Alcatel-Lucent--OmniAccess Stellar Products | Successful exploitation of the vulnerability could allow an attacker to inject commands with root privileges on the access point, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point. | 2025-07-16 | 9.8 | CVE-2025-52688 |
| Alcatel-Lucent--OmniAccess Stellar Products | Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point. | 2025-07-16 | 9.8 | CVE-2025-52689 |
| Alcatel-Lucent--OmniAccess Stellar Products | Successful exploitation of the vulnerability could allow an attacker to execute arbitrary commands as root, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point. | 2025-07-16 | 8.1 | CVE-2025-52690 |
| arisoft--Contact Form 7 Editor Button | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in arisoft Contact Form 7 Editor Button allows Reflected XSS. This issue affects Contact Form 7 Editor Button: from n/a through 1.0.0. | 2025-07-16 | 7.1 | CVE-2025-48345 |
| Atakan Au--Import CDN-Remote Images | Cross-Site Request Forgery (CSRF) vulnerability in Atakan Au Import CDN-Remote Images allows Stored XSS. This issue affects Import CDN-Remote Images: from n/a through 2.1.2. | 2025-07-16 | 7.1 | CVE-2025-48153 |
| August Infotech--Multi-language Responsive Contact Form | Missing Authorization vulnerability in August Infotech Multi-language Responsive Contact Form allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Multi-language Responsive Contact Form: from n/a through 2.8. | 2025-07-16 | 7.5 | CVE-2025-29000 |
| awethemes--Hillter | Deserialization of Untrusted Data vulnerability in awethemes Hillter allows Object Injection. This issue affects Hillter: from n/a through 3.0.7. | 2025-07-16 | 8.8 | CVE-2025-24777 |
| b1accounting--B1.lt | The B1.lt plugin for WordPress is vulnerable to SQL Injection due to a missing capability check on the b1_run_query AJAX action in all versions up to, and including, 2.2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute and run arbitrary SQL commands. | 2025-07-18 | 8.8 | CVE-2025-6718 |
| Bearsthemes--Alone Charity Multipurpose Non-profit WordPress Theme | The Alone - Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-07-15 | 9.1 | CVE-2025-5393 |
| Bearsthemes--Alone Charity Multipurpose Non-profit WordPress Theme | The Alone - Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution. | 2025-07-15 | 9.8 | CVE-2025-5394 |
| Bearsthemes--Bears Backup | The Bears Backup plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.0. This is due to the bbackup_ajax_handle() function not having a capability check, nor validating user supplied input passed directly to call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things. On WordPress sites running the Alone theme versions 7.8.4 and older, this can be chained with CVE-2025-5394 to install the Bears Backup plugin and achieve the same impact. | 2025-07-17 | 9.8 | CVE-2025-5396 |
| BossSoft--CRM | A vulnerability has been found in BossSoft CRM 6.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /crm/module/HNDCBas_customPrmSearchDtl.jsp. The manipulation of the argument cstid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 7.3 | CVE-2025-7801 |
| Campcodes--Online Movie Theater Seat Reservation System | A vulnerability has been found in Campcodes Online Movie Theater Seat Reservation System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/manage_seat.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 7.3 | CVE-2025-7838 |
| chainguard-dev--apko | apko allows users to build and publish OCI container images built from apk packages. Starting in version 0.27.0 and prior to version 0.29.5, critical files were inadvertently set to 0666, which could likely be abused for root escalation. Version 0.29.5 contains a fix for the issue. | 2025-07-18 | 7 | CVE-2025-53945 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device. | 2025-07-16 | 10 | CVE-2025-20337 |
| CMSJunkie - WordPress Business Directory Plugins--WP-BusinessDirectory | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory allows Blind SQL Injection. This issue affects WP-BusinessDirectory: from n/a through 3.1.3. | 2025-07-16 | 9.3 | CVE-2025-24759 |
| cmsMinds--Pay with Contact Form 7 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cmsMinds Pay with Contact Form 7 allows Reflected XSS. This issue affects Pay with Contact Form 7: from n/a through 1.0.4. | 2025-07-16 | 7.1 | CVE-2025-52777 |
| code-projects--AVL Rooms | A vulnerability was found in code-projects AVL Rooms 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /profile.php. The manipulation of the argument first_name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.3 | CVE-2025-7605 |
| code-projects--AVL Rooms | A vulnerability classified as critical has been found in code-projects AVL Rooms 1.0. This affects an unknown part of the file /city.php. The manipulation of the argument city leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.3 | CVE-2025-7606 |
| code-projects--Church Donation System | A vulnerability was found in code-projects Church Donation System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /login.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 7.3 | CVE-2025-7829 |
| code-projects--Church Donation System | A vulnerability was found in code-projects Church Donation System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /reg.php. The manipulation of the argument mobile leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-19 | 7.3 | CVE-2025-7830 |
| code-projects--Church Donation System | A vulnerability classified as critical has been found in code-projects Church Donation System 1.0. This affects an unknown part of the file /members/Tithes.php. The manipulation of the argument trcode leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 7.3 | CVE-2025-7831 |
| code-projects--Church Donation System | A vulnerability classified as critical was found in code-projects Church Donation System 1.0. This vulnerability affects unknown code of the file /members/offering.php. The manipulation of the argument trcode leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 7.3 | CVE-2025-7832 |
| code-projects--Church Donation System | A vulnerability, which was classified as critical, has been found in code-projects Church Donation System 1.0. This issue affects some unknown processing of the file /members/giving.php. The manipulation of the argument Amount leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 7.3 | CVE-2025-7833 |
| code-projects--Church Donation System | A vulnerability classified as critical was found in code-projects Church Donation System 1.0. This vulnerability affects unknown code of the file /members/update_password_admin.php. The manipulation of the argument new_password leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 7.3 | CVE-2025-7859 |
| code-projects--Church Donation System | A vulnerability, which was classified as critical, has been found in code-projects Church Donation System 1.0. This issue affects some unknown processing of the file /members/login_admin.php. The manipulation of the argument Username leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 7.3 | CVE-2025-7860 |
| code-projects--Church Donation System | A vulnerability, which was classified as critical, was found in code-projects Church Donation System 1.0. Affected is an unknown function of the file /members/search.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 7.3 | CVE-2025-7861 |
| code-projects--Electricity Billing System | A vulnerability was found in code-projects Electricity Billing System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /user/change_password.php. The manipulation of the argument new_password leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.3 | CVE-2025-7610 |
| code-projects--Food Ordering Review System | A vulnerability classified as critical was found in code-projects Food Ordering Review System 1.0. This vulnerability affects unknown code of the file /pages/signup_function.php. The manipulation of the argument fname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-18 | 7.3 | CVE-2025-7814 |
| code-projects--Job Diary | A vulnerability was found in code-projects Job Diary 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /view-all.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.3 | CVE-2025-7593 |
| code-projects--Job Diary | A vulnerability was found in code-projects Job Diary 1.0. It has been classified as critical. This affects an unknown part of the file /view-emp.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.3 | CVE-2025-7594 |
| code-projects--Job Diary | A vulnerability was found in code-projects Job Diary 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /view-cad.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.3 | CVE-2025-7595 |
| code-projects--Mobile Shop | A vulnerability was found in code-projects Mobile Shop 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /login.php. The manipulation of the argument email leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.3 | CVE-2025-7612 |
| code-projects--Online Appointment Booking System | A vulnerability was found in code-projects Online Appointment Booking System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /cover.php. The manipulation of the argument uname/psw leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.3 | CVE-2025-7587 |
| code-projects--Online Appointment Booking System | A vulnerability, which was classified as critical, has been found in code-projects Online Appointment Booking System 1.0. This issue affects some unknown processing of the file /admin/getmanagerregion.php. The manipulation of the argument city leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 7.3 | CVE-2025-7749 |
| code-projects--Online Appointment Booking System | A vulnerability, which was classified as critical, was found in code-projects Online Appointment Booking System 1.0. Affected is an unknown function of the file /admin/adddoctorclinic.php. The manipulation of the argument clinic leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 7.3 | CVE-2025-7750 |
| code-projects--Online Appointment Booking System | A vulnerability has been found in code-projects Online Appointment Booking System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/addclinic.php. The manipulation of the argument cid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 7.3 | CVE-2025-7751 |
| code-projects--Online Appointment Booking System | A vulnerability was found in code-projects Online Appointment Booking System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/deletedoctor.php. The manipulation of the argument did leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 7.3 | CVE-2025-7752 |
| code-projects--Online Appointment Booking System | A vulnerability was found in code-projects Online Appointment Booking System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/adddoctor.php. The manipulation of the argument Username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 7.3 | CVE-2025-7753 |
| code-projects--Online Appointment Booking System | A vulnerability classified as critical has been found in code-projects Online Appointment Booking System 1.0. Affected is an unknown function of the file /admin/deletedoctorclinic.php. The manipulation of the argument clinic leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 7.3 | CVE-2025-7764 |
| code-projects--Online Appointment Booking System | A vulnerability classified as critical was found in code-projects Online Appointment Booking System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/addmanagerclinic.php. The manipulation of the argument clinic leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 7.3 | CVE-2025-7765 |
| code-projects--Simple Shopping Cart | A vulnerability, which was classified as critical, has been found in code-projects Simple Shopping Cart 1.0. This issue affects some unknown processing of the file /Customers/save_order.php. The manipulation of the argument order_price leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.3 | CVE-2025-7607 |
| code-projects--Simple Shopping Cart | A vulnerability, which was classified as critical, was found in code-projects Simple Shopping Cart 1.0. Affected is an unknown function of the file /userlogin.php. The manipulation of the argument user_email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.3 | CVE-2025-7608 |
| code-projects--Simple Shopping Cart | A vulnerability has been found in code-projects Simple Shopping Cart 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /register.php. The manipulation of the argument ruser_email leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.3 | CVE-2025-7609 |
| code-projects--Wedding Reservation | A vulnerability was found in code-projects Wedding Reservation 1.0. It has been classified as critical. This affects an unknown part of the file /global.php. The manipulation of the argument lu leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.3 | CVE-2025-7611 |
| Codexpert, Inc--CoSchool LMS | Deserialization of Untrusted Data vulnerability in Codexpert, Inc CoSchool LMS allows Object Injection. This issue affects CoSchool LMS: from n/a through 1.4.3. | 2025-07-16 | 9.8 | CVE-2025-30973 |
| crmperks--Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms | The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted. | 2025-07-19 | 9.8 | CVE-2025-7697 |
| crmperks--Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms | The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted. | 2025-07-19 | 9.8 | CVE-2025-7696 |
| CrushFTP--CrushFTP | CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025. | 2025-07-18 | 9 | CVE-2025-54309 |
| D-Link--DI-8100 | A vulnerability, which was classified as critical, has been found in D-Link DI-8100 16.07.26A1. This issue affects some unknown processing of the file /menu_nat_more.asp of the component HTTP Request Handler. The manipulation leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 8.8 | CVE-2025-7762 |
| D-Link--DI-8100 | A vulnerability was found in D-Link DI-8100 16.07.26A1. It has been classified as critical. This affects an unknown part of the file /menu_nat.asp of the component HTTP Request Handler. The manipulation of the argument out_addr/in_addr/out_port/proto leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 8.8 | CVE-2025-7790 |
| D-Link--DI-8100 | A vulnerability was found in D-Link DI-8100 1.0. It has been declared as critical. Affected by this vulnerability is the function sprintf of the file /ddns.asp?opt=add of the component jhttpd. The manipulation of the argument mx leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 8.8 | CVE-2025-7908 |
| D-Link--DI-8100 | A vulnerability classified as critical was found in D-Link DI-8100 1.0. This vulnerability affects the function sprintf of the file /upnp_ctrl.asp of the component jhttpd. The manipulation of the argument remove_ext_proto/remove_ext_port leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 8.8 | CVE-2025-7911 |
| D-Link--DI-8100 | A vulnerability was found in D-Link DI-8100 16.07.26A1 and classified as critical. This issue affects some unknown processing of the file /arp_sys.asp of the component HTTP Request Handler. The manipulation leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.2 | CVE-2025-7602 |
| D-Link--DI-8100 | A vulnerability was found in D-Link DI-8100 16.07.26A1. It has been classified as critical. Affected is an unknown function of the file /jingx.asp of the component HTTP Request Handler. The manipulation leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.2 | CVE-2025-7603 |
| D-Link--DIR-513 | A vulnerability was found in D-Link DIR-513 1.0. It has been rated as critical. Affected by this issue is the function sprintf of the file /goform/formLanSetupRouterSettings of the component Boa Webserver. The manipulation of the argument curTime leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-20 | 8.8 | CVE-2025-7909 |
| D-Link--DIR-513 | A vulnerability classified as critical has been found in D-Link DIR-513 1.10. This affects the function sprintf of the file /goform/formSetWanNonLogin of the component Boa Webserver. The manipulation of the argument curTime leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-20 | 8.8 | CVE-2025-7910 |
| danielriera--Counter live visitors for WooCommerce | The Counter live visitors for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wcvisitor_get_block function in all versions up to, and including, 1.3.6. This makes it possible for unauthenticated attackers to delete arbitrary files on the server. NOTE: This particular vulnerability deletes all the files in a targeted arbitrary directory rather than a specified arbitrary file, which can lead to loss of data or a denial of service condition. | 2025-07-16 | 8.2 | CVE-2025-7359 |
| dasinfomedia--School Management System for Wordpress | The School Management System for Wordpress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 93.1.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One such chain can be leveraged to update the password of Super Administrator accounts in Multisite environments making privilege escalation possible. The vendor has updated the version numbers beginning with `1.93.1 (02-07-2025)` for the patched version. This version comes after version 93.1.0. | 2025-07-18 | 8.8 | CVE-2025-3740 |
| Dassault Systmes--SOLIDWORKS eDrawings | Out-Of-Bounds Read vulnerability exists in the JT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025. This vulnerability could allow an attacker to execute arbitrary code while opening a specially crafted JT file. | 2025-07-15 | 7.8 | CVE-2025-0831 |
| Dassault Systmes--SOLIDWORKS eDrawings | Use After Free vulnerability exists in the CATPRODUCT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025. This vulnerability could allow an attacker to execute arbitrary code while opening a specially crafted CATPRODUCT file. | 2025-07-15 | 7.8 | CVE-2025-6971 |
| Dassault Systmes--SOLIDWORKS eDrawings | Use After Free vulnerability exists in the CATPRODUCT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025. This vulnerability could allow an attacker to execute arbitrary code while opening a specially crafted CATPRODUCT file. | 2025-07-15 | 7.8 | CVE-2025-6972 |
| Dassault Systmes--SOLIDWORKS eDrawings | Use After Free vulnerability exists in the JT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025. This vulnerability could allow an attacker to execute arbitrary code while opening a specially crafted JT file. | 2025-07-15 | 7.8 | CVE-2025-6973 |
| Dassault Systmes--SOLIDWORKS eDrawings | Use of Uninitialized Variable vulnerability exists in the JT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025. This vulnerability could allow an attacker to execute arbitrary code while opening a specially crafted JT file. | 2025-07-15 | 7.8 | CVE-2025-6974 |
| Dassault Systmes--SOLIDWORKS eDrawings | Use After Free vulnerability exists in the IPT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025. This vulnerability could allow an attacker to execute arbitrary code while opening a specially crafted IPT file. | 2025-07-15 | 7.8 | CVE-2025-7042 |
| designthemes--Invico - WordPress Consulting Business Theme | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Invico - WordPress Consulting Business Theme allows Reflected XSS. This issue affects Invico - WordPress Consulting Business Theme: from n/a through 1.9. | 2025-07-16 | 7.1 | CVE-2025-31427 |
| designthemes--Ofiz - WordPress Business Consulting Theme | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Ofiz - WordPress Business Consulting Theme allows Reflected XSS. This issue affects Ofiz - WordPress Business Consulting Theme: from n/a through 2.0. | 2025-07-16 | 7.1 | CVE-2025-31072 |
| designthemes--Visual Art | Gallery WordPress Theme | Deserialization of Untrusted Data vulnerability in designthemes Visual Art | Gallery WordPress Theme allows Object Injection. This issue affects Visual Art | Gallery WordPress Theme: from n/a through 2.4. | 2025-07-16 | 8.8 | CVE-2025-31422 |
| Dokploy--dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). Prior to version 0.24.3, an unauthenticated preview deployment vulnerability in Dokploy allows any user to execute arbitrary code and access sensitive environment variables by simply opening a pull request on a public repository. This exposes secrets and potentially enables remote code execution, putting all public Dokploy users using these preview deployments at risk. Version 0.24.3 contains a fix for the issue. | 2025-07-14 | 9.4 | CVE-2025-53825 |
| DSIC--Cross-browser Components for Official Document Creation | The cross-browser document creation component produced by Digitware System Integration Corporation has a Remote Code Execution vulnerability. If a user visits a malicious website while the component is active, remote attackers can cause the system to download and execute arbitrary programs. | 2025-07-14 | 8.8 | CVE-2025-7620 |
| ELEXtensions--ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ELEXtensions ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes allows SQL Injection. This issue affects ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes: from n/a through 1.4.9. | 2025-07-16 | 8.5 | CVE-2025-47645 |
| Eluktronics--Control Center | A vulnerability classified as critical has been found in Eluktronics Control Center 5.23.51.41. Affected is an unknown function of the file \AiStoneService\MyControlCenter\Command of the component Powershell Script Handler. The manipulation leads to command injection. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 7.8 | CVE-2025-7883 |
| Emby--Windows | CWE-434 Unrestricted Upload of File with Dangerous Type | 2025-07-20 | 8.8 | CVE-2025-46384 |
| Emby--Windows | CWE-918 Server-Side Request Forgery (SSRF) | 2025-07-20 | 8.6 | CVE-2025-46385 |
| emlog--emlog | Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter. Due to lack of sanitization it is possible to inject HTML/JS code into keyword parameter. If one persuades an user into clicking into prepared link it is possible to execute any JS code in admin's browser. As of time of publication, no known patched versions exist. | 2025-07-16 | 8.2 | CVE-2025-53923 |
| eoxia--WPshop 2 E-Commerce | The WPshop 2 - E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | 2025-07-19 | 9.8 | CVE-2015-10135 |
| expressjs--multer | Multer is a node.js middleware for handling `multipart/form-data`. A vulnerability that is present starting in version 1.4.4-lts.1 and prior to version 2.0.2 allows an attacker to trigger a Denial of Service (DoS) by sending a malformed multi-part upload request. This request causes an unhandled exception, leading to a crash of the process. Users should upgrade to version 2.0.2 to receive a patch. No known workarounds are available. | 2025-07-17 | 7.5 | CVE-2025-7338 |
| EZiHosting--Tennis Court Bookings | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EZiHosting Tennis Court Bookings allows Reflected XSS. This issue affects Tennis Court Bookings: from n/a through 1.2.7. | 2025-07-16 | 7.1 | CVE-2025-52787 |
| Fortinet--FortiWeb | An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and below 7.0.10 allows an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPs requests. | 2025-07-17 | 9.6 | CVE-2025-25257 |
| FunnelKit--Funnel Builder by FunnelKit | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FunnelKit Funnel Builder by FunnelKit allows SQL Injection. This issue affects Funnel Builder by FunnelKit: from n/a through 3.10.2. | 2025-07-16 | 7.6 | CVE-2025-49034 |
| FWDesign--Easy Video Player Wordpress & WooCommerce | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in FWDesign Easy Video Player Wordpress & WooCommerce allows Path Traversal. This issue affects Easy Video Player Wordpress & WooCommerce: from n/a through 10.0. | 2025-07-16 | 7.5 | CVE-2025-28955 |
| Grafana--Grafana | An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01, 11.6.3+security-01, 11.5.6+security-01, 11.4.6+security-01 and 11.3.8+security-01 | 2025-07-18 | 7.6 | CVE-2025-6023 |
| GT3themes--ListingEasy | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes ListingEasy allows Reflected XSS. This issue affects ListingEasy: from n/a through 1.9.2. | 2025-07-16 | 7.1 | CVE-2025-30955 |
| Guru Team--Site Chat on Telegram | Deserialization of Untrusted Data vulnerability in Guru Team Site Chat on Telegram allows Object Injection. This issue affects Site Chat on Telegram: from n/a through 1.0.4. | 2025-07-16 | 9.8 | CVE-2025-30949 |
| harry0703--MoneyPrinterTurbo | A vulnerability was found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this issue is the function verify_token of the file app/controllers/base.py of the component API Endpoint. The manipulation leads to missing authentication. The attack may be launched remotely. | 2025-07-20 | 7.3 | CVE-2025-7897 |
| Hewlett Packard Enterprise (HPE)--HPE Telco Service Orchestrator | A security vulnerability has been identified in HPE Telco Service Orchestrator software. The vulnerability could allow authenticated clients to to perform a SQL Injection attack when sending a service request, and potentially exfiltrate the database's vendor name to unauthorized authenticated clients. | 2025-07-16 | 7.1 | CVE-2025-37104 |
| Hewlett Packard Enterprise--HPE AutoPass License Server | An hsqldb-related remote code execution vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.18. | 2025-07-16 | 7.5 | CVE-2025-37105 |
| Hewlett Packard Enterprise--HPE AutoPass License Server | An authentication bypass and disclosure of information vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.18. | 2025-07-16 | 7.3 | CVE-2025-37106 |
| Hewlett Packard Enterprise--HPE AutoPass License Server | An authentication bypass vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.18. | 2025-07-16 | 7.3 | CVE-2025-37107 |
| Hgiga--iSherlock-maillog-4.5 | The iSherlock developed by Hgiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. This vulnerability has already been exploited. Please update immediately. | 2025-07-14 | 9.8 | CVE-2025-7451 |
| htplugins--HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. | The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-07-15 | 9.8 | CVE-2025-7340 |
| htplugins--HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. | The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the temp_file_delete() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-07-15 | 9.1 | CVE-2025-7341 |
| htplugins--HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. | The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation in the handle_files_upload() function in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). | 2025-07-15 | 9.1 | CVE-2025-7360 |
| IBM--WebSphere Application Server | IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 are vulnerable to a denial of service, caused by a stack-based overflow. An attacker can send a specially crafted request that cause the server to consume excessive memory resources. | 2025-07-16 | 7.5 | CVE-2025-36097 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0, infinite lines occur when writing during a specific XMP file conversion command. Version 7.1.2-0 fixes the issue. | 2025-07-14 | 7.5 | CVE-2025-53015 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's `magick mogrify` command, specifying multiple consecutive `%d` format specifiers in a filename template causes internal pointer arithmetic to generate an address below the beginning of the stack buffer, resulting in a stack overflow through `vsnprintf()`. Versions 7.1.2-0 and 6.9.13-26 fix the issue. | 2025-07-14 | 7.4 | CVE-2025-53101 |
| Infility--Infility Global | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global allows Reflected XSS. This issue affects Infility Global: from n/a through 2.13.4. | 2025-07-16 | 7.1 | CVE-2025-47652 |
| ISC--BIND 9 | A `named` caching resolver that is configured to send ECS (EDNS Client Subnet) options may be vulnerable to a cache-poisoning attack. This issue affects BIND 9 versions 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.37-S1, and 9.20.9-S1 through 9.20.10-S1. | 2025-07-16 | 8.6 | CVE-2025-40776 |
| ISC--BIND 9 | If a `named` caching resolver is configured with `serve-stale-enable` `yes`, and with `stale-answer-client-timeout` set to `0` (the only allowable value other than `disabled`), and if the resolver, in the process of resolving a query, encounters a CNAME chain involving a specific combination of cached or authoritative records, the daemon will abort with an assertion failure. This issue affects BIND 9 versions 9.20.0 through 9.20.10, 9.21.0 through 9.21.9, and 9.20.9-S1 through 9.20.10-S1. | 2025-07-16 | 7.5 | CVE-2025-40777 |
| JetBrains--YouTrack | In JetBrains YouTrack before 2025.2.86069, 2024.3.85077, 2025.1.86199 email spoofing via an administrative API was possible | 2025-07-15 | 7.6 | CVE-2025-53959 |
| jetmonsters--JetFormBuilder | Deserialization of Untrusted Data vulnerability in jetmonsters JetFormBuilder allows Object Injection. This issue affects JetFormBuilder: from n/a through 3.5.1.2. | 2025-07-16 | 7.2 | CVE-2025-53990 |
| Jinher--OA | A vulnerability was found in Jinher OA 1.2. It has been declared as problematic. This vulnerability affects unknown code of the file ProjectScheduleDelete.aspx. The manipulation leads to xml external entity reference. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 7.3 | CVE-2025-7823 |
| Jinher--OA | A vulnerability was found in Jinher OA 1.1. It has been rated as problematic. This issue affects some unknown processing of the file XmlHttp.aspx. The manipulation leads to xml external entity reference. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 7.3 | CVE-2025-7824 |
| josxha--Restrict File Access | The Restrict File Access plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the 'restrict-file-access' page. This makes it possible for unauthenticated attackers to to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php), via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-15 | 8.1 | CVE-2025-7667 |
| karimmughal--Dot html,php,xml etc pages | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in karimmughal Dot html,php,xml etc pages allows Reflected XSS. This issue affects Dot html,php,xml etc pages: from n/a through 1.0. | 2025-07-16 | 7.1 | CVE-2025-52779 |
| Kingdom Creation--Media Folder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kingdom Creation Media Folder allows Reflected XSS. This issue affects Media Folder: from n/a through 1.0.0. | 2025-07-16 | 7.1 | CVE-2025-52786 |
| LambertGroup--HTML5 Radio Player - WPBakery Page Builder Addon | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in LambertGroup HTML5 Radio Player - WPBakery Page Builder Addon allows Path Traversal. This issue affects HTML5 Radio Player - WPBakery Page Builder Addon: from n/a through 2.5. | 2025-07-16 | 7.5 | CVE-2025-31070 |
| LB-LINK--BL-AC1900 | A vulnerability, which was classified as critical, was found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. Affected is the function reboot/restore of the file /cgi-bin/lighttpd.cgi of the component Web Interface. The manipulation leads to improper authentication. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-14 | 9.8 | CVE-2025-7574 |
| LB-LINK--BL-AC3600 | A vulnerability, which was classified as critical, has been found in LB-LINK BL-AC3600 1.0.22. Affected by this issue is some unknown functionality of the file /etc/shadow. The manipulation with the input root:blinkadmin leads to hard-coded credentials. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-14 | 7.8 | CVE-2025-7564 |
| Lenovo--Browser | A cross-site scripting (XSS) vulnerability was reported in the Lenovo Browser that could allow an attacker to obtain sensitive information if a user visits a web page with specially crafted content. | 2025-07-17 | 7.4 | CVE-2025-6248 |
| Lenovo--Elliptic Virtual Lock Sensor Service For ThinkPad P1 Gen 6 (Type 21FV, 21FW) | An incorrect permissions vulnerability was reported in Elliptic Labs Virtual Lock Sensor that could allow a local, authenticated user to escalate privileges. | 2025-07-17 | 7.8 | CVE-2025-0886 |
| Lenovo--Vantage | An improper validation vulnerability was reported in Lenovo Vantage that under certain conditions could allow a local attacker to execute code with elevated permissions by modifying an application configuration file. | 2025-07-17 | 7.8 | CVE-2025-6231 |
| Lenovo--Vantage | An improper validation vulnerability was reported in Lenovo Vantage that under certain conditions could allow a local attacker to execute code with elevated permissions by modifying specific registry locations. | 2025-07-17 | 7.8 | CVE-2025-6232 |
| Leviton--AcquiSuite | Leviton AcquiSuite and Energy Monitoring Hub are susceptible to a cross-site scripting vulnerability, allowing an attacker to craft a malicious payload in URL parameters, which would execute in a client browser when accessed by a user, steal session tokens, and control the service. | 2025-07-17 | 9.3 | CVE-2025-6185 |
| LoginPress--LoginPress Pro | The LoginPress Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.0.1. This is due to insufficient verification on the user being returned by the social login token. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email and the user does not have an already-existing account for the service returning the token. | 2025-07-18 | 9.8 | CVE-2025-7444 |
| Logpoint--Logpoint | An issue was discovered in Logpoint before 7.6.0. An attacker with operator privileges can exploit a path traversal vulnerability when creating a Layout Template, which can lead to remote code execution (RCE). | 2025-07-20 | 8.4 | CVE-2025-54317 |
| lynton_reed--Work The Flow File Upload | The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | 2025-07-19 | 9.8 | CVE-2015-10138 |
| mailcow--mailcow-dockerized | mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template rendering engine allows template expressions that may be abused to execute code in certain contexts. The issue requires admin-level access to mailcow UI to configure templates, which are automatically rendered during normal system operation. Version 2025-07 contains a patch for the issue. | 2025-07-17 | 9.1 | CVE-2025-53909 |
| malcure--Malcure Malware Scanner #1 Toolset for WordPress Malware Removal | The Malcure Malware Scanner - #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Deletion due to a missing capability check on the wpmr_delete_file() function in all versions up to, and including, 16.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files making remote code execution possible. This is only exploitable when advanced mode is enabled on the site. | 2025-07-16 | 8.1 | CVE-2025-6043 |
| MangaBooth--Madara - Core | The Madara - Core plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the wp_manga_delete_zip() function in all versions up to, and including, 2.2.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-07-17 | 9.1 | CVE-2025-7712 |
| markjaquith--Subscribe to Comments | The Subscribe to Comments for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.1.2 via the Path to header value. This allows authenticated attackers, with administrative privileges and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. This same function can also be used to execute arbitrary PHP code. | 2025-07-19 | 7.2 | CVE-2015-10133 |
| Mbed--mbedtls | Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN). | 2025-07-20 | 8.9 | CVE-2025-47917 |
| Md Yeasin Ul Haider--URL Shortener | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Md Yeasin Ul Haider URL Shortener allows SQL Injection. This issue affects URL Shortener: from n/a through 3.0.7. | 2025-07-16 | 9.3 | CVE-2025-28959 |
| Md Yeasin Ul Haider--URL Shortener | Deserialization of Untrusted Data vulnerability in Md Yeasin Ul Haider URL Shortener allows Object Injection. This issue affects URL Shortener: from n/a through 3.0.7. | 2025-07-16 | 9.8 | CVE-2025-28961 |
| Md Yeasin Ul Haider--URL Shortener | Missing Authorization vulnerability in Md Yeasin Ul Haider URL Shortener allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects URL Shortener: from n/a through 3.0.7. | 2025-07-16 | 8.6 | CVE-2025-28965 |
| Metagauss--ProfileGrid | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Metagauss ProfileGrid allows SQL Injection. This issue affects ProfileGrid : from n/a through 5.9.5.2. | 2025-07-16 | 8.5 | CVE-2025-49876 |
| Metasoft --MetaCRM | A vulnerability classified as critical has been found in Metasoft 美特软件 MetaCRM up to 6.4.2. This affects an unknown part of the file /debug.jsp. The manipulation leads to improper authentication. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 7.3 | CVE-2025-7875 |
| Microsoft--Azure DevOps | Authentication bypass by assumed-immutable data in Azure DevOps allows an unauthorized attacker to elevate privileges over a network. | 2025-07-18 | 9 | CVE-2025-47158 |
| Microsoft--Azure Machine Learning | Improper authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network. | 2025-07-18 | 9.9 | CVE-2025-49746 |
| Microsoft--Azure Machine Learning | Missing authorization in Azure Machine Learning allows an authorized attacker to elevate privileges over a network. | 2025-07-18 | 9.9 | CVE-2025-49747 |
| Microsoft--Microsoft Purview | Permissive list of allowed inputs in Microsoft Purview allows an authorized attacker to elevate privileges over a network. | 2025-07-18 | 8.7 | CVE-2025-53762 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation. | 2025-07-20 | 9.8 | CVE-2025-53770 |
| mojoomla--WPGYM | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows SQL Injection. This issue affects WPGYM: from n/a through 65.0. | 2025-07-16 | 8.5 | CVE-2025-32574 |
| Motorola--Software Fix | A DLL hijacking vulnerability was reported in the Motorola Software Fix (Rescue and Smart Assistant) installer that could allow a local attacker to escalate privileges during installation of the software. | 2025-07-17 | 7 | CVE-2025-1700 |
| mywebsiteadvisor--Simple Backup | The Simple Backup plugin for WordPress is vulnerable to Arbitrary File Download in versions up to, and including, 2.7.10. via the download_backup_file function. This is due to a lack of capability checks and file type validation. This makes it possible for attackers to download sensitive files such as the wp-config.php file from the affected site. | 2025-07-19 | 7.5 | CVE-2015-10134 |
| NixOS--nix | Nix is a package manager for Linux and other Unix systems. Builds with Nix 2.30.0 on macOS were executed with elevated privileges (root), instead of the build users. The fix was applied to Nix 2.30.1. No known workarounds are available. | 2025-07-14 | 7.9 | CVE-2025-53819 |
| NooTheme--Yogi | Deserialization of Untrusted Data vulnerability in NooTheme Yogi allows Object Injection. This issue affects Yogi: from n/a through 2.9.0. | 2025-07-16 | 8.8 | CVE-2025-24779 |
| nuxt-modules--mdc | MDC is a tool to take regular Markdown and write documents interacting deeply with a Vue component. Prior to version 0.17.2, a remote script-inclusion / stored cross-site scripting vulnerability in @nuxtjs/mdc lets a Markdown author inject a `<base href="https://attacker.tld">` element. The `<base>` tag rewrites how all subsequent relative URLs are resolved, so an attacker can make the page load scripts, styles, or images from an external, attacker-controlled origin and execute arbitrary JavaScript in the site's context. Version 0.17.2 contains a fix for the issue. | 2025-07-18 | 8.3 | CVE-2025-54075 |
| NVIDIA--Container Toolkit | NVIDIA Container Toolkit for all platforms contains a vulnerability in some hooks used to initialize the container, where an attacker could execute arbitrary code with elevated permissions. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, information disclosure, and denial of service. | 2025-07-17 | 9 | CVE-2025-23266 |
| NVIDIA--Container Toolkit | NVIDIA Container Toolkit for all platforms contains a vulnerability in the update-ldcache hook, where an attacker could cause a link following by using a specially crafted container image. A successful exploit of this vulnerability might lead to data tampering and denial of service. | 2025-07-17 | 8.5 | CVE-2025-23267 |
| NVIDIA--DOCA-Host and Mellanox OFED | NVIDIA DOCA-Host and Mellanox OFED contain a vulnerability in the VGT+ feature, where an attacker on a VM might cause escalation of privileges and denial of service on the VLAN. | 2025-07-17 | 7.6 | CVE-2025-23263 |
| NVIDIA--Jetson Orin, IGX Orin and Xavier Devices | NVIDIA Jetson Linux contains a vulnerability in UEFI Management mode, where an unprivileged local attacker may cause exposure of sensitive information via a side channel vulnerability. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, and information disclosure. | 2025-07-17 | 7.1 | CVE-2025-23270 |
| One Identity--Password Manager | The Secure Password extension in One Identity Password Manager before 5.14.4 allows local privilege escalation. The issue arises from a flawed security hardening mechanism within the kiosk browser used to display the Password Self-Service site to end users. Specifically, the application attempts to restrict privileged actions by overriding the native window.print() function. However, this protection can be bypassed by an attacker who accesses the Password Self-Service site from the lock screen and navigates to an attacker-controlled webpage via the Help function. By hosting a crafted web page with JavaScript, the attacker can restore and invoke the window.print() function, launching a SYSTEM-privileged print dialog. From this dialog, the attacker can exploit standard Windows functionality - such as the Print to PDF or Add Printer wizard - to spawn a command prompt with SYSTEM privileges. Successful exploitation allows a local attacker (with access to a locked workstation) to gain SYSTEM-level privileges, granting full control over the affected device. | 2025-07-14 | 7.6 | CVE-2025-27582 |
| Open Source Robotics Foundation--Robot Operating System (ROS) | A code execution vulnerability has been discovered in the Robot Operating System (ROS) 'rosparam' tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability stems from the use of the eval() function to process unsanitized, user-supplied parameter values via special converters for angle representations in radians. This flaw allowed attackers to craft and execute arbitrary Python code. | 2025-07-17 | 7.8 | CVE-2024-39289 |
| Open Source Robotics Foundation--Robot Operating System (ROS) | A code injection vulnerability has been identified in the Robot Operating System (ROS) 'roslaunch' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability arises from the use of the eval() method to process user-supplied, unsanitized parameter values within the substitution args mechanism, which roslaunch evaluates before launching a node. This flaw allows attackers to craft and execute arbitrary Python code. | 2025-07-17 | 7.8 | CVE-2024-39835 |
| Open Source Robotics Foundation--Robot Operating System (ROS) | A code injection vulnerability has been discovered in the Robot Operating System (ROS) 'rostopic' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability lies in the 'hz' verb, which reports the publishing rate of a topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization, allowing a local user to craft and execute arbitrary code. | 2025-07-17 | 7.8 | CVE-2024-41148 |
| Open Source Robotics Foundation--Robot Operating System (ROS) | A code injection vulnerability has been discovered in the Robot Operating System (ROS) 'rostopic' command-line tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability lies in the 'echo' verb, which allows a user to introspect a ROS topic and accepts a user-provided Python expression via the --filter option. This input is passed directly to the eval() function without sanitization, allowing a local user to craft and execute arbitrary code. | 2025-07-17 | 7.8 | CVE-2024-41921 |
| Open Source Robotics Foundation--Robot Operating System (ROS) | A code execution vulnerability has been identified in the Robot Operating System (ROS) 'rosbag' tool, affecting ROS distributions Noetic Ninjemys and earlier. The vulnerability arises from the use of the eval() function to process unsanitized, user-supplied input in the 'rosbag filter' command. This flaw enables attackers to craft and execute arbitrary Python code. | 2025-07-17 | 7.8 | CVE-2025-3753 |
| Oracle Corporation--Oracle Application Express | Vulnerability in Oracle Application Express (component: Strategic Planner Starter App). Supported versions that are affected are 24.2.4 and 24.2.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Application Express. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H). | 2025-07-15 | 9 | CVE-2025-50067 |
| Oracle Corporation--Oracle BI Publisher | Vulnerability in the Oracle BI Publisher product of Oracle Analytics (component: Web Server). Supported versions that are affected are 7.6.0.0.0, 8.2.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle BI Publisher accessible data as well as unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2025-07-15 | 8.1 | CVE-2025-50060 |
| Oracle Corporation--Oracle Database Server | Vulnerability in the Oracle Database component of Oracle Database Server. Supported versions that are affected are 19.3-19.27 and 23.4-23.8. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via Oracle Net to compromise Oracle Database. Successful attacks of this vulnerability can result in takeover of Oracle Database. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). | 2025-07-15 | 8.8 | CVE-2025-30751 |
| Oracle Corporation--Oracle Database Server | Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.27 and 21.3-21.18. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via Oracle Net to compromise Java VM. While the vulnerability is in Java VM, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). | 2025-07-15 | 7.7 | CVE-2025-50069 |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2025-07-15 | 8.1 | CVE-2025-30749 |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. While the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). | 2025-07-15 | 8.6 | CVE-2025-50059 |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: 2D). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2025-07-15 | 8.1 | CVE-2025-50106 |
| Oracle Corporation--Oracle Java SE | Vulnerability in Oracle Java SE (component: Install). The supported version that is affected is Oracle Java SE: 8u451. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Java SE executes to compromise Oracle Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Java SE. Note: Applies to installation process on client deployment of Java. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). | 2025-07-15 | 7.3 | CVE-2025-50063 |
| Oracle Corporation--Oracle Lease and Finance Management | Vulnerability in the Oracle Lease and Finance Management product of Oracle E-Business Suite (component: Internal Operations). The supported version that is affected is 12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Lease and Finance Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Lease and Finance Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Lease and Finance Management accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2025-07-15 | 8.1 | CVE-2025-30743 |
| Oracle Corporation--Oracle Mobile Field Service | Vulnerability in the Oracle Mobile Field Service product of Oracle E-Business Suite (component: Multiplatform Sync Errors). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Mobile Field Service. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Mobile Field Service accessible data as well as unauthorized access to critical data or complete access to all Oracle Mobile Field Service accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2025-07-15 | 8.1 | CVE-2025-30744 |
| Oracle Corporation--Oracle Universal Work Queue | Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Work Provider Administration). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Universal Work Queue accessible data as well as unauthorized access to critical data or complete access to all Oracle Universal Work Queue accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2025-07-15 | 8.1 | CVE-2025-50105 |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2025-07-15 | 8.2 | CVE-2025-53024 |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2025-07-15 | 8.2 | CVE-2025-53027 |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2025-07-15 | 8.2 | CVE-2025-53028 |
| Oracle Corporation--Oracle WebLogic Server | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | 2025-07-15 | 7.5 | CVE-2025-30762 |
| Oracle Corporation--PeopleSoft Enterprise HCM Global Payroll Core | Vulnerability in the PeopleSoft Enterprise HCM Global Payroll Core product of Oracle PeopleSoft (component: Global Payroll for Core). Supported versions that are affected are 9.2.51 and 9.2.52. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Global Payroll Core. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all PeopleSoft Enterprise HCM Global Payroll Core accessible data as well as unauthorized access to critical data or complete access to all PeopleSoft Enterprise HCM Global Payroll Core accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2025-07-15 | 8.1 | CVE-2025-50062 |
| pakkemx--Pakke Envos | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in pakkemx Pakke EnvÃos allows SQL Injection. This issue affects Pakke EnvÃos: from n/a through 1.0.2. | 2025-07-16 | 8.5 | CVE-2025-52819 |
| PHPGurukul--Hospital Management System | A vulnerability was found in PHPGurukul Hospital Management System 4.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /user-login.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 7.3 | CVE-2025-7604 |
| PHPGurukul--Land Record System | A vulnerability classified as critical was found in PHPGurukul Land Record System 1.0. Affected by this vulnerability is an unknown functionality of the file /edit-property.php. The manipulation of the argument editid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 7.3 | CVE-2025-7757 |
| pimwick--PW WooCommerce On Sale! | Missing Authorization vulnerability in pimwick PW WooCommerce On Sale! allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PW WooCommerce On Sale!: from n/a through 1.39. | 2025-07-16 | 7.1 | CVE-2025-49888 |
| pmTicket--Project-Management-Software | A vulnerability, which was classified as critical, was found in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486. This affects the function getUserLanguage of the file classes/class.database.php. The manipulation of the argument user_id leads to sql injection. It is possible to initiate the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 7.3 | CVE-2025-7886 |
| prettier--eslint-config-prettier | eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows. | 2025-07-19 | 7.5 | CVE-2025-54313 |
| ProTNS--ActADUR | Vulnerabilities* in ActADUR local server product, developed and maintained by ProTNS, allows Remote Code Inclusion on host systems. * vulnerabilities: * Improper Neutralization of Special Elements used in a Command ('Command Injection') * Use of Hard-coded Credentials * Improper Authentication * Binding to an Unrestricted IP Address The vulnerability has been rated as critical.This issue affects ActADUR: from v2.0.1.9 before v2.0.2.0., hence updating to version v2.0.2.0. or above is required. | 2025-07-15 | 9.6 | CVE-2025-3621 |
| pyload--pyload | pyload is an open-source Download Manager written in pure Python. An unsafe JavaScript evaluation vulnerability in pyLoad's CAPTCHA processing code allows unauthenticated remote attackers to execute arbitrary code in the client browser and potentially the backend server. Exploitation requires no user interaction or authentication and can result in session hijacking, credential theft, and full system remote code execution. Commit 909e5c97885237530d1264cfceb5555870eb9546, the patch for the issue, is included in version 0.5.0b3.dev89. | 2025-07-14 | 9.8 | CVE-2025-53890 |
| QuanticaLabs--CSS3 Compare Pricing Tables for WordPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs CSS3 Compare Pricing Tables for WordPress allows Reflected XSS. This issue affects CSS3 Compare Pricing Tables for WordPress: from n/a through 11.6. | 2025-07-16 | 7.1 | CVE-2025-47554 |
| QuanticaLabs--GymBase Theme Classes | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuanticaLabs GymBase Theme Classes allows SQL Injection. This issue affects GymBase Theme Classes: from n/a through 1.4. | 2025-07-16 | 8.5 | CVE-2025-54026 |
| rustaurius--Ultimate WP Mail | The Ultimate WP Mail plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the get_email_log_details() AJAX handler in versions 1.0.17 to 1.3.6. The handler reads the client-supplied post_id and retrieves the corresponding email log post content (including the password-reset link), relying only on the 'edit_posts' capability without restricting to administrators or validating ownership. This makes it possible for authenticated attackers, with Contributor-level access and above, to harvest an admin's reset link and elevate their privileges to administrator. | 2025-07-16 | 7.5 | CVE-2025-6993 |
| saleem-hadad--larecipe | LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations. Attackers could execute arbitrary commands on the server, access sensitive environment variables, and/or escalate access depending on server configuration. Users are strongly advised to upgrade to version v2.8.1 or later to receive a patch. | 2025-07-14 | 10 | CVE-2025-53833 |
| sammcj--mcp-package-docs | mcp-package-docs is an MCP (Model Context Protocol) server that provides LLMs with efficient access to package documentation across multiple programming languages and language server protocol (LSP) capabilities. A command injection vulnerability exists in the `mcp-package-docs` MCP Server prior to the fix in commit cb4ad49615275379fd6f2f1cf1ec4731eec56eb9. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). Commit cb4ad49615275379fd6f2f1cf1ec4731eec56eb9 in version 0.1.27 contains a fix for the issue, but upgrading to 0.1.28 is recommended. | 2025-07-18 | 7.5 | CVE-2025-54073 |
| scribu--Front-end Editor | The Front End Editor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the upload.php file in versions before 2.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | 2025-07-19 | 9.8 | CVE-2012-10019 |
| Shahjahan Jewel--FluentSnippets | Cross-Site Request Forgery (CSRF) vulnerability in Shahjahan Jewel FluentSnippets allows Cross Site Request Forgery. This issue affects FluentSnippets: from n/a through 10.50. | 2025-07-16 | 9.6 | CVE-2025-54010 |
| shinetheme--Traveler | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler allows SQL Injection. This issue affects Traveler: from n/a through n/a. | 2025-07-16 | 9.3 | CVE-2025-52714 |
| Sophos--Sophos Intercept X for Windows | A vulnerability related to registry permissions in the Intercept X for Windows updater prior to version 2024.3.2 can lead to a local user gaining SYSTEM level privileges during a product upgrade. | 2025-07-17 | 8.8 | CVE-2024-13972 |
| Sophos--Sophos Intercept X for Windows | A local privilege escalation vulnerability in Sophos Intercept X for Windows with Central Device Encryption 2025.1 and older allows arbitrary code execution. | 2025-07-17 | 8.8 | CVE-2025-7433 |
| Sophos--Sophos Intercept X for Windows Installer | A local privilege escalation vulnerability in the Intercept X for Windows installer prior version 1.22 can lead to a local user gaining system level privileges, if the installer is run as SYSTEM. | 2025-07-17 | 7.5 | CVE-2025-7472 |
| Stefan M.--SMu Manual DoFollow | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Stefan M. SMu Manual DoFollow allows Reflected XSS. This issue affects SMu Manual DoFollow: from n/a through 1.8.1. | 2025-07-16 | 7.1 | CVE-2025-49031 |
| StylemixThemes--MasterStudy LMS Pro | The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'install_and_activate_plugin' function in all versions up to, and including, 4.7.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The vulnerability is difficult to exploit due to timing requirements and environmental factors. | 2025-07-18 | 7.5 | CVE-2025-7438 |
| Teledyne--FLIR FB-Series O | A vulnerability was found in Teledyne FLIR FB-Series O and FLIR FH-Series ID 1.3.2.16 and classified as critical. Affected by this issue is some unknown functionality of the file /priv/production/production.html of the component Production Tools. The manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-14 | 7.3 | CVE-2025-7576 |
| Tenda--AC500 | A vulnerability was found in Tenda AC500 2.0.1.9(1307). It has been declared as critical. Affected by this vulnerability is the function formSetAPCfg of the file /goform/setWtpData. The manipulation of the argument radio_2g_1 leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 8.8 | CVE-2025-7586 |
| Tenda--AX1803 | A vulnerability classified as critical has been found in Tenda AX1803 1.0.0.1. Affected is the function formSetMacFilterCfg of the file /goform/setMacFilterCfg. The manipulation of the argument deviceList leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 8.8 | CVE-2025-7597 |
| Tenda--AX1803 | A vulnerability classified as critical was found in Tenda AX1803 1.0.0.1. Affected by this vulnerability is the function formSetWifiMacFilterCfg of the file /goform/setWifiFilterCfg. The manipulation of the argument deviceList leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 8.8 | CVE-2025-7598 |
| Tenda--FH1205 | A vulnerability was found in Tenda FH1205 2.0.0.7(775). It has been rated as critical. This issue affects the function formWifiExtraSet of the file /goform/WifiExtraSet. The manipulation of the argument wpapsk_crypto leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 8.8 | CVE-2025-7596 |
| Tenda--FH451 | A vulnerability classified as critical has been found in Tenda FH451 1.0.0.9. This affects the function fromWizardHandle of the file /goform/WizardHandle of the component POST Request Handler. The manipulation of the argument PPW leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 8.8 | CVE-2025-7747 |
| Tenda--FH451 | A vulnerability was found in Tenda FH451 1.0.0.9. It has been rated as critical. This issue affects the function formSafeEmailFilter of the file /goform/SafeEmailFilter. The manipulation of the argument page leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 8.8 | CVE-2025-7792 |
| Tenda--FH451 | A vulnerability classified as critical has been found in Tenda FH451 1.0.0.9. Affected is the function formWebTypeLibrary of the file /goform/webtypelibrary. The manipulation of the argument webSiteId leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 8.8 | CVE-2025-7793 |
| Tenda--FH451 | A vulnerability classified as critical was found in Tenda FH451 1.0.0.9. Affected by this vulnerability is the function fromNatStaticSetting of the file /goform/NatStaticSetting. The manipulation of the argument page leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 8.8 | CVE-2025-7794 |
| Tenda--FH451 | A vulnerability, which was classified as critical, has been found in Tenda FH451 1.0.0.9. Affected by this issue is the function fromP2pListFilter of the file /goform/P2pListFilter. The manipulation of the argument page leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 8.8 | CVE-2025-7795 |
| Tenda--FH451 | A vulnerability, which was classified as critical, was found in Tenda FH451 1.0.0.9. This affects the function fromPptpUserAdd of the file /goform/PPTPDClient. The manipulation of the argument Username leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 8.8 | CVE-2025-7796 |
| Tenda--FH451 | A vulnerability classified as critical has been found in Tenda FH451 1.0.0.9. This affects the function fromPptpUserSetting of the file /goform/PPTPUserSetting. The manipulation of the argument delno leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 8.8 | CVE-2025-7805 |
| Tenda--FH451 | A vulnerability classified as critical was found in Tenda FH451 1.0.0.9. This vulnerability affects the function fromSafeClientFilter of the file /goform/SafeClientFilter. The manipulation of the argument Go/page leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 8.8 | CVE-2025-7806 |
| Tenda--FH451 | A vulnerability, which was classified as critical, has been found in Tenda FH451 1.0.0.9. This issue affects the function fromSafeUrlFilter of the file /goform/SafeUrlFilter. The manipulation of the argument Go/page leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 8.8 | CVE-2025-7807 |
| Tenda--FH451 | A vulnerability was found in Tenda FH451 1.0.0.9. It has been rated as critical. This issue affects the function fromSetIpBind of the file /goform/SetIpBind. The manipulation of the argument page leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 8.8 | CVE-2025-7853 |
| Tenda--FH451 | A vulnerability classified as critical has been found in Tenda FH451 1.0.0.9. Affected is the function fromVirtualSer of the file /goform/VirtualSer. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 8.8 | CVE-2025-7854 |
| Tenda--FH451 | A vulnerability classified as critical was found in Tenda FH451 1.0.0.9. Affected by this vulnerability is the function fromqossetting of the file /goform/qossetting. The manipulation of the argument page leads to stack-based buffer overflow. The attack can be launched remotely. | 2025-07-19 | 8.8 | CVE-2025-7855 |
| ThimPress--WP Pipes | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThimPress WP Pipes allows SQL Injection. This issue affects WP Pipes: from n/a through 1.4.3. | 2025-07-16 | 9.3 | CVE-2025-28982 |
| Torod Company for Information Technology--Torod | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Torod Company for Information Technology Torod allows SQL Injection. This issue affects Torod: from n/a through 1.9. | 2025-07-16 | 9.3 | CVE-2025-30936 |
| TOTOLINK--T6 | A vulnerability, which was classified as critical, has been found in TOTOLINK T6 up to 4.1.5cu.748_B20211015. Affected by this issue is the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ip leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 8.8 | CVE-2025-7758 |
| TOTOLINK--T6 | A vulnerability was found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this issue is the function recvSlaveStaInfo of the component MQTT Service. The manipulation of the argument dest leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 8.8 | CVE-2025-7837 |
| TOTOLINK--T6 | A vulnerability, which was classified as critical, has been found in TOTOLINK T6 4.1.5cu.748_B20211015. This issue affects the function recvSlaveUpgstatus of the component MQTT Service. The manipulation of the argument s leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 8.8 | CVE-2025-7912 |
| TOTOLINK--T6 | A vulnerability, which was classified as critical, was found in TOTOLINK T6 4.1.5cu.748_B20211015. Affected is the function updateWifiInfo of the component MQTT Service. The manipulation of the argument serverIp leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 8.8 | CVE-2025-7913 |
| TOTOLINK--T6 | A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this vulnerability is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component Telnet Service. The manipulation of the argument telnet_enabled with the input 1 leads to missing authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 7.3 | CVE-2025-7862 |
| UNIMAX--Hospital Information System | The Hospital Information System developed by UNIMAX has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents. | 2025-07-17 | 7.5 | CVE-2025-7735 |
| Unity Business Technology Pty Ltd--The E-Commerce ERP | Incorrect Privilege Assignment vulnerability in Unity Business Technology Pty Ltd The E-Commerce ERP allows Privilege Escalation. This issue affects The E-Commerce ERP: from n/a through 2.1.1.3. | 2025-07-16 | 9.8 | CVE-2025-52836 |
| UTT--HiPER 840G | A vulnerability was found in UTT HiPER 840G up to 3.1.1-190328. It has been rated as critical. Affected by this issue is some unknown functionality of the file /goform/aspRemoteApConfTempSend. The manipulation of the argument remoteSrcTemp leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-14 | 8.8 | CVE-2025-7570 |
| UTT--HiPER 840G | A vulnerability classified as critical has been found in UTT HiPER 840G up to 3.1.1-190328. This affects an unknown part of the file /goform/aspApBasicConfigUrcp. The manipulation of the argument Username leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-14 | 8.8 | CVE-2025-7571 |
| uxper--Nuss | Missing Authorization vulnerability in uxper Nuss allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Nuss: from n/a through 1.3.3. | 2025-07-16 | 7.5 | CVE-2025-52804 |
| uxper--Sala | Missing Authorization vulnerability in uxper Sala allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Sala: from n/a through 1.1.3. | 2025-07-16 | 7.5 | CVE-2025-52803 |
| ValvePress--Wordpress Auto Spinner | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ValvePress Wordpress Auto Spinner allows Reflected XSS. This issue affects Wordpress Auto Spinner: from n/a through 3.25.0. | 2025-07-16 | 7.1 | CVE-2025-46500 |
| vergatheme--Electrician - Electrical Service WordPress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vergatheme Electrician - Electrical Service WordPress allows Reflected XSS. This issue affects Electrician - Electrical Service WordPress: from n/a through 1.0. | 2025-07-16 | 7.1 | CVE-2025-31055 |
| VibeThemes--WPLMS Learning Management System for WordPress, WordPress LMS | The WPLMS theme for WordPress is vulnerable to Privilege Escalation in versions 1.5.2 to 1.8.4.1 via the 'wp_ajax_import_data' AJAX action. This makes it possible for authenticated attackers to change otherwise restricted settings and potentially create a new accessible admin account. | 2025-07-19 | 8.8 | CVE-2015-10139 |
| VMware--Cloud Foundation | VMware ESXi, Workstation, and Fusion contain an integer-underflow in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed. | 2025-07-15 | 9.3 | CVE-2025-41237 |
| VMware--ESXi | VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability in the VMXNET3 virtual network adapter. A malicious actor with local administrative privileges on a virtual machine with VMXNET3 virtual network adapter may exploit this issue to execute code on the host. Non VMXNET3 virtual adapters are not affected by this issue. | 2025-07-15 | 9.3 | CVE-2025-41236 |
| VMware--ESXi | VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox and exploitable only with configurations that are unsupported. On Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed. | 2025-07-15 | 9.3 | CVE-2025-41238 |
| VMware--ESXi | VMware ESXi, Workstation, Fusion, and VMware Tools contains an information disclosure vulnerability due to the usage of an uninitialised memory in vSockets. A malicious actor with local administrative privileges on a virtual machine may be able to exploit this issue to leak memory from processes communicating with vSockets. | 2025-07-15 | 7.1 | CVE-2025-41239 |
| Wasiliy Strecker / ContestGallery developer--Contest Gallery | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery allows Stored XSS. This issue affects Contest Gallery: from n/a through 26.0.6. | 2025-07-16 | 7.1 | CVE-2025-48291 |
| Webkul--Medical Prescription Attachment Plugin for WooCommerce | Unrestricted Upload of File with Dangerous Type vulnerability in Webkul Medical Prescription Attachment Plugin for WooCommerce allows Upload a Web Shell to a Web Server. This issue affects Medical Prescription Attachment Plugin for WooCommerce: from n/a through 1.2.3. | 2025-07-16 | 10 | CVE-2025-29009 |
| Websitez.com, LLC--WP Mobile Detector | The WP Mobile Detector plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in resize.php file in versions up to, and including, 3.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | 2025-07-19 | 9.8 | CVE-2016-15043 |
| WellChoose--BatchSignCS | BatchSignCS, a background Windows application developed by WellChoose, has an Arbitrary File Write vulnerability. If a user visits a malicious website while the application is running, remote attackers can write arbitrary files to any path and potentially lead to arbitrary code execution. | 2025-07-14 | 8.8 | CVE-2025-7619 |
| WP Swings--WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet | The WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ced_rnx_order_exchange_attach_files' function in all versions up to, and including, 3.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-07-18 | 9.8 | CVE-2025-6222 |
| wpeventmanager--WP Event Manager Events Calendar, Registrations, Sell Tickets with WooCommerce | The WP Event Manager - Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'organizer_name' parameter in all versions up to, and including, 3.1.50 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-16 | 7.2 | CVE-2025-2800 |
| xwiki--xwiki-rendering | XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 4.2-milestone-1 and prior to versions 13.10.11, 14.4.7, and 14.10, the default macro content parser doesn't preserve the restricted attribute of the transformation context when executing nested macros. This allows executing macros that are normally forbidden in restricted mode, in particular script macros. The cache and chart macros that are bundled in XWiki use the vulnerable feature. This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. To avoid the exploitation of this bug, comments can be disabled for untrusted users until an upgrade to a patched version has been performed. Note that users with edit rights will still be able to add comments via the object editor even if comments have been disabled. | 2025-07-14 | 10 | CVE-2025-53836 |
| xwiki--xwiki-rendering | XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Starting in version 5.4.5 and prior to version 14.10, the XHTML syntax depended on the `xdom+xml/current` syntax which allows the creation of raw blocks that permit the insertion of arbitrary HTML content including JavaScript. This allows XSS attacks for users who can edit a document like their user profile (enabled by default). This has been fixed in version 14.10 by removing the dependency on the `xdom+xml/current` syntax from the XHTML syntax. Note that the `xdom+xml` syntax is still vulnerable to this attack. As it's main purpose is testing and its use is quite difficult, this syntax shouldn't be installed or used on a regular wiki. There are no known workarounds apart from upgrading. | 2025-07-14 | 9.1 | CVE-2025-53835 |
| YayCommerce--SMTP for Amazon SES | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce SMTP for Amazon SES allows SQL Injection. This issue affects SMTP for Amazon SES: from n/a through 1.9. | 2025-07-16 | 7.6 | CVE-2025-54043 |
| YayCommerce--SMTP for SendGrid YaySMTP | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce SMTP for SendGrid - YaySMTP allows SQL Injection. This issue affects SMTP for SendGrid - YaySMTP: from n/a through 1.5. | 2025-07-16 | 7.6 | CVE-2025-48301 |
| YayCommerce--YayExtra | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayExtra allows SQL Injection. This issue affects YayExtra: from n/a through 1.5.5. | 2025-07-16 | 7.6 | CVE-2025-48299 |
| YayCommerce--YaySMTP | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP allows SQL Injection. This issue affects YaySMTP: from n/a through 1.3. | 2025-07-16 | 7.6 | CVE-2025-48161 |
| zishanj--GI-Media Library | The GI-Media Library plugin for WordPress is vulnerable to Directory Traversal in versions before 3.0 via the 'fileid' parameter. This allows unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-07-19 | 7.5 | CVE-2015-10136 |
| Zyxel--NWA50AX PRO firmware | A path traversal vulnerability in the file_upload-cgi CGI program of Zyxel NWA50AX PRO firmware version 7.10(ACGE.2) and earlier could allow an authenticated attacker with administrator privileges to access specific directories and delete files, such as the configuration file, on the affected device. | 2025-07-15 | 7.2 | CVE-2025-6265 |
| Zyxel--VMG8825-T50K firmware | A buffer overflow vulnerability in the URL parser of the zhttpd web server in Zyxel VMG8825-T50K firmware versions prior to V5.50(ABOM.5)C0 could allow an unauthenticated attacker to cause denial-of-service (DoS) conditions and potentially execute arbitrary code by sending a specially crafted HTTP request. | 2025-07-16 | 9.8 | CVE-2025-7673 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 1Panel-dev--MaxKB | MaxKB is an open-source AI assistant for enterprise. Prior to version 2.0.0, the sandbox design rules can be bypassed because MaxKB only restricts the execution permissions of files in a specific directory. Therefore, an attacker can use the `shutil.copy2` method in Python to copy the command they want to execute to the executable directory. This bypasses directory restrictions and reverse shell. Version 2.0.0 fixes the issue. | 2025-07-17 | 4.6 | CVE-2025-53927 |
| 1Panel-dev--MaxKB | MaxKB is an open-source AI assistant for enterprise. Prior to versions 1.10.9-lts and 2.0.0, a Remote Command Execution vulnerability exists in the MCP call. Versions 1.10.9-lts and 2.0.0 fix the issue. | 2025-07-17 | 4.6 | CVE-2025-53928 |
| activity-log.com--Profiler - What Slowing Down Your WP | Missing Authorization vulnerability in activity-log.com Profiler - What Slowing Down Your WP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Profiler - What Slowing Down Your WP: from n/a through 1.0.0. | 2025-07-16 | 6.5 | CVE-2025-48339 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. A low privileged attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page. | 2025-07-16 | 5.4 | CVE-2025-46959 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 6.5.22 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability. A low privileged attacker could exploit this issue by manipulating the DOM environment to execute malicious JavaScript within the context of the victim's browser. Exploitation of this issue requires user interaction in that a victim must visit a specially crafted web page. | 2025-07-16 | 5.4 | CVE-2025-47053 |
| ajay--Knowledge Base | The Knowledge Base plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin slug setting in all versions up to, and including, 2.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-07-18 | 4.4 | CVE-2025-7431 |
| alexvtn--Chatbox Manager | Missing Authorization vulnerability in alexvtn Chatbox Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Chatbox Manager: from n/a through 1.2.5. | 2025-07-16 | 5.4 | CVE-2025-48167 |
| alexvtn--Internal Linking of Related Contents | Missing Authorization vulnerability in alexvtn Internal Linking of Related Contents allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Internal Linking of Related Contents: from n/a through 1.1.8. | 2025-07-16 | 6.5 | CVE-2025-49884 |
| avishika--Avishi WP PayPal Payment Button | The Avishi WP PayPal Payment Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0. This is due to missing or incorrect nonce validation on the 'avishi-wp-paypal-payment-button/index.php' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-19 | 6.1 | CVE-2025-7669 |
| b1accounting--B1.lt | The B1.lt plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 2.2.56 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-07-18 | 6.5 | CVE-2025-6717 |
| bandido--MORKVA Vchasno Kasa Integration | The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the clear_all_log() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to clear log files. | 2025-07-19 | 5.3 | CVE-2025-6720 |
| bandido--MORKVA Vchasno Kasa Integration | The Vchasno Kasa plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the mrkv_vchasno_kasa_wc_do_metabox_action() function in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to generate invoices for arbitrary orders. | 2025-07-19 | 5.3 | CVE-2025-6721 |
| bbc000tommy--Useful Tab Block Responsive & AMP-Compatible | The Useful Tab Block - Responsive & AMP-Compatible plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'className' parameter in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-18 | 6.4 | CVE-2025-5754 |
| Beijing Shenzhou Shihan Technology--Multimedia Integrated Business Display System | A vulnerability classified as critical has been found in Beijing Shenzhou Shihan Technology Multimedia Integrated Business Display System up to 8.2. This affects an unknown part of the file /admin/system/structure/getdirectorydata/web/baseinfo/companyManage. The manipulation of the argument Struccture_ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 6.3 | CVE-2025-7798 |
| Bill Minozzi--Real Estate Property 2024 Create Your Own Fields and Search Bar WP Plugin | Missing Authorization vulnerability in Bill Minozzi Real Estate Property 2024 Create Your Own Fields and Search Bar WP Plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Real Estate Property 2024 Create Your Own Fields and Search Bar WP Plugin: from n/a through 4.48. | 2025-07-16 | 4.3 | CVE-2025-48150 |
| Bill Minozzi--Stop and Block bots plugin Anti bots | Missing Authorization vulnerability in Bill Minozzi Stop and Block bots plugin Anti bots allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Stop and Block bots plugin Anti bots: from n/a through 1.48. | 2025-07-16 | 5.3 | CVE-2025-48166 |
| biteship--Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo Biteship | The Plugin Pengiriman WooCommerce Kurir Reguler, Instan, Kargo - Biteship plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.2.0 via the get_order_detail() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view other user's orders. | 2025-07-18 | 4.3 | CVE-2025-5816 |
| blazethemes--News Kit Elementor Addons | Missing Authorization vulnerability in blazethemes News Kit Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects News Kit Elementor Addons: from n/a through 1.3.4. | 2025-07-16 | 5.4 | CVE-2025-54037 |
| BlocksWP--Theme Builder For Elementor | Cross-Site Request Forgery (CSRF) vulnerability in BlocksWP Theme Builder For Elementor allows Cross Site Request Forgery. This issue affects Theme Builder For Elementor: from n/a through 1.2.3. | 2025-07-16 | 6.5 | CVE-2025-54033 |
| bogdansilivestru--Zuppler Online Ordering | The Zuppler Online Ordering plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.0. This is due to missing or incorrect nonce validation on the 'zuppler-online-ordering-options' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-18 | 6.1 | CVE-2025-6053 |
| boldthemes--Bold Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder allows Stored XSS. This issue affects Bold Page Builder: from n/a through 5.4.1. | 2025-07-16 | 6.5 | CVE-2025-54006 |
| bPlugins--LightBox Block | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins LightBox Block allows Stored XSS. This issue affects LightBox Block: from n/a through 1.1.30. | 2025-07-16 | 6.5 | CVE-2025-54051 |
| brandfolder--Brandfolder Digital Asset Management Simplified. | The Brandfolder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter in all versions up to, and including, 5.0.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-16 | 6.4 | CVE-2025-5843 |
| caido--caido | Caido is a web security auditing toolkit. A reflected cross-site scripting (XSS) vulnerability was discovered in Caido's toast UI component in versions prior to 0.49.0. Toast messages may reflect unsanitized user input in certain tools such as Match&Replace and Scope. This could allow an attacker to craft input that results in arbitrary script execution. Version 0.49.0 fixes the issue. | 2025-07-14 | 6.3 | CVE-2025-53834 |
| CallApp--Caller ID App | A vulnerability was found in CallApp Caller ID App up to 2.0.4 on Android. It has been classified as problematic. Affected is an unknown function of the file AndroidManifest.xml of the component caller.id.phone.number.block. The manipulation leads to improper export of android application components. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 5.3 | CVE-2025-7889 |
| chainguard-dev--melange | melange allows users to build apk packages using declarative pipelines. Starting in version 0.23.0 and prior to version 0.29.5, SBOM files generated by melange in apks had file system permissions mode 666. This potentially allows an unprivileged user to tamper with apk SBOMs on a running image, potentially confusing security scanners. An attacker could also perform a DoS under special circumstances. Version 0.29.5 fixes the issue. | 2025-07-18 | 4.4 | CVE-2025-54059 |
| Cisco--Cisco Evolved Programmable Network Manager (EPNM) | A vulnerability in a subset of REST APIs of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager (EPNM) could allow an authenticated, low-privileged, remote attacker to conduct a blind SQL injection attack. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted request to an affected API. A successful exploit could allow the attacker to view data in some database tables on an affected device. | 2025-07-16 | 4.3 | CVE-2025-20272 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as root. This vulnerability is due to insufficient validation of user-supplied input. An attacker with valid credentials could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute commands as the root user. To exploit this vulnerability, the attacker must have valid high-privileged credentials. | 2025-07-16 | 6.5 | CVE-2025-20283 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary code on the underlying operating system as root. This vulnerability is due to insufficient validation of user-supplied input. An attacker with valid credentials could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to execute commands as the root user. To exploit this vulnerability, the attacker must have valid high-privileged credentials. | 2025-07-16 | 6.5 | CVE-2025-20284 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the IP Access Restriction feature of Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to bypass configured IP access restrictions and log in to the device from a disallowed IP address. This vulnerability is due to improper enforcement of access controls that are configured using the IP Access Restriction feature. An attacker could exploit this vulnerability by logging in to the API from an unauthorized source IP address. A successful exploit could allow the attacker to gain access to the targeted device from an IP address that should have been restricted. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2025-07-16 | 4.1 | CVE-2025-20285 |
| Cisco--Cisco Unified Contact Center Express | A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an authenticated, remote attacker to upload arbitrary files to an affected device. This vulnerability is due to improper validation of files that are uploaded to the web-based management interface. An attacker could exploit this vulnerability by uploading arbitrary files to an affected device. A successful exploit could allow the attacker to store malicious files on the system and execute arbitrary commands on the operating system. The Security Impact Rating (SIR) of this advisory has been raised to High because an attacker could elevate privileges to root. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of Report Designer. | 2025-07-16 | 6.3 | CVE-2025-20274 |
| Cisco--Cisco Unified Contact Center Express | A vulnerability in the web-based management interface of Cisco Unified Intelligence Center could allow an unauthenticated, remote attacker to conduct a server-side request forgery (SSRF) attack through an affected device. This vulnerability is due to improper input validation for specific HTTP requests. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to send arbitrary network requests that are sourced from the affected device. | 2025-07-16 | 5.8 | CVE-2025-20288 |
| code-projects--E-Commerce Site | A vulnerability classified as problematic has been found in code-projects E-Commerce Site 1.0. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 4.3 | CVE-2025-7756 |
| code-projects--Online Ordering System | A vulnerability was found in code-projects Online Ordering System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/edit_product.php. The manipulation of the argument image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 6.3 | CVE-2025-7755 |
| code-projects--Patient Record Management System | A vulnerability was found in code-projects Patient Record Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /xray_form.php. The manipulation of the argument itr_no leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 6.3 | CVE-2025-7754 |
| code-projects--Voting System | A vulnerability, which was classified as critical, has been found in code-projects Voting System 1.0. This issue affects some unknown processing of the file /admin/voters_add.php. The manipulation of the argument firstname/lastname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7555 |
| code-projects--Voting System | A vulnerability, which was classified as critical, was found in code-projects Voting System 1.0. Affected is an unknown function of the file /admin/voters_edit.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7556 |
| code-projects--Voting System | A vulnerability has been found in code-projects Voting System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/voters_row.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7557 |
| code-projects--Voting System | A vulnerability was found in code-projects Voting System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/positions_add.php. The manipulation of the argument description leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7558 |
| code-projects--Voting System | A vulnerability classified as critical was found in code-projects Voting System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/positions_row.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7580 |
| code-projects--Voting System | A vulnerability, which was classified as critical, has been found in code-projects Voting System 1.0. Affected by this issue is some unknown functionality of the file /admin/positions_edit.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7581 |
| Codecanyon--iDentSoft | A vulnerability was found in Codecanyon iDentSoft 2.0. It has been classified as critical. This affects an unknown part of the file /clinica/profile/updateSetting of the component Account Setting Page. The manipulation of the argument photo leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 4.7 | CVE-2025-7898 |
| codents--Temporarily Hidden Content | The Temporarily Hidden Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'temphc-start' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-19 | 6.4 | CVE-2025-7658 |
| CodeSolz--Ultimate Push Notifications | Missing Authorization vulnerability in CodeSolz Ultimate Push Notifications allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Push Notifications: from n/a through 1.1.9. | 2025-07-16 | 6.5 | CVE-2025-50028 |
| CreativeMindsSolutions--CM Pop-Up banners | Missing Authorization vulnerability in CreativeMindsSolutions CM Pop-Up banners allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM Pop-Up banners: from n/a through 1.8.4. | 2025-07-16 | 4.3 | CVE-2025-54018 |
| Crocoblock--JetBlocks For Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetBlocks For Elementor allows Stored XSS. This issue affects JetBlocks For Elementor: from n/a through 1.3.19. | 2025-07-16 | 6.5 | CVE-2025-53989 |
| Crocoblock--JetElements For Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor allows Stored XSS. This issue affects JetElements For Elementor: from n/a through 2.7.7. | 2025-07-16 | 6.5 | CVE-2025-53982 |
| Crocoblock--JetPopup | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetPopup allows DOM-Based XSS. This issue affects JetPopup: from n/a through 2.0.15. | 2025-07-16 | 6.5 | CVE-2025-53994 |
| Crocoblock--JetPopup | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetPopup allows Stored XSS. This issue affects JetPopup: from n/a through 2.0.15.1. | 2025-07-16 | 6.5 | CVE-2025-53995 |
| Crocoblock--JetSearch | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSearch allows Stored XSS. This issue affects JetSearch: from n/a through 3.5.10.1. | 2025-07-16 | 6.5 | CVE-2025-53996 |
| Crocoblock--JetSmartFilters | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetSmartFilters allows Stored XSS. This issue affects JetSmartFilters: from n/a through 3.6.8. | 2025-07-16 | 6.5 | CVE-2025-54009 |
| Crocoblock--JetTabs | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTabs allows Stored XSS. This issue affects JetTabs: from n/a through 2.2.9. | 2025-07-16 | 6.5 | CVE-2025-53984 |
| Crocoblock--JetTricks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetTricks allows Stored XSS. This issue affects JetTricks: from n/a through 1.5.4.1. | 2025-07-16 | 6.5 | CVE-2025-53991 |
| CyberArk--IDP | CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | 2025-07-20 | 5.3 | CVE-2025-46382 |
| CyberChimps--Responsive Addons for Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Addons for Elementor allows Stored XSS. This issue affects Responsive Addons for Elementor: from n/a through 1.7.3. | 2025-07-16 | 6.5 | CVE-2025-54050 |
| D-Link--DIR-816L | A vulnerability has been found in D-Link DIR-816L up to 2.06B01 and classified as critical. Affected by this vulnerability is the function lxmldbc_system of the file /htdocs/cgibin of the component Environment Variable Handler. The manipulation leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-19 | 6.3 | CVE-2025-7836 |
| Dell--ECS | Dell ECS versions prior to 3.8.1.5/ ObjectScale version 4.0.0.0 contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information disclosure. | 2025-07-15 | 5.5 | CVE-2025-30483 |
| dglingren--Media Library Assistant | The Media Library Assistant plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mla_tag_cloud and mla_term_list shortcodes in all versions up to, and including, 3.26 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-16 | 6.4 | CVE-2025-7035 |
| DIRACGrid--diracx-web | DiracX-Web is a web application that provides an interface to interact with the DiracX services. Prior to version 0.1.0-a8, an attacker can forge a request that they can pass to redirect an authenticated user to another arbitrary website. In the login page, DiracX-Web has a `redirect` field which is the location where the server will redirect the user. This URI is not verified, and can be an arbitrary URI. Paired with a parameter pollution, an attacker can hide their malicious URI. This could be used for phishing, and extract new data (such as redirecting to a new "log in" page, and asking another time credentials). Version 0.1.0-a8 fixes this vulnerability. | 2025-07-17 | 4.7 | CVE-2025-54066 |
| directus--directus | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow. Depending on what the Flow is set up to do this can lead to the Flow executing potential tasks on the attacker's behalf without authenticating. Bad actors could execute the manual trigger Flows without authentication, or access rights to the said collection(s) or item(s). Users with manual trigger Flows configured are impacted as these endpoints do not currently validate if the user has read access to `directus_flows` or to the relevant collection/items. The manual trigger Flows should have tighter security requirements as compared to webhook Flows where users are expected to perform do their own checks. Version 11.9.0 fixes the issue. As a workaround, implement permission checks for read access to Flows and read access to relevant collection/items. | 2025-07-14 | 6.5 | CVE-2025-53889 |
| directus--directus | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly being used as OpenAPI Spec version this means that it is being exposed by the `/server/specs/oas` endpoint without authentication. With the exact version information a malicious attacker can look for known vulnerabilities in Directus core or any of its shipped dependencies in that specific running version. Version 11.9.0 fixes the issue. | 2025-07-14 | 5.3 | CVE-2025-53887 |
| directus--directus | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template string. Malicious admins can log sensitive data from other users when they are created or updated. Version 11.9.0 contains a fix for the issue. As a workaround, avoid logging sensitive data to the console outside the context of development. | 2025-07-14 | 4.2 | CVE-2025-53885 |
| directus--directus | Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in cookies. Malicious admins with access to the logs can hijack the user sessions within the token expiration time of them triggering the Flow. Version 11.9.0 fixes the issue. | 2025-07-14 | 4.5 | CVE-2025-53886 |
| dracoon--security-advisories | DRACOON is a file sharing service, and the DRACOON Branding Service allows customers to customize their DRACOON interface with their brand. Versions of the DRACOON Branding Service prior to 2.10.0 are vulnerable to cross-site scripting. Improper neutralization of input from administrative users could inject HTML code into the workflow for newly onboarded users. A fix was made available in version 2.10.0 and rolled out to the DRACOON service. DRACOON customers do not need to take action. | 2025-07-14 | 4 | CVE-2025-53839 |
| DSpace--DSpace | DSpace open source software is a repository application which provides durable access to digital resources. Two related XML External Entity (XXE) injection possibilities impact all versions of DSpace prior to 7.6.4, 8.2, and 9.1. External entities are not disabled when parsing XML files during import of an archive (in Simple Archive Format), either from command-line (`./dspace import` command) or from the "Batch Import (Zip)" user interface feature. External entities are also not explicitly disabled when parsing XML responses from some upstream services (ArXiv, Crossref, OpenAIRE, Creative Commons) used in import from external sources via the user interface or REST API. An XXE injection in these files may result in a connection being made to an attacker's site or a local path readable by the Tomcat user, with content potentially being injected into a metadata field. In the latter case, this may result in sensitive content disclosure, including retrieving arbitrary files or configurations from the server where DSpace is running. The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from user interface / REST API) or system administrators (from command-line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator, who would trigger the import. The fix is included in DSpace 7.6.4, 8.2, and 9.1. Please upgrade to one of these versions. For those who cannot upgrade immediately, it is possible to manually patch the DSpace backend. One may also apply some best practices, though the protection provided is not as complete as upgrading. Administrators must carefully inspect any SAF archives (they did not construct themselves) before importing. As necessary, affected external services can be disabled to mitigate the ability for payloads to be delivered via external service APIs. | 2025-07-15 | 6.9 | CVE-2025-53621 |
| DSpace--DSpace | DSpace open source software is a repository application which provides durable access to digital resources. Prior to versions 7.6.4, 8.2, and 9.1, a path traversal vulnerability is possible during the import of an archive (in Simple Archive Format), either from command-line (`./dspace import` command) or from the "Batch Import (Zip)" user interface feature. An attacker may craft a malicious Simple Archive Format (SAF) package where the `contents` file references any system files (using relative traversal sequences) which are readable by the Tomcat user. If such a package is imported, this will result in sensitive content disclose, including retrieving arbitrary files or configurations from the server where DSpace is running. The Simple Archive Format (SAF) importer / Batch Import (Zip) is only usable by site administrators (from user interface / REST API) or system administrators (from command-line). Therefore, to exploit this vulnerability, the malicious payload would have to be provided by an attacker and trusted by an administrator (who would trigger the import). The fix is included in DSpace 7.6.4, 8.2 and 9.1. For those who cannot upgrade immediately, it is possible to manually patch the DSpace backend. (No changes are necessary to the frontend.) A pull request exists which can be used to patch systems running DSpace 7.6.x, 8.x or 9.0. Although it is not possible to fully protect the system via workarounds, one may can apply a best practice. Administrators must carefully inspect any SAF archives (they did not construct themselves) before importing, paying close attention to the `contents` file to validate it does not reference files outside of the SAF archives. | 2025-07-15 | 5.2 | CVE-2025-53622 |
| Dunamu--StockPlus App | A vulnerability was found in Dunamu StockPlus App up to 7.62.10 on Android. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.dunamu.stockplus. The manipulation leads to improper export of android application components. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 5.3 | CVE-2025-7890 |
| Elliot Sowersby / RelyWP--Coupon Affiliates | Cross-Site Request Forgery (CSRF) vulnerability in Elliot Sowersby / RelyWP Coupon Affiliates allows Cross Site Request Forgery. This issue affects Coupon Affiliates: from n/a through 6.4.0. | 2025-07-16 | 6.5 | CVE-2025-54022 |
| Emby--Windows | CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') | 2025-07-20 | 6.1 | CVE-2025-46383 |
| emlog--emlog | Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows authenticated remote attackers to inject arbitrary web script or HTML via the siteurl parameter. It is possible to inject malicious code into siteurl parameter resulting in Stored XSS. When someone clicks on the link the malicious code is executed. As of time of publication, no known patched versions exist. | 2025-07-16 | 6.9 | CVE-2025-53924 |
| emlog--emlog | Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows remote attackers to inject arbitrary web script or HTML via the comment and comname parameters. Reflected XSS requires the victim to send POST requests, therefore the victim must be persuaded into clicking into sent URL. As of time of publication, no known patched versions exist. | 2025-07-16 | 6.1 | CVE-2025-53926 |
| emlog--emlog | Emlog is an open source website building system. A cross-site scripting (XSS) vulnerability in emlog up to and including pro-2.5.17 allows authenticated remote attackers to inject arbitrary web script or HTML via the file upload functionality. As an authenticated user it is possible to upload an .svg file that contains JavaScript code that is later executed. As of time of publication, no known patched versions exist. | 2025-07-16 | 5.4 | CVE-2025-53925 |
| enituretechnology--Residential Address Detection | Missing Authorization vulnerability in enituretechnology Residential Address Detection allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Residential Address Detection: from n/a through 2.5.9. | 2025-07-16 | 5.3 | CVE-2025-48155 |
| Erik--AntiSpam for Contact Form 7 | Cross-Site Request Forgery (CSRF) vulnerability in Erik AntiSpam for Contact Form 7 allows Cross Site Request Forgery. This issue affects AntiSpam for Contact Form 7: from n/a through 0.6.3. | 2025-07-16 | 5.4 | CVE-2025-54020 |
| favethemes--Houzez | Missing Authorization vulnerability in favethemes Houzez allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Houzez: from n/a through 4.0.4. | 2025-07-16 | 4.3 | CVE-2025-53997 |
| fedify-dev--hollo | Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Versions prior to 0.6.5 allow HTML form elements to be submitted, making the software vulnerable to HTML injection. Version 0.6.5 fixes the issue. | 2025-07-17 | 6.1 | CVE-2025-53941 |
| Foresight--News App | A vulnerability classified as problematic was found in Foresight News App up to 2.6.4 on Android. This vulnerability affects unknown code of the file AndroidManifest.xml of the component pro.foresightnews.appa. The manipulation leads to improper export of android application components. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 5.3 | CVE-2025-7893 |
| Fortinet--FortiIsolator | An improper access control vulnerability [CWE-284] in FortiIsolator version 2.4.4, version 2.4.3, 2.3 all versions logging component may allow a remote authenticated read-only attacker to alter logs via a crafted HTTP request. | 2025-07-18 | 4 | CVE-2024-32124 |
| Fortinet--FortiOS | A heap-based buffer overflow in Fortinet FortiOS versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.7, 7.2.4 through 7.2.11 allows an attacker to escalate its privileges via a specially crafted CLI command | 2025-07-15 | 4 | CVE-2025-24477 |
| Fortinet--FortiSandbox | An insufficient session expiration vulnerability [CWE-613] in FortiSandbox FortiSandbox version 4.4.4 and below, version 4.2.6 and below, 4.0 all versions, 3.2 all versions and FortiIsolator version 2.4 and below, 2.3 all versions, 2.2 all versions, 2.1 all versions, 2.0 all versions, 1.2 all versions may allow a remote attacker in possession of an admin session cookie to keep using that admin's session even after the admin user was deleted. | 2025-07-18 | 6.3 | CVE-2024-27779 |
| Fortra--GoAnywhere MFT | Broken access control in Fortra's GoAnywhere MFT prior to 7.8.1 allows an attacker to create a denial of service situation when configured to use GoAnywhere One-Time Password (GOTP) email two-factor authentication (2FA) and the user has not set an email address. In this scenario, the attacker may enter the email address of a known user when prompted and the user will be disabled if that user has configured GOTP. | 2025-07-16 | 5.3 | CVE-2025-3871 |
| gmg137--snap7-rs | A vulnerability, which was classified as critical, has been found in gmg137 snap7-rs up to 1.142.1. Affected by this issue is the function pthread_cond_destroy of the component Public API. The manipulation leads to memory corruption. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 5.5 | CVE-2025-7616 |
| gopiplus--Vertical scroll image slideshow gallery | The Vertical scroll image slideshow gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in all versions up to, and including, 11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-18 | 6.4 | CVE-2025-5752 |
| Grafana--Grafana | Grafana is an open-source platform for monitoring and observability. The Grafana Alerting DingDing integration was not properly protected and could be exposed to users with Viewer permission. Fixed in versions 10.4.19+security-01, 11.2.10+security-01, 11.3.7+security-01, 11.4.5+security-01, 11.5.5+security-01, 11.6.2+security-01 and 12.0.1+security-01 | 2025-07-17 | 4.3 | CVE-2025-3415 |
| Grafana--Grafana | An open redirect vulnerability has been identified in Grafana OSS organization switching functionality. Prerequisites for exploitation: - Multiple organizations must exist in the Grafana instance - Victim must be on a different organization than the one specified in the URL | 2025-07-18 | 4.2 | CVE-2025-6197 |
| Greg Winiarski--WPAdverts | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Greg Winiarski WPAdverts allows DOM-Based XSS. This issue affects WPAdverts: from n/a through 2.2.5. | 2025-07-16 | 6.5 | CVE-2025-54024 |
| GSheetConnector by WesternDeal--WooCommerce Google Sheet Connector | Cross-Site Request Forgery (CSRF) vulnerability in GSheetConnector by WesternDeal WooCommerce Google Sheet Connector allows Cross Site Request Forgery. This issue affects WooCommerce Google Sheet Connector: from n/a through 1.3.20. | 2025-07-16 | 4.3 | CVE-2025-54030 |
| harry0703--MoneyPrinterTurbo | A vulnerability, which was classified as critical, was found in harry0703 MoneyPrinterTurbo up to 1.2.6. Affected is the function upload_bgm_file of the file app/controllers/v1/video.py of the component File Extension Handler. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. | 2025-07-20 | 6.3 | CVE-2025-7895 |
| harry0703--MoneyPrinterTurbo | A vulnerability has been found in harry0703 MoneyPrinterTurbo up to 1.2.6 and classified as critical. Affected by this vulnerability is the function download_video/delete_video of the file app/controllers/v1/video.py. The manipulation leads to path traversal. The attack can be launched remotely. | 2025-07-20 | 6.3 | CVE-2025-7896 |
| hashthemes--Easy Elementor Addons | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hashthemes Easy Elementor Addons allows Stored XSS. This issue affects Easy Elementor Addons: from n/a through 2.2.5. | 2025-07-16 | 6.5 | CVE-2025-48295 |
| HT Plugins--HT Contact Form 7 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in HT Plugins HT Contact Form 7 allows PHP Local File Inclusion. This issue affects HT Contact Form 7: from n/a through 2.0.0. | 2025-07-16 | 6.6 | CVE-2025-54015 |
| Huashengdun--WebSSH | A vulnerability, which was classified as problematic, has been found in Huashengdun WebSSH up to 1.6.2. Affected by this issue is some unknown functionality of the component Login Page. The manipulation of the argument hostname/port leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 4.3 | CVE-2025-7885 |
| IBM--QRadar SIEM | IBM QRadar SIEM 7.5 - 7.5.0 UP12 IF02 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-07-15 | 6.4 | CVE-2025-33097 |
| IBM--Sterling B2B Integrator | IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.0.0.0 through 6.1.2.7 and 6.2.0.0 through 6.2.0.4 uses a web link with untrusted references to an external site. A remote attacker could exploit this vulnerability to expose sensitive information or perform unauthorized actions on the victims' web browser. | 2025-07-18 | 5.4 | CVE-2025-33014 |
| InstantBits--Web Video Cast App | A vulnerability was found in InstantBits Web Video Cast App up to 5.12.4 on Android. It has been rated as problematic. Affected by this issue is some unknown functionality of the file AndroidManifest.xml of the component com.instantbits.cast.webvideo. The manipulation leads to improper export of android application components. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 5.3 | CVE-2025-7891 |
| itsourcecode--Insurance Management System | A vulnerability, which was classified as critical, was found in itsourcecode Insurance Management System 1.0. This affects an unknown part of the file /insertNominee.php. The manipulation of the argument nominee_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 6.3 | CVE-2025-7904 |
| itsourcecode--Insurance Management System | A vulnerability has been found in itsourcecode Insurance Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /insertPayment.php. The manipulation of the argument recipt_no leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 6.3 | CVE-2025-7905 |
| jetmonsters--Restaurant Menu by MotoPress | Cross-Site Request Forgery (CSRF) vulnerability in jetmonsters Restaurant Menu by MotoPress allows Cross Site Request Forgery. This issue affects Restaurant Menu by MotoPress: from n/a through 2.4.6. | 2025-07-16 | 5.4 | CVE-2025-54038 |
| JiranSoft--CrossEditor4 | The improper default setting in JiranSoft CrossEditor4 on Windows, Linux, Unix (API modules) potentaily allows Stored XSS. This issue affects CrossEditor4: from 4.0.0.01 before 4.6.0.23. | 2025-07-15 | 4.3 | CVE-2025-7672 |
| juiiee8487--Testimonial Post type | The Testimonial Post type plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'auto_play' parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-18 | 6.4 | CVE-2025-5800 |
| Kerfred--FG Drupal to WordPress | Server-Side Request Forgery (SSRF) vulnerability in Kerfred FG Drupal to WordPress allows Server Side Request Forgery. This issue affects FG Drupal to WordPress: from n/a through 3.90.0. | 2025-07-16 | 4.4 | CVE-2025-48294 |
| krasenslavov--Block Editor Gallery Slider | The Block Editor Gallery Slider plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the classic_gallery_slider_options() function in all versions up to, and including, 1.1.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update limited post meta for arbitrary posts. | 2025-07-18 | 4.3 | CVE-2025-6726 |
| Kyle Gilman--Videopack | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kyle Gilman Videopack allows DOM-Based XSS. This issue affects Videopack: from n/a through 4.10.3. | 2025-07-16 | 6.5 | CVE-2025-54016 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `index.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts in the `erro` parameter. Version 3.4.5 contains a patch for the issue. | 2025-07-14 | 6.5 | CVE-2025-53820 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `relatorio_geracao.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts in the `tipo_relatorio` parameter. Version 3.4.5 has a patch for the issue. | 2025-07-14 | 6.5 | CVE-2025-53822 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in versions prior to 3.4.6 in the `pre_cadastro_atendido.php` endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the `msg_e` parameter. Version 3.4.6 fixes the issue. | 2025-07-18 | 6.5 | CVE-2025-54076 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in versions prior to 3.4.6 in the `personalizacao.php` endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the `err` parameter. Version 3.4.6 fixes the issue. | 2025-07-18 | 6.5 | CVE-2025-54077 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in versions prior to 3.4.6 in the `personalizacao_imagem.php` endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the `err` parameter. Version 3.4.6 fixes the issue. | 2025-07-18 | 6.5 | CVE-2025-54078 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. An Open Redirect vulnerability exists in the web application prior to version 3.4.5. The control.php endpoint allows to specify an arbitrary URL via the `nextPage` parameter, leading to an uncontrolled redirection. Version 3.4.5 contains a fix for the issue. | 2025-07-14 | 4.7 | CVE-2025-53821 |
| LB-LINK--BL-AC1900 | A vulnerability classified as critical was found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. This vulnerability affects the function bs_GetHostInfo in the library libblinkapi.so of the file /cgi-bin/lighttpd.cgi. The manipulation leads to information disclosure. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-14 | 5.3 | CVE-2025-7572 |
| LB-LINK--BL-AC1900 | A vulnerability, which was classified as critical, has been found in LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702. This issue affects the function bs_GetManPwd in the library libblinkapi.so of the file /cgi-bin/lighttpd.cgi. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-14 | 5.3 | CVE-2025-7573 |
| LB-LINK--BL-AC3600 | A vulnerability, which was classified as critical, was found in LB-LINK BL-AC3600 up to 1.0.22. This affects the function geteasycfg of the file /cgi-bin/lighttpd.cgi of the component Web Management Interface. The manipulation of the argument Password leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-14 | 5.3 | CVE-2025-7565 |
| Lenovo--FileZ Client | An authentication bypass vulnerability was reported in FileZ client application that could allow a local attacker with elevated permissions access to application data. | 2025-07-17 | 6.7 | CVE-2025-6249 |
| Lenovo--PC Manager | A buffer overflow vulnerability was reported in the Lenovo Protection Driver, prior to version 5.1.1110.4231, used in Lenovo PC Manager, Lenovo Browser, and Lenovo App Store could allow a local attacker with elevated privileges to execute arbitrary code. | 2025-07-17 | 6.7 | CVE-2025-4657 |
| Lenovo--TrackPoint Quick Menu | A DLL hijacking vulnerability was reported in TrackPoint Quick Menu software that, under certain conditions, could allow a local attacker to escalate privileges. | 2025-07-17 | 6.7 | CVE-2025-1729 |
| Lenovo--Vantage | A SQL injection vulnerability was reported in Lenovo Vantage that could allow a local attacker to modify the local SQLite database and execute code with elevated permissions. | 2025-07-17 | 5.3 | CVE-2025-6230 |
| lewisking0072--Map My Locations | The Map My Locations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'map_my_locations' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-18 | 6.4 | CVE-2025-7660 |
| libp2p--py-libp2p | py-libp2p before 0.2.3 allows a peer to cause a denial of service (resource consumption) via a large RSA key. | 2025-07-14 | 4.3 | CVE-2025-29606 |
| litonice13--Master Addons Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations | The Master Addons - Elementor Addons with White Label, Free Widgets, Hover Effects, Conditions, & Animations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS extension in all versions up to, and including, 2.0.8.2 due to insufficient capability restriction, and insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-16 | 6.4 | CVE-2025-5284 |
| Logpoint--Logpoint | An issue was discovered in Logpoint before 7.6.0. When creating reports, attackers can create custom Jinja templates that chained built-in filter functions to generate XSS payloads. These payloads can be rendered by the Logpoint Report Template engine, making it vulnerable to cross-site scripting (XSS) attacks. | 2025-07-20 | 4.9 | CVE-2025-54316 |
| malcure--Malcure Malware Scanner #1 Toolset for Malware Removal | The Malcure Malware Scanner - #1 Toolset for WordPress Malware Removal plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 16.8 via the wpmr_inspect_file() function due to a missing capability check. This makes it possible for authenticated attackers, with subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-07-18 | 6.5 | CVE-2025-7772 |
| Mattermost--Mattermost | Mattermost versions 10.5.x <= 10.5.6, 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 9.11.x <= 9.11.16 fail to verify authorization when retrieving cached posts by PendingPostID which allows an authenticated user to read posts in private channels they don't have access to via guessing the PendingPostID of recently created posts. | 2025-07-18 | 6.5 | CVE-2025-6226 |
| Mattermost--Mattermost | Mattermost versions 10.8.x <= 10.8.1, 10.7.x <= 10.7.3, 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to sanitize input paths of file attachments in the bulk import JSONL file, which allows a system admin to read arbitrary system files via path traversal. | 2025-07-18 | 6.8 | CVE-2025-6233 |
| maxomatos--Partnersk systm Martinus | The Partnerský systém Martinus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'martinus' shortcode in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-19 | 6.4 | CVE-2025-7661 |
| Mbed--mbedtls | Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigger conflicting data with val.p of NULL but val.len greater than zero. | 2025-07-20 | 4 | CVE-2025-48965 |
| Mbed--mbedtls | In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used. | 2025-07-20 | 4 | CVE-2025-49087 |
| metagauss--ProfileGrid User Profiles, Groups and Communities | The ProfileGrid - User Profiles, Groups and Communities plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'pm_get_messenger_notification' function in all versions up to, and including, 5.9.5.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a logged-in user into performing an action such as clicking on a link. | 2025-07-16 | 6.1 | CVE-2025-6977 |
| Metasoft --MetaCRM | A vulnerability was found in Metasoft 美特软件 MetaCRM up to 6.4.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file mcc_login.jsp. The manipulation of the argument workerid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 6.3 | CVE-2025-7873 |
| Metasoft --MetaCRM | A vulnerability classified as critical was found in Metasoft 美特软件 MetaCRM up to 6.4.2. This vulnerability affects the function AnalyzeParam of the file download.jsp. The manipulation of the argument p leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 6.3 | CVE-2025-7876 |
| Metasoft --MetaCRM | A vulnerability, which was classified as critical, has been found in Metasoft 美特软件 MetaCRM up to 6.4.2. This issue affects some unknown processing of the file sendfile.jsp. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 6.3 | CVE-2025-7877 |
| Metasoft --MetaCRM | A vulnerability, which was classified as critical, was found in Metasoft 美特软件 MetaCRM up to 6.4.2. Affected is an unknown function of the file /common/jsp/upload2.jsp. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 6.3 | CVE-2025-7878 |
| Metasoft --MetaCRM | A vulnerability has been found in Metasoft 美特软件 MetaCRM up to 6.4.2 and classified as critical. Affected by this vulnerability is an unknown functionality of the file mobileupload.jsp. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 6.3 | CVE-2025-7879 |
| Metasoft --MetaCRM | A vulnerability was found in Metasoft 美特软件 MetaCRM up to 6.4.2 and classified as critical. Affected by this issue is some unknown functionality of the file /business/common/sms/sendsms.jsp. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 6.3 | CVE-2025-7880 |
| Metasoft --MetaCRM | A vulnerability was found in Metasoft 美特软件 MetaCRM up to 6.4.2. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /env.jsp. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 5.3 | CVE-2025-7874 |
| Microsoft--Azure Machine Learning | Weak authentication in Azure Machine Learning allows an authorized attacker to elevate privileges over a network. | 2025-07-18 | 6.5 | CVE-2025-47995 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2025-07-20 | 6.3 | CVE-2025-53771 |
| milanmk--Listly: Listicles For WordPress | The Listly: Listicles For WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the Init() function in all versions up to, and including, 2.7. This makes it possible for unauthenticated attackers to delete arbitrary transient values on the WordPress site. | 2025-07-18 | 5.3 | CVE-2025-5811 |
| n/a--chinese-poetry | A vulnerability was found in chinese-poetry 0.1. It has been rated as problematic. This issue affects some unknown processing of the file rank/server.js. The manipulation leads to inefficient regular expression complexity. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 4.3 | CVE-2025-7579 |
| n/a--GPAC | A vulnerability was found in GPAC up to 2.4. It has been rated as problematic. Affected by this issue is the function gf_dash_download_init_segment of the file src/media_tools/dash_client.c. The manipulation of the argument base_init_url leads to null pointer dereference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 153ea314b6b053db17164f8bc3c7e1e460938eaa. It is recommended to apply a patch to fix this issue. | 2025-07-18 | 5.3 | CVE-2025-7797 |
| n/a--IDnow App | A vulnerability classified as problematic has been found in IDnow App up to 9.6.0 on Android. This affects an unknown part of the file AndroidManifest.xml of the component de.idnow. The manipulation leads to improper export of android application components. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 5.3 | CVE-2025-7892 |
| n/a--jshERP | A vulnerability has been found in jshERP up to 3.5 and classified as critical. This vulnerability affects the function exportExcelByParam of the file /src/main/java/com/jsh/erp/controller/SystemConfigController.java. The manipulation of the argument Title leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-14 | 4.7 | CVE-2025-7566 |
| n/a--Onyx | A vulnerability, which was classified as critical, has been found in Onyx up to 0.29.1. This issue affects the function generate_simple_sql of the file backend/onyx/agents/agent_search/kb_search/nodes/a3_generate_simple_sql.py of the component Chat Interface. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 6.3 | CVE-2025-7894 |
| n/a--ShopXO | A vulnerability was found in ShopXO up to 6.5.0 and classified as problematic. This issue affects some unknown processing of the file header.html. The manipulation of the argument lang/system_type leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 4.3 | CVE-2025-7567 |
| nanbu--Welcart e-Commerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nanbu Welcart e-Commerce allows Stored XSS. This issue affects Welcart e-Commerce: from n/a through 2.11.16. | 2025-07-16 | 5.9 | CVE-2025-54013 |
| NVIDIA--Jetson Orin and Xavier Devices | NVIDIA Jetson Linux contains a vulnerability in the kernel where an attacker may cause an exposure of sensitive information due to a shared microarchitectural predictor state that influences transient execution. A successful exploit of this vulnerability may lead to information disclosure. | 2025-07-17 | 4.7 | CVE-2025-23269 |
| One Identity--OneLogin | In One Identity OneLogin before 2025.2.0, the SQL connection "application name" is set based on the value of an untrusted X-RequestId HTTP request header. | 2025-07-19 | 4 | CVE-2025-52924 |
| OpenCTI-Platform--opencti | OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to version 6.6.6, an IDOR vulnerability in the GrapQL `NotificationLineNotificationMarkReadMutation` and `NotificationLineNotificationDeleteMutation` mutations of OpenCTI allows an authenticated user to change the read status of a notification or delete a notification of another user in case he has knowledge of the UUID of the notification. When changing the read status of a notification, the user also receives the content of the notification they changed the read status of. Authenticated Users in OpenCTI can read, modify and delete notification of other users if they know the UUID of the notification. Version 6.6.6 fixes the issue. | 2025-07-18 | 5.4 | CVE-2025-46732 |
| Oracle Corporation--JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are 9.2.0.0-9.2.9.3. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | 2025-07-15 | 5.4 | CVE-2025-30760 |
| Oracle Corporation--JDBC | Vulnerability in the JDBC component of Oracle Database Server. Supported versions that are affected are 23.4-23.8. Difficult to exploit vulnerability allows low privileged attacker having Authenticated OS User privilege with logon to the infrastructure where JDBC executes to compromise JDBC. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JDBC, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JDBC accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N). | 2025-07-15 | 5.3 | CVE-2025-50070 |
| Oracle Corporation--MySQL Cluster | Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: General). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Cluster executes to compromise MySQL Cluster. Successful attacks of this vulnerability can result in takeover of MySQL Cluster. CVSS 3.1 Base Score 6.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). | 2025-07-15 | 6.7 | CVE-2025-50068 |
| Oracle Corporation--MySQL Cluster | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50077 |
| Oracle Corporation--MySQL Cluster | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Server accessible data. CVSS 3.1 Base Score 4.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N). | 2025-07-15 | 4.9 | CVE-2025-50087 |
| Oracle Corporation--MySQL Cluster | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Replication). Supported versions that are affected are 8.0.0-8.0.42. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-53023 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.25. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 6.5 | CVE-2025-50076 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 6.5 | CVE-2025-50078 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 6.5 | CVE-2025-50082 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 6.5 | CVE-2025-50083 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H). | 2025-07-15 | 5.5 | CVE-2025-50085 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50079 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50080 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50084 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Components Services). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50086 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.41, 8.4.0-8.4.4 and 9.0.0-9.2.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50088 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50089 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50091 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50092 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50093 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.42, 8.4.5 and 9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50094 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50095 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Server executes to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.4 | CVE-2025-50096 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50097 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50099 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50101 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-50102 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: LDAP Auth). Supported versions that are affected are 9.0.0-9.3.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.4 | CVE-2025-50103 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.1.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 4.9 | CVE-2025-53032 |
| Oracle Corporation--Oracle Applications Framework | Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Web Utilities). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Framework. While the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data. CVSS 3.1 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N). | 2025-07-15 | 6.4 | CVE-2025-50071 |
| Oracle Corporation--Oracle Applications Framework | Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | 2025-07-15 | 5.4 | CVE-2025-50090 |
| Oracle Corporation--Oracle Business Intelligence Enterprise Edition | Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Platform Security). Supported versions that are affected are 7.6.0.0.0, 8.2.0.0.0 and 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Intelligence Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2025-07-15 | 6.1 | CVE-2025-30759 |
| Oracle Corporation--Oracle CRM Technical Foundation | Vulnerability in the Oracle CRM Technical Foundation product of Oracle E-Business Suite (component: Preferences). Supported versions that are affected are 12.2.11-12.2.13. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle CRM Technical Foundation. While the vulnerability is in Oracle CRM Technical Foundation, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle CRM Technical Foundation accessible data as well as unauthorized read access to a subset of Oracle CRM Technical Foundation accessible data. CVSS 3.1 Base Score 5.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N). | 2025-07-15 | 5.5 | CVE-2025-30739 |
| Oracle Corporation--Oracle Financial Services Analytical Applications Infrastructure | Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.8, 8.0.8.5, 8.0.8.6, 8.1.1.4 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2025-07-15 | 5.3 | CVE-2025-53031 |
| Oracle Corporation--Oracle Hyperion Financial Reporting | Vulnerability in the Oracle Hyperion Financial Reporting product of Oracle Hyperion (component: Workspace). The supported version that is affected is 11.2.20.0.000. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hyperion Financial Reporting. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hyperion Financial Reporting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hyperion Financial Reporting accessible data as well as unauthorized read access to a subset of Oracle Hyperion Financial Reporting accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | 2025-07-15 | 5.4 | CVE-2025-50108 |
| Oracle Corporation--Oracle iStore | Vulnerability in the Oracle iStore product of Oracle E-Business Suite (component: Shopping Cart). Supported versions that are affected are 12.2.3-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle iStore. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle iStore, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle iStore accessible data as well as unauthorized read access to a subset of Oracle iStore accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2025-07-15 | 6.1 | CVE-2025-30746 |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Scripting). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf and 11.0.27; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N). | 2025-07-15 | 5.9 | CVE-2025-30761 |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u451, 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2025-07-15 | 4.8 | CVE-2025-30754 |
| Oracle Corporation--Oracle MES for Process Manufacturing | Vulnerability in the Oracle MES for Process Manufacturing product of Oracle E-Business Suite (component: Device Integration). Supported versions that are affected are 12.2.12-12.2.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle MES for Process Manufacturing. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle MES for Process Manufacturing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle MES for Process Manufacturing accessible data as well as unauthorized read access to a subset of Oracle MES for Process Manufacturing accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2025-07-15 | 6.1 | CVE-2025-30745 |
| Oracle Corporation--Oracle REST Data Services | Vulnerability in Oracle REST Data Services (component: General). The supported version that is affected is 24.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle REST Data Services accessible data as well as unauthorized read access to a subset of Oracle REST Data Services accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2025-07-15 | 6.1 | CVE-2025-30756 |
| Oracle Corporation--Oracle Universal Work Queue | Vulnerability in the Oracle Universal Work Queue product of Oracle E-Business Suite (component: Request handling). Supported versions that are affected are 12.2.5-12.2.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Universal Work Queue. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Universal Work Queue, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Universal Work Queue accessible data as well as unauthorized read access to a subset of Oracle Universal Work Queue accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2025-07-15 | 6.1 | CVE-2025-50107 |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | 2025-07-15 | 6 | CVE-2025-53025 |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | 2025-07-15 | 6 | CVE-2025-53026 |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | 2025-07-15 | 6 | CVE-2025-53030 |
| Oracle Corporation--Oracle WebLogic Server | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2025-07-15 | 6.5 | CVE-2025-30753 |
| Oracle Corporation--Oracle WebLogic Server | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Container). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2025-07-15 | 6.1 | CVE-2025-50073 |
| Oracle Corporation--Oracle WebLogic Server | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N). | 2025-07-15 | 4.8 | CVE-2025-50064 |
| Oracle Corporation--Oracle WebLogic Server | Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle WebLogic Server executes to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 4.0 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N). | 2025-07-15 | 4 | CVE-2025-50072 |
| Oracle Corporation--PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: PIA Core Technology). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2025-07-15 | 6.1 | CVE-2025-30748 |
| Oracle Corporation--PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: PIA Core Technology). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N). | 2025-07-15 | 4.3 | CVE-2025-30747 |
| Oracle Corporation--Primavera P6 Enterprise Project Portfolio Management | Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product of Oracle Construction and Engineering (component: Web Access). Supported versions that are affected are 20.12.0-20.12.21, 21.12.0-21.12.21, 22.12.0-22.12.19, 23.12.0-23.12.13 and 24.12.0-24.12.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized read access to a subset of Primavera P6 Enterprise Project Portfolio Management accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | 2025-07-15 | 5.4 | CVE-2025-50061 |
| Oracle Corporation--Siebel CRM End User | Vulnerability in the Siebel CRM End User product of Oracle Siebel CRM (component: User Interface). Supported versions that are affected are 25.0-25.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM End User. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Siebel CRM End User accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2025-07-15 | 5.3 | CVE-2025-30758 |
| OTRS AG--OTRS | A vulnerability in the External Interface of OTRS allows conclusions to be drawn about the existence of user accounts through different HTTP response codes and messages. This enables an attacker to systematically identify valid email addresses. This issue affects: * OTRS 7.0.X * OTRS 8.0.X * OTRS 2023.X * OTRS 2024.X * OTRS 2025.X | 2025-07-14 | 5.3 | CVE-2025-24391 |
| papin--Companion Auto Update | The Companion Auto Update plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'update_delay_days' parameter in all versions up to, and including, 3.9.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-07-15 | 5.5 | CVE-2025-4369 |
| Parakoos--Image Wall | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Parakoos Image Wall allows Stored XSS. This issue affects Image Wall: from n/a through 3.1. | 2025-07-16 | 6.5 | CVE-2025-48156 |
| PHPGurukul--Complaint Management System | A vulnerability, which was classified as problematic, was found in PHPGurukul Complaint Management System 2.0. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 4.3 | CVE-2025-7834 |
| PHPGurukul--Dairy Farm Shop Management System | A vulnerability classified as critical has been found in PHPGurukul Dairy Farm Shop Management System 1.3. This affects an unknown part of the file edit-product.php. The manipulation of the argument productname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7588 |
| PHPGurukul--Dairy Farm Shop Management System | A vulnerability classified as critical was found in PHPGurukul Dairy Farm Shop Management System 1.3. This vulnerability affects unknown code of the file edit-company.php. The manipulation of the argument companyname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7589 |
| PHPGurukul--Dairy Farm Shop Management System | A vulnerability, which was classified as critical, has been found in PHPGurukul Dairy Farm Shop Management System 1.3. This issue affects some unknown processing of the file edit-category.php. The manipulation of the argument categorycode leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7590 |
| PHPGurukul--Dairy Farm Shop Management System | A vulnerability, which was classified as critical, was found in PHPGurukul Dairy Farm Shop Management System 1.3. Affected is an unknown function of the file view-invoice.php. The manipulation of the argument invid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7591 |
| PHPGurukul--Dairy Farm Shop Management System | A vulnerability has been found in PHPGurukul Dairy Farm Shop Management System 1.3 and classified as critical. Affected by this vulnerability is an unknown functionality of the file invoices.php. The manipulation of the argument del leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7592 |
| PHPGurukul--Dairy Farm Shop Management System | A vulnerability, which was classified as critical, has been found in PHPGurukul Dairy Farm Shop Management System 1.3. Affected by this issue is some unknown functionality of the file /invoice.php. The manipulation of the argument del leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7599 |
| PHPGurukul--Online Fire Reporting System | A vulnerability was found in PHPGurukul Online Fire Reporting System 1.2. It has been classified as critical. This affects an unknown part of the file /admin/bwdates-report-result.php. The manipulation of the argument fromdate/todate leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7559 |
| PHPGurukul--Online Fire Reporting System | A vulnerability was found in PHPGurukul Online Fire Reporting System 1.2. It has been declared as critical. This vulnerability affects unknown code of the file /admin/workin-progress-requests.php. The manipulation of the argument teamid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7560 |
| PHPGurukul--Online Fire Reporting System | A vulnerability was found in PHPGurukul Online Fire Reporting System 1.2. It has been rated as critical. This issue affects some unknown processing of the file /admin/team-ontheway-requests.php. The manipulation of the argument teamid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7561 |
| PHPGurukul--Online Fire Reporting System | A vulnerability classified as critical has been found in PHPGurukul Online Fire Reporting System 1.2. Affected is an unknown function of the file /admin/new-requests.php. The manipulation of the argument teamid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7562 |
| PHPGurukul--Online Fire Reporting System | A vulnerability classified as critical was found in PHPGurukul Online Fire Reporting System 1.2. Affected by this vulnerability is an unknown functionality of the file /admin/completed-requests.php. The manipulation of the argument teamid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7563 |
| PHPGurukul--Online Fire Reporting System | A vulnerability, which was classified as critical, was found in PHPGurukul Online Fire Reporting System 1.2. This affects an unknown part of the file /admin/assigned-requests.php. The manipulation of the argument teamid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7582 |
| PHPGurukul--Online Fire Reporting System | A vulnerability has been found in PHPGurukul Online Fire Reporting System 1.2 and classified as critical. This vulnerability affects unknown code of the file /admin/all-requests.php. The manipulation of the argument teamid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7583 |
| PHPGurukul--Online Fire Reporting System | A vulnerability was found in PHPGurukul Online Fire Reporting System 1.2 and classified as critical. This issue affects some unknown processing of the file /admin/add-team.php. The manipulation of the argument teammember leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7584 |
| PHPGurukul--Online Fire Reporting System | A vulnerability was found in PHPGurukul Online Fire Reporting System 1.2. It has been classified as critical. Affected is an unknown function of the file /admin/manage-site.php. The manipulation of the argument webtitle leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7585 |
| PHPGurukul--Online Library Management System | A vulnerability, which was classified as critical, was found in PHPGurukul Online Library Management System 3.0. This affects an unknown part of the file /admin/student-history.php. The manipulation of the argument stdid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7600 |
| qBittorrent--qBittorrent | qBittorrent before 5.1.2 does not prevent access to a local file that is referenced in a link URL. This affects rsswidget.cpp and searchjobwidget.cpp. | 2025-07-18 | 4 | CVE-2025-54310 |
| qianfox--FoxCMS | A vulnerability was found in qianfox FoxCMS up to 1.2.5. It has been classified as critical. Affected is the function batchCope of the file app/admin/controller/Video.php. The manipulation of the argument ids leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-14 | 6.3 | CVE-2025-7568 |
| QuanticaLabs--Cost Calculator | Missing Authorization vulnerability in QuanticaLabs Cost Calculator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cost Calculator: from n/a through 7.4. | 2025-07-16 | 4.3 | CVE-2025-54047 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm. | 2025-07-18 | 6.5 | CVE-2025-7784 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in polkit. When processing an XML policy with 32 or more nested elements in depth, an out-of-bounds write can be triggered. This issue can lead to a crash or other unexpected behavior, and arbitrary code execution is not discarded. To exploit this flaw, a high-privilege account is needed as it's required to place the malicious policy file properly. | 2025-07-14 | 6.7 | CVE-2025-7519 |
| ruven-themes--Ruven Themes: Shortcodes | The Ruven Themes: Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ruven_button' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-18 | 6.4 | CVE-2025-7648 |
| ryanfaber--Copymatic AI Content Writer & Generator | The Copymatic - AI Content Writer & Generator plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1. This is due to missing or incorrect nonce validation on the 'copymatic-menu' page. This makes it possible for unauthenticated attackers to update the copymatic_apikey option via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-18 | 4.3 | CVE-2025-6781 |
| SMTP2GO--SMTP2GO | Missing Authorization vulnerability in SMTP2GO SMTP2GO allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SMTP2GO: from n/a through 1.12.1. | 2025-07-16 | 4.3 | CVE-2025-54011 |
| TDuckCloud--tduck-platform | A vulnerability was found in TDuckCloud tduck-platform 5.1 and classified as critical. This issue affects the function UserFormDataMapper of the file src/main/java/com/tduck/cloud/form/mapper/UserFormDataMapper.java. The manipulation of the argument formKey leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 6.3 | CVE-2025-7888 |
| Teledyne--FLIR FB-Series O | A vulnerability was found in Teledyne FLIR FB-Series O and FLIR FH-Series ID 1.3.2.16. It has been declared as critical. This vulnerability affects the function sendCommand of the file runcmd.sh. The manipulation of the argument cmd leads to command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The researcher highlights, that "[a]lthough this functionality is currently disabled due to server CGI configuration errors, it is essentially a 'time bomb' waiting to be activated". The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-14 | 5 | CVE-2025-7578 |
| themefusion--Avada (Fusion) Builder | The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'fusion_map' shortcode in all versions up to, and including, 3.12.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-16 | 6.4 | CVE-2025-6747 |
| ThemeIsle--Hestia | Missing Authorization vulnerability in ThemeIsle Hestia allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Hestia: from n/a through 3.2.10. | 2025-07-16 | 5.3 | CVE-2025-53986 |
| ThemeREX--ThemeREX Addons | The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin's SVG rendering routine calls the trx_addons_get_svg_from_file() function on an unvalidated 'svg' parameter supplied via the shortcode or Elementor widget settings, then outputs it via the trx_addons_show_layout() function. Because there is no check on the URL's origin, scheme, or the SVG content itself, authenticated attackers, with Contributor-level access and above, can supply a remote SVG and inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2025-07-19 | 6.4 | CVE-2025-6997 |
| thinkgem--JeeSite | A vulnerability, which was classified as critical, was found in thinkgem JeeSite up to 5.12.0. This affects an unknown part of the file modules/core/src/main/java/com/jeesite/common/ueditor/ActionEnter.java of the component UEditor Image Grabber. The manipulation of the argument Source leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 1c5e49b0818037452148e0f8ff69ed04cb8fefdc. It is recommended to apply a patch to fix this issue. | 2025-07-17 | 6.3 | CVE-2025-7759 |
| thinkgem--JeeSite | A vulnerability was found in thinkgem JeeSite up to 5.12.0. It has been classified as critical. This affects the function Upload of the file src/main/java/com/jeesite/modules/file/web/FileUploadController.java. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is 3585737d21fe490ff6948d913fcbd8d99c41fc08. It is recommended to apply a patch to fix this issue. | 2025-07-20 | 6.3 | CVE-2025-7864 |
| thinkgem--JeeSite | A vulnerability, which was classified as problematic, was found in thinkgem JeeSite up to 5.12.0. Affected is the function select of the file src/main/java/com/jeesite/modules/cms/web/SiteController.java of the component Site Controller. The manipulation of the argument redirect leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 3d06b8d009d0267f0255acc87ea19d29d07cedc3. It is recommended to apply a patch to fix this issue. | 2025-07-17 | 4.3 | CVE-2025-7763 |
| thinkgem--JeeSite | A vulnerability classified as problematic was found in thinkgem JeeSite up to 5.12.0. This vulnerability affects the function sso of the file src/main/java/com/jeesite/modules/sys/web/SsoController.java. The manipulation of the argument redirect leads to open redirect. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 3d06b8d009d0267f0255acc87ea19d29d07cedc3. It is recommended to apply a patch to fix this issue. | 2025-07-18 | 4.3 | CVE-2025-7785 |
| TimeLineOfficial--Time-Line- | The timelineofficial/Time-Line- repository contains the source code for the TIME LINE website. A vulnerability was found in the TIME LINE website where uploaded files (instruction/message media) are not strictly validated for type and size. A user may upload renamed or oversized files that can disrupt performance or bypass restrictions. This could result in malicious file upload, denial of service, or client-side crashes. Version 1.0.5 contains a fix for the issue. | 2025-07-15 | 4.3 | CVE-2025-53891 |
| tkrivickas--Live Stream Badger | The Live Stream Badger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'livestream' shortcode in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-19 | 6.4 | CVE-2025-7655 |
| Toast Plugins--Animator | Cross-Site Request Forgery (CSRF) vulnerability in Toast Plugins Animator allows Cross Site Request Forgery. This issue affects Animator: from n/a through 3.0.16. | 2025-07-16 | 4.3 | CVE-2025-54039 |
| TOTOLINK--T6 | A vulnerability was found in TOTOLINK T6 4.1.5cu.748. It has been rated as critical. This issue affects the function CloudSrvVersionCheck of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ip leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7613 |
| TOTOLINK--T6 | A vulnerability classified as critical has been found in TOTOLINK T6 4.1.5cu.748. Affected is the function delDevice of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ipAddr leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7614 |
| TOTOLINK--T6 | A vulnerability classified as critical was found in TOTOLINK T6 4.1.5cu.748. Affected by this vulnerability is the function clearPairCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ip leads to command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 6.3 | CVE-2025-7615 |
| Tribulant Software--Newsletters | Cross-Site Request Forgery (CSRF) vulnerability in Tribulant Software Newsletters allows Cross Site Request Forgery. This issue affects Newsletters: from n/a through 4.10. | 2025-07-16 | 4.3 | CVE-2025-54035 |
| Vidco Software--VOC TESTER | Authorization Bypass Through User-Controlled Key vulnerability in Vidco Software VOC TESTER allows Forceful Browsing.This issue affects VOC TESTER: before 12.41.0. | 2025-07-18 | 5.5 | CVE-2024-13175 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.1.1552, a path traversal issue in Vim's tar.vim plugin can allow overwriting of arbitrary files when opening specially crafted tar archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1552 contains a patch for the vulnerability. | 2025-07-15 | 4.1 | CVE-2025-53905 |
| vim--vim | Vim is an open source, command line text editor. Prior to version 9.1.1551, a path traversal issue in Vim's zip.vim plugin can allow overwriting of arbitrary files when opening specially crafted zip archives. Impact is low because this exploit requires direct user interaction. However, successfully exploitation can lead to overwriting sensitive files or placing executable code in privileged locations, depending on the permissions of the process editing the archive. The victim must edit such a file using Vim which will reveal the filename and the file content, a careful user may suspect some strange things going on. Successful exploitation could results in the ability to execute arbitrary commands on the underlying operating system. Version 9.1.1551 contains a patch for the vulnerability. | 2025-07-15 | 4.1 | CVE-2025-53906 |
| vladimirs--Terms descriptions | The Terms descriptions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-07-18 | 4.4 | CVE-2025-6719 |
| vloo--EPay.bg Payments | The EPay.bg Payments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'epay' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-19 | 6.4 | CVE-2025-7653 |
| VMware--Reactor Netty | In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. | 2025-07-16 | 6.1 | CVE-2025-22227 |
| Webba Appointment Booking--Webba Booking | Cross-Site Request Forgery (CSRF) vulnerability in Webba Appointment Booking Webba Booking allows Cross Site Request Forgery. This issue affects Webba Booking: from n/a through 5.1.20. | 2025-07-16 | 4.3 | CVE-2025-54036 |
| Westermo--WeOS | An issue was discovered in Westermo WeOS 5 (5.24 through 5.24.4). A threat actor potentially can gain unauthorized access to sensitive information via system logging information (syslog verbose logging that includes credentials). | 2025-07-20 | 6.3 | CVE-2025-54319 |
| WP Delicious--WP Delicious | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Delicious WP Delicious allows DOM-Based XSS. This issue affects WP Delicious: from n/a through 1.8.4. | 2025-07-16 | 6.5 | CVE-2025-54023 |
| WP Swings--Wallet System for WooCommerce | Cross-Site Request Forgery (CSRF) vulnerability in WP Swings Wallet System for WooCommerce allows Cross Site Request Forgery. This issue affects Wallet System for WooCommerce: from n/a through 2.6.7. | 2025-07-16 | 4.3 | CVE-2025-54041 |
| wpchill--Strong Testimonials | The Strong Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Testimonial Custom Fields in all versions up to, and including, 3.2.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-15 | 6.4 | CVE-2025-7367 |
| wpchop--Affiliate Reviews | The Affiliate Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'numColumns' parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-16 | 6.4 | CVE-2025-5845 |
| wpeventmanager--WP Event Manager Events Calendar, Registrations, Sell Tickets with WooCommerce | The WP Event Manager - Events Calendar, Registrations, Sell Tickets with WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag-name' parameter in all versions up to, and including, 3.1.49 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2025-07-16 | 4.4 | CVE-2025-2799 |
| WPFactory--Product XML Feed Manager for WooCommerce | Missing Authorization vulnerability in WPFactory Product XML Feed Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product XML Feed Manager for WooCommerce: from n/a through 2.9.2. | 2025-07-16 | 6.5 | CVE-2025-30959 |
| WPFactory--Wishlist for WooCommerce | Missing Authorization vulnerability in WPFactory Wishlist for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wishlist for WooCommerce: from n/a through 3.2.3. | 2025-07-16 | 6.5 | CVE-2025-49319 |
| wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to time-based SQL Injection via the `order_by` parameter in all versions up to, and including, 1.45.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-07-18 | 4.9 | CVE-2025-7638 |
| wpwham--Crowdfunding for WooCommerce | The Crowdfunding for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in all versions up to, and including, 3.1.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-18 | 6.4 | CVE-2025-5767 |
| xfinitysoft--WP Post Hide | Cross-Site Request Forgery (CSRF) vulnerability in xfinitysoft WP Post Hide allows Cross Site Request Forgery. This issue affects WP Post Hide: from n/a through 1.0.9. | 2025-07-16 | 4.3 | CVE-2025-54042 |
| Xuxueli--xxl-job | A vulnerability, which was classified as critical, was found in Xuxueli xxl-job up to 3.1.1. Affected is the function httpJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to server-side request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 6.3 | CVE-2025-7787 |
| Xuxueli--xxl-job | A vulnerability has been found in Xuxueli xxl-job up to 3.1.1 and classified as critical. Affected by this vulnerability is the function commandJobHandler of the file src\main\java\com\xxl\job\executor\service\jobhandler\SampleXxlJob.java. The manipulation leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 6.3 | CVE-2025-7788 |
| yangzongzhuan--RuoYi | A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1 and classified as critical. This issue affects the function uploadFile of the file ruoyi-admin/src/main/java/com/ruoyi/web/controller/common/CommonController.java. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 6.3 | CVE-2025-7906 |
| yangzongzhuan--RuoYi | A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1. It has been rated as problematic. This issue affects some unknown processing of the file /swagger-ui/index.html of the component Swagger UI. The manipulation of the argument configUrl leads to cross site scripting. The attack may be initiated remotely. | 2025-07-20 | 4.3 | CVE-2025-7901 |
| yangzongzhuan--RuoYi | A vulnerability classified as problematic was found in yangzongzhuan RuoYi up to 4.8.1. Affected by this vulnerability is an unknown functionality of the component Image Source Handler. The manipulation leads to improper restriction of rendered ui layers. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 4.3 | CVE-2025-7903 |
| yangzongzhuan--RuoYi | A vulnerability was found in yangzongzhuan RuoYi up to 4.8.1. It has been classified as problematic. Affected is an unknown function of the file ruoyi-admin/src/main/resources/application-druid.yml of the component Druid. The manipulation leads to use of default credentials. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 4.3 | CVE-2025-7907 |
| YiJiuSmile--kkFileViewOfficeEdit | A vulnerability was found in YiJiuSmile kkFileViewOfficeEdit up to 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd and classified as critical. Affected by this issue is the function fileUpload of the file /fileUpload. The manipulation of the argument File leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | 2025-07-14 | 6.3 | CVE-2025-7627 |
| YiJiuSmile--kkFileViewOfficeEdit | A vulnerability was found in YiJiuSmile kkFileViewOfficeEdit up to 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd. It has been classified as critical. This affects the function deleteFile of the file /deleteFile. The manipulation of the argument fileName leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | 2025-07-14 | 5.4 | CVE-2025-7628 |
| YiJiuSmile--kkFileViewOfficeEdit | A vulnerability, which was classified as critical, was found in YiJiuSmile kkFileViewOfficeEdit up to 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd. Affected is the function Download of the file /download. The manipulation of the argument url leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | 2025-07-14 | 4.3 | CVE-2025-7625 |
| YiJiuSmile--kkFileViewOfficeEdit | A vulnerability has been found in YiJiuSmile kkFileViewOfficeEdit up to 5fbc57c48e8fe6c1b91e0e7995e2d59615f37abd and classified as critical. Affected by this vulnerability is the function onlinePreview of the file /onlinePreview. The manipulation of the argument url leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | 2025-07-14 | 4.3 | CVE-2025-7626 |
| Zavy86--WikiDocs | A vulnerability has been found in Zavy86 WikiDocs up to 1.0.77 and classified as critical. Affected by this vulnerability is the function image_drop_upload_ajax/image_delete_ajax of the file submit.php. The manipulation leads to path traversal. The attack can be launched remotely. Upgrading to version 1.0.78 is able to address this issue. The identifier of the patch is 98ea9ee4a2052c4327f89d2f7688cc1b5749450d. It is recommended to upgrade the affected component. | 2025-07-14 | 4.7 | CVE-2025-7575 |
| Zavy86--WikiDocs | A vulnerability has been found in Zavy86 WikiDocs up to 1.0.78 and classified as problematic. This vulnerability affects unknown code of the file template.inc.php. The manipulation of the argument path leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 4.3 | CVE-2025-7887 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Alcatel-Lucent--OmniAccess Stellar | Successful exploitation of the vulnerability could allow an attacker with administrator credentials for the access point to inject malicious JavaScript into the payload of web traffics, potentially leading to session hijacking and denial-of-service (DoS). | 2025-07-16 | 2.4 | CVE-2025-52687 |
| Bigotry--OneBase | A vulnerability was found in Bigotry OneBase up to 1.3.6. It has been declared as problematic. Affected by this vulnerability is the function parse_args of the file /tpl/think_exception.tpl. The manipulation of the argument args leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-14 | 3.5 | CVE-2025-7569 |
| bytecodealliance--wasmtime | Wasmtime is a runtime for WebAssembly. Prior to versions 24.0.4, 33.0.2, and 34.0.2, a bug in Wasmtime's implementation of the WASIp1 set of import functions can lead to a WebAssembly guest inducing a panic in the host (embedder). The specific bug is triggered by calling `path_open` after calling `fd_renumber` with either two equal argument values or a second argument being equal to a previously-closed file descriptor number value. The corrupt state introduced in `fd_renumber` will lead to the subsequent opening of a file descriptor to panic. This panic cannot introduce memory unsafety or allow WebAssembly to break outside of its sandbox, however. There is no possible heap corruption or memory unsafety from this panic. This bug is in the implementation of Wasmtime's `wasmtime-wasi` crate which provides an implementation of WASIp1. The bug requires a specially crafted call to `fd_renumber` in addition to the ability to open a subsequent file descriptor. Opening a second file descriptor is only possible when a preopened directory was provided to the guest, and this is common amongst embeddings. A panic in the host is considered a denial-of-service vector for WebAssembly embedders and is thus a security issue in Wasmtime. This bug does not affect WASIp2 and embedders using components. In accordance with Wasmtime's release process, patch releases are available as 24.0.4, 33.0.2, and 34.0.2. Users of other release of Wasmtime are recommended to move to a supported release of Wasmtime. Embedders who are using components or are not providing guest access to create more file descriptors (e.g. via a preopened filesystem directory) are not affected by this issue. Otherwise, there is no workaround at this time, and affected embeddings are recommended to update to a patched version which will not cause a panic in the host. | 2025-07-18 | 3.5 | CVE-2025-53901 |
| Campcodes--Online Movie Theater Seat Reservation System | A vulnerability was found in Campcodes Online Movie Theater Seat Reservation System 1.0. It has been classified as problematic. This affects an unknown part of the file /index.php?page=reserve of the component Reserve Your Seat Page. The manipulation of the argument Firstname/Lastname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 3.5 | CVE-2025-7840 |
| cgpandey--hotelmis | A vulnerability classified as problematic was found in cgpandey hotelmis up to c572198e6c4780fccc63b1d3e8f3f72f825fc94e. This vulnerability affects unknown code of the file admin.php of the component HTTP GET Request Handler. The manipulation of the argument Search leads to cross site scripting. The attack can be initiated remotely. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | 2025-07-18 | 3.5 | CVE-2025-7800 |
| descreekert--wx-discuz | A vulnerability was found in descreekert wx-discuz up to 12bd4745c63ec203cb32119bf77ead4a923bf277. It has been classified as problematic. This affects the function validToken of the file /wx.php. The manipulation of the argument echostr leads to cross site scripting. It is possible to initiate the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | 2025-07-18 | 3.5 | CVE-2025-7803 |
| Eluktronics--Control Center | A vulnerability classified as problematic was found in Eluktronics Control Center 5.23.51.41. Affected by this vulnerability is an unknown functionality of the component REG File Handler. The manipulation leads to insufficient verification of data authenticity. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 3.3 | CVE-2025-7884 |
| Gnuboard--g6 | A vulnerability, which was classified as problematic, has been found in Gnuboard g6 up to 6.0.10. This issue affects some unknown processing of the file /bbs/scrap_popin_update/qa/ of the component Post Reply Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 3.5 | CVE-2025-7786 |
| HCL Software--Connections | HCL Connections is vulnerable to an information disclosure vulnerability that could allow a user to obtain sensitive information they are not entitled to, which is caused by improper handling of request data. | 2025-07-17 | 3.5 | CVE-2024-42209 |
| Icinga--icingadb-web | Icinga DB Web provides a graphical interface for Icinga monitoring. Starting in version 1.2.0 and prior to version 1.2.2, users with access to Icinga Dependency Views, are allowed to see hosts and services that they weren't meant to on the dependency map. However, the name of an object will not be revealed nor does this grant access to a host's or service's detail view. Please note that this only affects the restrictions `filter/hosts` and `filter/services`. `filter/objects` is not affected by this and restricts objects as it is supposed to. Version 1.2.2 applies these restrictions properly. As a workaround, one may downgrade to version 1.1.3. | 2025-07-16 | 2.4 | CVE-2025-53840 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-0 and 6.9.13-26 have a heap buffer overflow in the `InterpretImageFilename` function. The issue stems from an off-by-one error that causes out-of-bounds memory access when processing format strings containing consecutive percent signs (`%%`). Versions 7.1.2-0 and 6.9.13-26 fix the issue. | 2025-07-14 | 3.7 | CVE-2025-53014 |
| ImageMagick--ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. In versions prior to 7.1.2-0 and 6.9.13-26, in ImageMagick's `magick stream` command, specifying multiple consecutive `%d` format specifiers in a filename template causes a memory leak. Versions 7.1.2-0 and 6.9.13-26 fix the issue. | 2025-07-14 | 3.7 | CVE-2025-53019 |
| jshttp--on-headers | on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions `<1.1.0` may result in response headers being inadvertently modified when an array is passed to `response.writeHead()`. Users should upgrade to version 1.1.0 to receive a patch. Uses are strongly encouraged to upgrade to `1.1.0`, but this issue can be worked around by passing an object to `response.writeHead()` rather than an array. | 2025-07-17 | 3.4 | CVE-2025-7339 |
| Mattermost--Mattermost | Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API. | 2025-07-18 | 2.2 | CVE-2025-6227 |
| Mercusys--MW301R | A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been rated as problematic. This issue affects some unknown processing of the component Login. The manipulation leads to improper restriction of excessive authentication attempts. The attack can only be initiated within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 3.1 | CVE-2025-7882 |
| Mercusys--MW301R | A vulnerability was found in Mercusys MW301R 1.0.2 Build 190726 Rel.59423n. It has been declared as problematic. This vulnerability affects unknown code of the component Web Interface. The manipulation of the argument code leads to weak password recovery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 2.7 | CVE-2025-7881 |
| Motorola--Smart Connect Android Application | A vulnerability was reported in version 1.0 of the Bluetooth Transmission Alliance protocol adopted by Motorola Smart Connect Android Application that could allow a nearby attacker within the Bluetooth interaction range to intercept files when transferred to a device not paired in Smart Connect. | 2025-07-17 | 3.5 | CVE-2025-2818 |
| n/a--Scada-LTS | A vulnerability classified as problematic has been found in Scada-LTS up to 2.7.8.1. Affected is an unknown function of the file users.shtm. The manipulation of the argument Username leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this issue and confirmed that it will be fixed in the upcoming release 2.8.0. | 2025-07-17 | 3.5 | CVE-2025-7728 |
| n/a--Scada-LTS | A vulnerability classified as problematic was found in Scada-LTS up to 2.7.8.1. Affected by this vulnerability is an unknown functionality of the file usersProfiles.shtm. The manipulation of the argument Username leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this issue and confirmed that it will be fixed in the upcoming release 2.8.0. | 2025-07-17 | 3.5 | CVE-2025-7729 |
| n/a--ZCMS | A vulnerability classified as problematic was found in ZCMS 3.6.0. This vulnerability affects unknown code of the component Create Article Page. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-17 | 3.5 | CVE-2025-7748 |
| Oracle Corporation--MySQL Cluster | Vulnerability in the MySQL Client product of Oracle MySQL (component: Client: mysqldump). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Client. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Client accessible data as well as unauthorized read access to a subset of MySQL Client accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N). | 2025-07-15 | 3.1 | CVE-2025-50081 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L). | 2025-07-15 | 2.7 | CVE-2025-50098 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L). | 2025-07-15 | 2.2 | CVE-2025-50100 |
| Oracle Corporation--MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.42, 8.4.0-8.4.5 and 9.0.0-9.3.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L). | 2025-07-15 | 2.7 | CVE-2025-50104 |
| Oracle Corporation--Oracle Database Server | Vulnerability in the Unified Audit component of Oracle Database Server. Supported versions that are affected are 19.3-19.27, 21.3-21.18 and 23.4-23.8. Easily exploitable vulnerability allows high privileged attacker having Create User privilege with network access via Oracle Net to compromise Unified Audit. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Unified Audit accessible data. CVSS 3.1 Base Score 2.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N). | 2025-07-15 | 2.4 | CVE-2025-30750 |
| Oracle Corporation--Oracle Database Server | Vulnerability in the Oracle Database Materialized View component of Oracle Database Server. Supported versions that are affected are 19.3-19.27, 21.3-21.18 and 23.4-23.8. Easily exploitable vulnerability allows high privileged attacker having Execute on DBMS_REDEFINITION privilege with network access via Oracle Net to compromise Oracle Database Materialized View. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Materialized View accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N). | 2025-07-15 | 2.7 | CVE-2025-50066 |
| Oracle Corporation--Oracle GraalVM for JDK | Vulnerability in the Oracle GraalVM for JDK product of Oracle Java SE (component: Native Image). The supported version that is affected is Oracle GraalVM for JDK: 24.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle GraalVM for JDK. CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). | 2025-07-15 | 3.7 | CVE-2025-50065 |
| Oracle Corporation--Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK product of Oracle Java SE (component: Compiler). The supported version that is affected is Oracle Java SE: 24.0.1; Oracle GraalVM for JDK: 24.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L). | 2025-07-15 | 3.7 | CVE-2025-30752 |
| Oracle Corporation--Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 2.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N). | 2025-07-15 | 2.3 | CVE-2025-53029 |
| PHPGurukul--Apartment Visitors Management System | A vulnerability, which was classified as problematic, was found in PHPGurukul Apartment Visitors Management System 1.0. Affected is an unknown function of the file /visitor-detail.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 3.5 | CVE-2025-7816 |
| PHPGurukul--Apartment Visitors Management System | A vulnerability has been found in PHPGurukul Apartment Visitors Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /bwdates-reports.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 3.5 | CVE-2025-7817 |
| PHPGurukul--Apartment Visitors Management System | A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /category.php of the component HTTP POST Request Handler. The manipulation of the argument categoryname leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 3.5 | CVE-2025-7818 |
| PHPGurukul--Apartment Visitors Management System | A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file pass-details.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 3.5 | CVE-2025-7856 |
| PHPGurukul--Apartment Visitors Management System | A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file bwdates-passreports-details.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 3.5 | CVE-2025-7857 |
| PHPGurukul--Apartment Visitors Management System | A vulnerability classified as problematic has been found in PHPGurukul Apartment Visitors Management System 1.0. This affects an unknown part of the file /admin-profile.php of the component HTTP POST Request Handler. The manipulation of the argument adminname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-19 | 3.5 | CVE-2025-7858 |
| PHPGurukul--Apartment Visitors Management System | A vulnerability, which was classified as problematic, has been found in PHPGurukul Apartment Visitors Management System 1.0. This issue affects some unknown processing of the file /manage-newvisitors.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-19 | 2.4 | CVE-2025-7815 |
| PHPGurukul--Apartment Visitors Management System | A vulnerability was found in PHPGurukul Apartment Visitors Management System 1.0. It has been classified as problematic. This affects an unknown part of the file /create-pass.php of the component HTTP POST Request Handler. The manipulation of the argument visname leads to cross site scripting. It is possible to initiate the attack remotely. | 2025-07-19 | 2.4 | CVE-2025-7819 |
| PHPGurukul--Art Gallery Management System | A vulnerability, which was classified as problematic, has been found in PHPGurukul Art Gallery Management System 1.1. Affected by this issue is some unknown functionality of the file /admin/edit-art-medium-detail.php. The manipulation of the argument artmed leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 3.5 | CVE-2025-7767 |
| PHPGurukul--Complaint Management System | A vulnerability was found in PHPGurukul Complaint Management System 2.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /admin/complaint-search.php. The manipulation of the argument Search leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 3.5 | CVE-2025-7802 |
| PHPGurukul--Online Library Management System | A vulnerability has been found in PHPGurukul Online Library Management System 3.0 and classified as problematic. This vulnerability affects unknown code of the file /admin/student-history.php. The manipulation of the argument stdid leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 3.5 | CVE-2025-7601 |
| PHPGurukul--Online Security Guards Hiring System | A vulnerability was found in PHPGurukul Online Security Guards Hiring System 1.0. It has been declared as problematic. This vulnerability affects unknown code of the file /admin/search.php. The manipulation of the argument searchdata leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 3.5 | CVE-2025-7791 |
| Portabilis--i-Diario | A vulnerability, which was classified as problematic, was found in Portabilis i-Diario 1.5.0. This affects an unknown part of the component justificativas-de-falta Endpoint. The manipulation of the argument Anexo leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 3.5 | CVE-2025-7870 |
| Portabilis--i-Diario | A vulnerability has been found in Portabilis i-Diario 1.5.0 and classified as problematic. This vulnerability affects unknown code of the file /conteudos. The manipulation of the argument filter[by_description] leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 3.5 | CVE-2025-7871 |
| Portabilis--i-Diario | A vulnerability was found in Portabilis i-Diario 1.5.0 and classified as problematic. This issue affects some unknown processing of the file /justificativas-de-falta. The manipulation of the argument Justificativa leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 3.5 | CVE-2025-7872 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar 2.9.0. It has been rated as problematic. This issue affects some unknown processing of the file /intranet/educar_deficiencia_lst.php of the component Disabilities Module. The manipulation of the argument Deficiência ou Transtorno leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 3.5 | CVE-2025-7866 |
| Portabilis--i-Educar | A vulnerability classified as problematic has been found in Portabilis i-Educar 2.9.0. Affected is an unknown function of the file /intranet/agenda.php of the component Agenda Module. The manipulation of the argument novo_titulo leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 3.5 | CVE-2025-7867 |
| Portabilis--i-Educar | A vulnerability classified as problematic was found in Portabilis i-Educar 2.9.0. Affected by this vulnerability is an unknown functionality of the file /intranet/educar_calendario_dia_motivo_cad.php of the component Calendar Module. The manipulation of the argument Motivo leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 3.5 | CVE-2025-7868 |
| Portabilis--i-Educar | A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.9.0. Affected by this issue is some unknown functionality of the file intranet/educar_turma_tipo_det.php?cod_turma_tipo=ID of the component Turma Module. The manipulation of the argument nm_tipo leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-20 | 3.5 | CVE-2025-7869 |
| rubyonrails--Thor | Thor before 1.4.0 can construct an unsafe shell command from library input. | 2025-07-20 | 2.8 | CVE-2025-54314 |
| Sapido--RB-1802 | A vulnerability classified as problematic was found in Sapido RB-1802 1.0.32. This vulnerability affects unknown code of the file urlfilter.asp of the component URL Filtering Page. The manipulation of the argument URL address leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-14 | 2.4 | CVE-2025-7554 |
| Teledyne--FLIR FB-Series O | A vulnerability was found in Teledyne FLIR FB-Series O and FLIR FH-Series ID 1.3.2.16. It has been classified as problematic. This affects an unknown part. The manipulation leads to use of hard-coded password. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-14 | 3.7 | CVE-2025-7577 |
| thinkgem--JeeSite | A vulnerability was found in thinkgem JeeSite up to 5.12.0 and classified as problematic. Affected by this issue is the function redirectUrl of the file src/main/java/com/jeesite/common/web/http/ServletUtils.java. The manipulation of the argument url leads to open redirect. The attack may be launched remotely. The name of the patch is 3d06b8d009d0267f0255acc87ea19d29d07cedc3. It is recommended to apply a patch to fix this issue. | 2025-07-20 | 3.5 | CVE-2025-7863 |
| thinkgem--JeeSite | A vulnerability was found in thinkgem JeeSite up to 5.12.0. It has been declared as problematic. This vulnerability affects the function xssFilter of the file src/main/java/com/jeesite/common/codec/EncodeUtils.java of the component XSS Filter. The manipulation of the argument text leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The patch is identified as 3585737d21fe490ff6948d913fcbd8d99c41fc08. It is recommended to apply a patch to fix this issue. | 2025-07-20 | 3.5 | CVE-2025-7865 |
| Xuxueli--xxl-job | A vulnerability was found in Xuxueli xxl-job up to 3.1.1 and classified as problematic. Affected by this issue is the function makeToken of the file src/main/java/com/xxl/job/admin/controller/IndexController.java of the component Token Generation. The manipulation leads to password hash with insufficient computational effort. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | 2025-07-18 | 3.7 | CVE-2025-7789 |
| yangzongzhuan--RuoYi | A vulnerability classified as problematic has been found in yangzongzhuan RuoYi up to 4.8.1. Affected is the function addSave of the file com/ruoyi/web/controller/system/SysNoticeController.java. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-20 | 3.5 | CVE-2025-7902 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Achat Software--Achat Chat Server | A stack-based buffer overflow exists in Achat v0.150 in its default configuration. By sending a specially crafted message to the UDP port 9256, an attacker can overwrite the structured exception handler (SEH) due to insufficient bounds checking on user-supplied input leading to remote code execution. | 2025-07-16 | not yet calculated | CVE-2025-34127 |
| AdGuard--AdGuard for Safari | An issue was discovered in AdGuard plugin before 1.11.22 for Safari on MacOS. AdGaurd verbosely logged each url that Safari accessed when the plugin was active. These logs went into the MacOS general logs for any unsandboxed process to read. This may be disabled in version 1.11.22. | 2025-07-17 | not yet calculated | CVE-2025-51497 |
| Agorum--Agorum core open | agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to contain an XML External Entity (XXE) via the RSSReader endpoint. This vulnerability allows attackers to access sensitive data via providing a crafted XML input. | 2025-07-18 | not yet calculated | CVE-2025-52162 |
| Agorum--Agorum core open | A Server-Side Request Forgery (SSRF) in the component TunnelServlet of agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 allows attackers to forcefully initiate connections to arbitrary internal and external resources via a crafted request. This can lead to sensitive data exposure. | 2025-07-18 | not yet calculated | CVE-2025-52163 |
| Agorum--Agorum core open | Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to store credentials in plaintext. | 2025-07-18 | not yet calculated | CVE-2025-52164 |
| Agorum--Agorum core open | Incorrect access control in Software GmbH Agorum core open v11.9.2 & v11.10.1 allows authenticated attackers to escalate privileges to Administrator and access sensitive components and information. | 2025-07-18 | not yet calculated | CVE-2025-52166 |
| Agorum--Agorum core open | Incorrect access control in the dynawebservice component of agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 allows unauthenticated attackers to access arbitrary files on the system. | 2025-07-18 | not yet calculated | CVE-2025-52168 |
| Agorum--Agorum core open | agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability. | 2025-07-18 | not yet calculated | CVE-2025-52169 |
| aio-libs--aiohttp | AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Prior to version 3.12.14, the Python parser is vulnerable to a request smuggling vulnerability due to not parsing trailer sections of an HTTP request. If a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled, then an attacker may be able to execute a request smuggling attack to bypass certain firewalls or proxy protections. Version 3.12.14 contains a patch for this issue. | 2025-07-14 | not yet calculated | CVE-2025-53643 |
| Apache Software Foundation--Apache CXF | Apache CXF stores large stream based messages as temporary files on the local filesystem. A bug was introduced which means that the entire temporary file is read into memory and then logged. An attacker might be able to exploit this to cause a denial of service attack by causing an out of memory exception. In addition, it is possible to configure CXF to encrypt temporary files to prevent sensitive credentials from being cached unencrypted on the local filesystem, however this bug means that the cached files are written out to logs unencrypted. Users are recommended to upgrade to versions 3.5.11, 3.6.6, 4.0.7 or 4.1.1, which fixes this issue. | 2025-07-15 | not yet calculated | CVE-2025-48795 |
| Apache Software Foundation--Apache Jackrabbit | Blind XXE Vulnerabilities in jackrabbit-spi-commons and jackrabbit-core in Apache Jackrabbit < 2.23.2 due to usage of an unsecured document build to load privileges. Users are recommended to upgrade to versions 2.20.17 (Java 8), 2.22.1 (Java 11) or 2.23.2 (Java 11, beta versions), which fix this issue. Earlier versions (up to 2.20.16) are not supported anymore, thus users should update to the respective supported version. | 2025-07-14 | not yet calculated | CVE-2025-53689 |
| ASUSTOR--ADM | A stored Cross-Site Scripting (XSS) vulnerability exists in the Access Control of ADM, the issue allows an attacker to inject malicious scripts into the folder name field while creating a new shared folder. These scripts are not properly sanitized and will be executed when the folder name is subsequently displayed in the user interface. This allows attackers to execute arbitrary JavaScript in the context of another user's session, potentially accessing session cookies or other sensitive data. Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier. | 2025-07-14 | not yet calculated | CVE-2025-7380 |
| ASUSTOR--ADM | A stored Cross-Site Scripting (XSS) vulnerability vulnerability was found in the File Explorer and Text Editor of ADM. An attacker could exploit this vulnerability to inject malicious scripts into the applications, which may then access cookies or other sensitive information retained by the browser and used with the affected applications. Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier, and Text Editor 1.0.0.r112 and earlier. | 2025-07-14 | not yet calculated | CVE-2025-7618 |
| ASUSTOR--ADM | An improper access control vulnerability was found in the EZ Sync Manager of ADM, which allows authenticated users to copy arbitrary files from the server file system into their own EZSync folder. The vulnerability is due to a lack of authorization checks on the file parameter of the HTTP request. Attackers can exploit this flaw to access files outside their authorized scope, provided the file has readable permissions for other users on the underlying OS. This can lead to unauthorized exposure of sensitive data. Affected products and versions include: from ADM 4.1.0 to ADM 4.3.3.RH61 as well as ADM 5.0.0.RIN1 and earlier. | 2025-07-16 | not yet calculated | CVE-2025-7699 |
| ATRODO--Net::Dropbear | Net::Dropbear versions through 0.16 for Perl contains a dependency that may be susceptible to an integer overflow. Net::Dropbear embeds a version of the libtommath library that is susceptible to an integer overflow associated with CVE-2023-36328. | 2025-07-16 | not yet calculated | CVE-2025-40913 |
| Avid--Avid NEXIS E-series | An Unauthenticated Arbitrary File Read vulnerability affects the Agent when installed on a system. The parameter filename does not validate the path thus allowing users to read arbitrary files. As the application runs with the highest privileges (root/NT_AUTHORITY SYSTEM) by default attackers are able to obtain sensitive information. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1. | 2025-07-14 | not yet calculated | CVE-2024-26291 |
| Avid--Avid NEXIS E-series | An authenticated Arbitrary File Deletion vulnerability enables an attacker to delete critical files. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1. | 2025-07-14 | not yet calculated | CVE-2024-26292 |
| Avid--Avid NEXIS E-series | The Avid Nexis Agent uses a vulnerable gSOAP version. An undocumented vulnerability impacting gSOAP v2.8 makes the application vulnerable to an Unauthenticated Path Traversal vulnerability. This issue affects Avid NEXIS E-series: before 2025.5.1; Avid NEXIS F-series: before 2025.5.1; Avid NEXIS PRO+: before 2025.5.1; System Director Appliance (SDA+): before 2025.5.1. | 2025-07-14 | not yet calculated | CVE-2024-26293 |
| balbooa.com--Balbooa Forms component for Joomla | A SQL injection vulnerability in the Balbooa Forms plugin 1.0.0-2.3.1.1 for Joomla allows privileged users to execute arbitrary SQL commands via the 'id' parameter. | 2025-07-18 | not yet calculated | CVE-2025-49485 |
| balbooa.com--Balbooa Gallery component for Joomla | A stored XSS vulnerability in the Balbooa Gallery plugin 1.0.0-2.4.0 for Joomla allows privileged users to store malicious scripts in gallery items. | 2025-07-18 | not yet calculated | CVE-2025-49486 |
| Beakon Software--Beakon Learning Management System Sharable Content Object Reference Model (SCORM) | Cross Site Scripting vulnerability in Beakon Software Beakon Learning Management System Sharable Content Object Reference Model (SCORM) version V.5.4.3 allows a remote attacker to obtain sensitive information via the URL parameter | 2025-07-17 | not yet calculated | CVE-2025-46102 |
| Bluebird--com.bluebird.filemanagers | Bluebird devices contain a pre-loaded file manager application. This application exposes an unsecured service provider "com.bluebird.system.koreanpost.IsdcardRemoteService". A local attacker can bind to the AIDL-type service to copy and delete arbitrary files from device's storage with system-level permissions. Version 1.4.4 is vulnerable, vendor reverted vulnerable versions to older version: 1.3.6 | 2025-07-17 | not yet calculated | CVE-2025-5345 |
| Bluebird--com.bluebird.kiosk.launcher | Bluebird devices contain a pre-loaded kiosk application. This application exposes an unsecured service provider "com.bluebird.kiosk.launcher.IpartnerKioskRemoteService". A local attacker can bind to the AIDL-type service to modify device's global settings and wallpaper image. This issue affects all versions before 1.1.2. | 2025-07-17 | not yet calculated | CVE-2025-5344 |
| Bluebird--kr.co.bluebird.android.bbsettings | Bluebird devices contain a pre-loaded barcode scanner application. This application exposes an unsecured broadcast receiver "kr.co.bluebird.android.bbsettings.BootReceiver". A local attacker can call the receiver to overwrite file containing ".json" keyword with default barcode config file. It is possible to overwrite file in any location due to lack of protection against path traversal in name of the file. This issue affects all versions before 1.3.3. | 2025-07-17 | not yet calculated | CVE-2025-5346 |
| Broadcom--Brocade ASCG | Brocade ASCG before 3.3.0 logs JSON Web Tokens (JWT) in log files. An attacker with access to the log files can withdraw the unencrypted tokens with security implications, such as unauthorized access, session hijacking, and information disclosure. | 2025-07-17 | not yet calculated | CVE-2025-6391 |
| Broadcom--Brocade ASCG | A vulnerability in the ascgshell, of Brocade ASCG before 3.3.0 stores any command executed in the Command Line Interface (CLI) in plain text within the command history. A local authenticated user that can access sensitive information like passwords within the CLI history leading to unauthorized access and potential data breaches. | 2025-07-17 | not yet calculated | CVE-2025-7397 |
| Broadcom--Brocade ASCG | Brocade ASCG before 3.3.0 allows for the use of medium strength cryptography algorithms on internal ports ports 9000 and 8036. | 2025-07-17 | not yet calculated | CVE-2025-7398 |
| Burnaware--PDF Shaper | A buffer overflow vulnerability exists in PDF Shaper versions 3.5 and 3.6 when converting a crafted PDF file to an image using the 'Convert PDF to Image' functionality. An attacker can exploit this vulnerability by tricking a user into opening a maliciously crafted PDF file, leading to arbitrary code execution under the context of the user. This vulnerability has been verified on Windows XP, 7, 8, and 10 platforms using the PDFTools.exe component. | 2025-07-15 | not yet calculated | CVE-2025-34106 |
| ColoradoFTP--Server | A directory traversal vulnerability exists in ColoradoFTP Server ≤ 1.3 Build 8 for Windows, allowing unauthenticated attackers to read or write arbitrary files outside the configured FTP root directory. The flaw is due to insufficient sanitation of user-supplied file paths in the FTP GET and PUT command handlers. Exploitation is possible by submitting traversal sequences during FTP operations, enabling access to system-sensitive files. This issue affects only the Windows version of ColoradoFTP. | 2025-07-15 | not yet calculated | CVE-2025-34110 |
| cyberark--conjur | Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.22.0 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.5 and 13.6 are vulnerable to bypass of the IAM authenticator. An attacker who can manipulate the headers signed by AWS can take advantage of a malformed regular expression to redirect the authentication validation request that Secrets Manager, Self-Hosted sends to AWS to a malicious server controlled by the attacker. This redirection could result in a bypass of the Secrets Manager, Self-Hosted IAM Authenticator, granting the attacker the permissions granted to the client whose request was manipulated. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. | 2025-07-15 | not yet calculated | CVE-2025-49827 |
| cyberark--conjur | Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.21.1 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.4.1 are vulnerable to remote code execution An authenticated attacker who can inject secrets or templates into the Secrets Manager, Self-Hosted database could take advantage of an exposed API endpoint to execute arbitrary Ruby code within the Secrets Manager process. This issue affects both Secrets Manager, Self-Hosted (formerly Conjur Enterprise) and Conjur OSS. Conjur OSS version 1.21.2 and Secrets Manager, Self-Hosted version 13.5 fix the issue. | 2025-07-15 | not yet calculated | CVE-2025-49828 |
| cyberark--conjur | Conjur provides secrets management and application identity for infrastructure. Missing validations in Secrets Manager, Self-Hosted allows authenticated attackers to inject resources into the database and to bypass permission checks. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. | 2025-07-15 | not yet calculated | CVE-2025-49829 |
| cyberark--conjur | Conjur provides secrets management and application identity for infrastructure. An authenticated attacker who is able to load policy can use the policy yaml parser to reference files on the Secrets Manager, Self-Hosted server. These references may be used as reconnaissance to better understand the folder structure of the Secrets Manager/Conjur server or to have the yaml parser include files on the server in the yaml that is processed as the policy loads. This issue affects Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. | 2025-07-15 | not yet calculated | CVE-2025-49830 |
| cyberark--conjur | An attacker of Secrets Manager, Self-Hosted installations that route traffic from Secrets Manager to AWS through a misconfigured network device can reroute authentication requests to a malicious server under the attacker's control. CyberArk believes there to be very few installations where this issue can be actively exploited, though Secrets Manager, Self-Hosted (formerly Conjur Enterprise) prior to versions 13.5.1 and 13.6.1 and Conjur OSS prior to version 1.22.1 may be affected. Conjur OSS version 1.22.1 and Secrets Manager, Self-Hosted versions 13.5.1 and 13.6.1 fix the issue. | 2025-07-15 | not yet calculated | CVE-2025-49831 |
| D-Link--DSP-W110A1 | An unauthenticated command injection vulnerability exists in the cookie handling process of the lighttpd web server on D-Link DSP-W110A1 firmware version 1.05B01. This occurs when specially crafted cookie values are processed, allowing remote attackers to execute arbitrary commands on the underlying Linux operating system. Successful exploitation enables full system compromise. | 2025-07-16 | not yet calculated | CVE-2025-34125 |
| Death1Clown--VoidBot_open-source | VoidBot Open-Source is a customizable Discord bot. VoidBot Open-Source versions 0.0.1 through 0.8.1 contain a vulnerability in the command handler where permission checks are not properly enforced for certain administrative commands. This allows users without the required roles or privileges to execute sensitive commands such as `ban`, `kick`, or `shutdown`, potentially disrupting server operations. Version 1.0.0 fixes the issue. | 2025-07-16 | not yet calculated | CVE-2025-53943 |
| Digisol--XPON ONU Wi-Fi Router (DG-GR6821AC) | This vulnerability exists in Digisol DG-GR6821AC Router due to hard-coded Root Access Credentials in system configuration of the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and analyzing the binary data to obtain the stored root access credentials. Successful exploitation of this vulnerability could allow the attacker to gain admin access to the targeted device. | 2025-07-16 | not yet calculated | CVE-2025-53754 |
| Digisol--XPON ONU Wi-Fi Router (DG-GR6821AC) | This vulnerability exists in Digisol DG-GR6821AC Router due to storage of credentials and PINS without encryption in the device firmware. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineer the binary data to access the unencrypted data stored in the firmware of targeted device. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the network of the targeted device. | 2025-07-16 | not yet calculated | CVE-2025-53755 |
| Digisol--XPON ONU Wi-Fi Router (DG-GR6821AC) | This vulnerability exists in Digisol DG-GR6821AC Router due to cleartext transmission of credentials in its web management interface. A remote attacker could exploit this vulnerability by intercepting the network traffic and capturing cleartext credentials. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted device. | 2025-07-16 | not yet calculated | CVE-2025-53756 |
| Digisol--XPON ONU Wi-Fi Router (DG-GR6821AC) | This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated with the router web interface. A remote attacker could exploit this vulnerability by capturing the session cookies transmitted over an unsecure HTTP connection. Successful exploitation of this vulnerability could allow the attacker to obtain sensitive information from the targeted device. | 2025-07-16 | not yet calculated | CVE-2025-53757 |
| Digisol--XPON ONU Wi-Fi Router (DG-GR6821AC) | This vulnerability exists in Digisol DG-GR6821AC Router due to use of default admin credentials at its web management interface. An attacker with physical access could exploit this vulnerability by extracting the firmware and reverse engineer the binary data to access the hardcoded default credentials stored in the firmware of the targeted device. Successful exploitation of this vulnerability could allow the attacker to gain unauthorized access to the targeted device. | 2025-07-16 | not yet calculated | CVE-2025-53758 |
| Eclipse Foundation--Eclipse Glassfish | In Eclipse GlassFish version 7.0.15 is possible to perform Reflected Cross-site scripting attacks in the Administration Console. | 2025-07-16 | not yet calculated | CVE-2024-10029 |
| Eclipse Foundation--Eclipse Glassfish | In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site Scripting attacks by modifying the configuration file in the underlying operating system. | 2025-07-16 | not yet calculated | CVE-2024-10031 |
| Eclipse Foundation--Eclipse Glassfish | In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console. | 2025-07-16 | not yet calculated | CVE-2024-10032 |
| Eclipse Foundation--Eclipse Glassfish | In Eclipse GlassFish version 7.0.16 or earlier it is possible to perform Login Brute Force attacks as there is no limitation in the number of failed login attempts. | 2025-07-16 | not yet calculated | CVE-2024-9342 |
| Eclipse Foundation--Eclipse Glassfish | In Eclipse GlassFish version 7.0.15 is possible to perform Stored Cross-site scripting attacks in the Administration Console. | 2025-07-16 | not yet calculated | CVE-2024-9343 |
| Eclipse Foundation--Eclipse Glassfish | In Eclipse GlassFish since version 6.2.5 it is possible to perform a Server Side Request Forgery attack in specific endpoints. | 2025-07-16 | not yet calculated | CVE-2024-9408 |
| EHUELS--Authen::SASL::Perl::DIGEST_MD5 | Authen::SASL::Perl::DIGEST_MD5 versions 2.04 through 2.1800 for Perl generates the cnonce insecurely. The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. According to RFC 2831, The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy. | 2025-07-16 | not yet calculated | CVE-2025-40918 |
| ESET, spol. s.r.o--ESET NOD32 Antivirus | Time-of-check to time-of-use race condition vulnerability potentially allowed an attacker to use the installed ESET security software to clear the content of an arbitrary file on the file system. | 2025-07-18 | not yet calculated | CVE-2025-2425 |
| Falconstor Software--Disk Pulse Enterprise | A stack-based buffer overflow vulnerability exists in the login functionality of Disk Pulse Enterprise version 9.0.34. An attacker can send a specially crafted HTTP POST request to the /login endpoint with an overly long username parameter, causing a buffer overflow in the libspp.dll component. Successful exploitation allows arbitrary code execution with SYSTEM privileges. | 2025-07-15 | not yet calculated | CVE-2025-34108 |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser's authentication system issues long-lived JWT tokens that remain valid even after the user logs out. As of time of publication, no known patches exist. | 2025-07-15 | not yet calculated | CVE-2025-53826 |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.38.0, a Denial of Service (DoS) vulnerability exists in the file processing logic when reading a file on endpoint `Filebrowser-Server-IP:PORT/files/{file-name}` . While the server correctly handles and stores uploaded files, it attempts to load the entire content into memory during read operations without size checks or resource limits. This allows an authenticated user to upload a large file and trigger uncontrolled memory consumption on read, potentially crashing the server and making it unresponsive. As of time of publication, no known patches are available. | 2025-07-15 | not yet calculated | CVE-2025-53893 |
| Flexense--DiskBoss Enterprise | A stack-based buffer overflow vulnerability exists in the built-in web interface of DiskBoss Enterprise versions 7.4.28, 7.5.12, and 8.2.14. The vulnerability arises from improper bounds checking on the path component of HTTP GET requests. By sending a specially crafted long URI, a remote unauthenticated attacker can trigger a buffer overflow, potentially leading to arbitrary code execution with SYSTEM privileges on vulnerable Windows hosts. | 2025-07-15 | not yet calculated | CVE-2025-34105 |
| Galactic Advisors--Kaseya RapidFire Tools Network Detective | Kaseya Rapid Fire Tools Network Detective 2.0.16.0 has Unencrypted Credentials (for privileged access) stored in the collector.txt configuration file. | 2025-07-16 | not yet calculated | CVE-2025-32353 |
| Galactic Advisors--Kaseya RapidFire Tools Network Detective | An issue was discovered in Kaseya Rapid Fire Tools Network Detective through 2.0.16.0. A vulnerability exists in the EncryptionUtil class because symmetric encryption is implemented in a deterministic and non-randomized fashion. The method Encrypt(byte[] clearData) derives both the encryption key and the IV from a fixed, hardcoded input by using a static salt value. As a result, identical plaintext inputs always produce identical ciphertext outputs. This is true for both FIPS and non-FIPS generated passwords. In other words, there is a cryptographic implementation flaw in the password encryption mechanism. Although there are multiple encryption methods grouped under FIPS and non-FIPS classifications, the logic consistently results in predictable and reversible encrypted outputs due to the lack of per-operation randomness and encryption authentication. | 2025-07-16 | not yet calculated | CVE-2025-32874 |
| GitHub--Enterprise Server | An incorrect authorization vulnerability allowed unauthorized read access to the contents of internal repositories for contractor accounts when the Contractors API feature was enabled. The Contractors API is a rarely-enabled feature in private preview. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.18 and was fixed in versions 3.14.15, 3.15.10, 3.16.6 and 3.17.3 | 2025-07-15 | not yet calculated | CVE-2025-6981 |
| GoldenDict--GoldenDict | GoldenDict 1.5.0 and 1.5.1 has an exposed dangerous method that allows reading and modifying files when a user adds a crafted dictionary and then searches for any term included in that dictionary. | 2025-07-17 | not yet calculated | CVE-2025-53964 |
| Google--Chrome | Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | 2025-07-15 | not yet calculated | CVE-2025-6558 |
| Google--Chrome | Integer overflow in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-07-15 | not yet calculated | CVE-2025-7656 |
| Google--Chrome | Use after free in WebRTC in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-07-15 | not yet calculated | CVE-2025-7657 |
| Growatt--https://oss.growatt.com | An incorrect authorisation check in the the 'plant transfer' function of the Growatt cloud service allowed a malicous attacker with a valid account to transfer any plant into his/her account. | 2025-07-19 | not yet calculated | CVE-2025-29757 |
| HAARG--Catalyst::Plugin::Session | Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely. The session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. | 2025-07-17 | not yet calculated | CVE-2025-40924 |
| Hewlett Packard Enterprise--HPE AutoPass License Server | An authentication bypass vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17. | 2025-07-14 | not yet calculated | CVE-2024-51767 |
| Hewlett Packard Enterprise--HPE AutoPass License Server | An hsqldb-related remote code execution vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17. | 2025-07-14 | not yet calculated | CVE-2024-51768 |
| Hewlett Packard Enterprise--HPE AutoPass License Server | An information disclosure vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17. | 2025-07-14 | not yet calculated | CVE-2024-51769 |
| Hewlett Packard Enterprise--HPE AutoPass License Server | An information disclosure vulnerability exists in HPE AutoPass License Server (APLS) prior to 9.17. | 2025-07-14 | not yet calculated | CVE-2024-51770 |
| Idera--Up.Time Monitoring Station | An unauthenticated arbitrary file upload vulnerability exists in Idera Up.Time Monitoring Station versions up to and including 7.2. The `wizards/post2file.php` script accepts arbitrary POST parameters, allowing attackers to upload crafted PHP files to the webroot. Successful exploitation results in remote code execution as the web server user. NOTE: The bypass for this vulnerability is tracked as CVE-2015-9263. | 2025-07-16 | not yet calculated | CVE-2025-34121 |
| Imagination Technologies--Graphics DDK | Software installed and run as a non-privileged user may conduct improper GPU system calls to subvert GPU HW to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt data pages not allocated by the GPU driver but memory pages in use by the kernel and drivers running on the platform altering their behaviour. | 2025-07-14 | not yet calculated | CVE-2025-25180 |
| indico--indico | Indico is an event management system that uses Flask-Multipass, a multi-backend authentication system for Flask. Starting in version 2.2 and prior to version 3.3.7, an endpoint used to display details of users listed in certain fields (such as ACLs) could be misused to dump basic user details (such as name, affiliation and email) in bulk. Version 3.3.7 fixes the issue. Owners of instances that allow everyone to create a user account, who wish to truly restrict access to these user details, should consider restricting user search to managers. As a workaround, it is possible to restrict access to the affected endpoints (e.g. in the webserver config), but doing so would break certain form fields which could no longer show the details of the users listed in those fields, so upgrading instead is highly recommended. | 2025-07-14 | not yet calculated | CVE-2025-53640 |
| intlify--vue-i18n | Vue I18n is the internationalization plugin for Vue.js. The escapeParameterHtml: true option in Vue I18n is designed to protect against HTML/script injection by escaping interpolated parameters. However, starting in version 9.0.0 and prior to versions 9.14.5, 10.0.8, and 11.1.0, this setting fails to prevent execution of certain tag-based payloads, such as <img src=x onerror=...>, if the interpolated value is inserted inside an HTML context using v-html. This may lead to a DOM-based XSS vulnerability, even when using escapeParameterHtml: true, if a translation string includes minor HTML and is rendered via v-html. Versions 9.14.5, 10.0.8, and 11.1.0 contain a fix for the issue. | 2025-07-16 | not yet calculated | CVE-2025-53892 |
| ipavlov--7-Zip | 7-Zip is a file archiver with a high compression ratio. Zeroes written outside heap buffer in RAR5 handler may lead to memory corruption and denial of service in versions of 7-Zip prior to 25.0.0. Version 25.0.0 contains a fix for the issue. | 2025-07-17 | not yet calculated | CVE-2025-53816 |
| ipavlov--7-Zip | 7-Zip is a file archiver with a high compression ratio. 7-Zip supports extracting from Compound Documents. Prior to version 25.0.0, a null pointer dereference in the Compound handler may lead to denial of service. Version 25.0.0 contains a fix cor the issue. | 2025-07-17 | not yet calculated | CVE-2025-53817 |
| IPFire Project--IPFire | A remote command execution vulnerability exists in IPFire before version 2.19 Core Update 101 via the 'proxy.cgi' CGI interface. An authenticated attacker can inject arbitrary shell commands through crafted values in the NCSA user creation form fields, leading to command execution with web server privileges. | 2025-07-15 | not yet calculated | CVE-2025-34116 |
| ITRS Group--OP5 Monitor | An authenticated command injection vulnerability exists in OP5 Monitor through version 7.1.9 via the 'cmd_str' parameter in the command_test.php endpoint. A user with access to the web interface can exploit the 'Test this command' feature to execute arbitrary shell commands as the unprivileged web application user. The vulnerability resides in the configuration section of the application and requires valid login credentials with access to the command testing functionality. This issue is fixed in version 7.2.0. | 2025-07-15 | not yet calculated | CVE-2025-34115 |
| joomcar.net--Articles Calendar extension for Joomla | A SQL injection in Articles Calendar extension 1.0.0 - 1.0.1.0007 for Joomla allows attackers to execute arbitrary SQL commands. | 2025-07-18 | not yet calculated | CVE-2025-26855 |
| joomcar.net--Articles Good Search extension for Joomla | A SQL injection in Articles Good Search extension 1.0.0 - 1.2.4.0011 for Joomla allows attackers to execute arbitrary SQL commands. | 2025-07-18 | not yet calculated | CVE-2025-26854 |
| joomsky.com--JS Jobs component for Joomla | A SQL injection vulnerability in the JS Jobs plugin versions 1.0.0-1.4.1 for Joomla allows low-privilege users to execute arbitrary SQL commands via the 'cvid' parameter in the employee application feature. | 2025-07-18 | not yet calculated | CVE-2025-49484 |
| LabF--WinaXe FTP Client | A buffer overflow vulnerability exists in the WinaXe FTP Client version 7.7 within the FTP banner parsing functionality, WCMDPA10.dll. When the client connects to a remote FTP server and receives an overly long '220 Server Ready' response, the vulnerable component responsible for parsing the banner overflows a stack buffer, leading to arbitrary code execution under the context of the user. | 2025-07-15 | not yet calculated | CVE-2025-34107 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. Versions prior to 3.4.5 have a SQL Injection vulnerability in the endpoint `/WeGIA/html/socio/sistema/processa_deletar_socio.php`, in the `id_socio` parameter. This vulnerability allows the execution of arbitrary SQL commands, which can compromise the confidentiality, integrity, and availability of stored data. Version 3.4.5 fixes the issue. | 2025-07-14 | not yet calculated | CVE-2025-53823 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the editar_permissoes.php endpoint of the WeGIA application prior to version 3.4.4. This vulnerability allows attackers to inject malicious scripts in the msg_c parameter. Version 3.4.4 fixes the issue. | 2025-07-14 | not yet calculated | CVE-2025-53824 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `adicionar_cor.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts into the `cor` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page `cadastro_pet.php` is accessed by users, posing a significant security risk. Version 3.4.5 fixes the issue. | 2025-07-16 | not yet calculated | CVE-2025-53929 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `adicionar_especie.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts into the `especie` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. Version 3.4.5 fixes the issue. | 2025-07-16 | not yet calculated | CVE-2025-53930 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `adicionar_raca.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts into the `raca` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. Version 3.4.5 fixes the issue. | 2025-07-16 | not yet calculated | CVE-2025-53931 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `cadastro_adotante.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts in the `cpf` parameter. Version 3.4.5 fixes the issue. | 2025-07-16 | not yet calculated | CVE-2025-53932 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `adicionar_enfermidade.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts into the `nome` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. Version 3.4.5 fixes the issue. | 2025-07-16 | not yet calculated | CVE-2025-53933 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the `control.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts into the `descricao_emergencia` parameter. The injected scripts are stored on the server and executed automatically whenever the affected page is accessed by users, posing a significant security risk. Version 3.4.5 fixes the issue. | 2025-07-16 | not yet calculated | CVE-2025-53934 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `personalizacao_selecao.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts in the `id` parameter. Version 3.4.5 fixes the issue. | 2025-07-16 | not yet calculated | CVE-2025-53935 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the `personalizacao_selecao.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows attackers to inject malicious scripts in the `nome_car` parameter. Version 3.4.5 fixes the issue. | 2025-07-16 | not yet calculated | CVE-2025-53936 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the `/controle/control.php` endpoint, specifically in the `cargo` parameter, of WeGIA prior to version 3.4.5. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. Version 3.4.5 fixes the issue. | 2025-07-16 | not yet calculated | CVE-2025-53937 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. An Authentication Bypass vulnerability was identified in the `/dao/verificar_recursos_cargo.php` endpoint of the WeGIA application prior to version 3.4.5. This vulnerability allows unauthenticated users to access protected application functionalities and retrieve sensitive information by sending crafted HTTP requests without any session cookies or authentication tokens. Version 3.4.5 fixes the issue. | 2025-07-16 | not yet calculated | CVE-2025-53938 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.4.5 in the `id_funcionario` parameter of the `/html/saude/profile_paciente.php` endpoint. This vulnerability allows attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data. Version 3.4.5 fixes the issue. | 2025-07-17 | not yet calculated | CVE-2025-53946 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.4.6 in the `idatendido_familiares` parameter of the `/html/funcionario/dependente_editarEndereco.php` endpoint. This vulnerability allows attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data. Version 3.4.6 fixes the issue. | 2025-07-17 | not yet calculated | CVE-2025-54058 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.4.6 in the `idatendido_familiares` parameter of the `/html/funcionario/dependente_editarInfoPessoal.php` endpoint. This vulnerability allows attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data. Version 3.4.6 fixes the issue. | 2025-07-17 | not yet calculated | CVE-2025-54060 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.4.6 in the `idatendido_familiares` parameter of the `/html/funcionario/dependente_editarDoc.php` endpoint. This vulnerability allows attacker to manipulate SQL queries and access sensitive database information, such as table names and sensitive data. Version 3.4.6 fixes the issue. | 2025-07-17 | not yet calculated | CVE-2025-54061 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.4.6 in the `/html/funcionario/profile_dependente.php` endpoint, specifically in the `id_dependente` parameter. This vulnerability allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity, and availability of the database. Version 3.4.6 fixes the issue. | 2025-07-17 | not yet calculated | CVE-2025-54062 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.4.6 in the endpoint `/html/atendido/Profile_Atendido.php`, in the `idatendido` parameter. This vulnerability allow an authorized attacker to execute arbitrary SQL queries, allowing access to sensitive information. Version 3.4.6 fixes the issue. | 2025-07-18 | not yet calculated | CVE-2025-54079 |
| LimeSurvey GmbH--LimeSurvey | An unauthenticated file download vulnerability exists in LimeSurvey versions from 2.0+ up to and including 2.06+ Build 151014. The application fails to validate serialized input to the admin backup endpoint (`index.php/admin/update/sa/backup`), allowing attackers to specify arbitrary file paths using a crafted `datasupdateinfo` payload. The files are packaged in a ZIP archive and made available for download without authentication. This vulnerability can be exploited to read arbitrary files on the host system, including sensitive OS and configuration files. | 2025-07-16 | not yet calculated | CVE-2025-34120 |
| Linknat Technology--VOS Manager | A path traversal vulnerability exists in Linknat VOS Manager versions prior to 2.1.9.07, including VOS2009 and early VOS3000 builds, that allows unauthenticated remote attackers to read arbitrary files on the server. The vulnerability is accessible via multiple localized subpaths such as '/eng/', '/chs/', or '/cht/', where the 'js/lang_en_us.js' or equivalent files are loaded. By injecting encoded traversal sequences such as '%c0%ae%c0%ae' into the request path, attackers can bypass input validation and disclose sensitive files. | 2025-07-16 | not yet calculated | CVE-2025-34118 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: eventpoll: don't decrement ep refcount while still holding the ep mutex Jann Horn points out that epoll is decrementing the ep refcount and then doing a mutex_unlock(&ep->mtx); afterwards. That's very wrong, because it can lead to a use-after-free. That pattern is actually fine for the very last reference, because the code in question will delay the actual call to "ep_free(ep)" until after it has unlocked the mutex. But it's wrong for the much subtler "next to last" case when somebody *else* may also be dropping their reference and free the ep while we're still using the mutex. Note that this is true even if that other user is also using the same ep mutex: mutexes, unlike spinlocks, can not be used for object ownership, even if they guarantee mutual exclusion. A mutex "unlock" operation is not atomic, and as one user is still accessing the mutex as part of unlocking it, another user can come in and get the now released mutex and free the data structure while the first user is still cleaning up. See our mutex documentation in Documentation/locking/mutex-design.rst, in particular the section [1] about semantics: "mutex_unlock() may access the mutex structure even after it has internally released the lock already - so it's not safe for another context to acquire the mutex and assume that the mutex_unlock() context is not using the structure anymore" So if we drop our ep ref before the mutex unlock, but we weren't the last one, we may then unlock the mutex, another user comes in, drops _their_ reference and releases the 'ep' as it now has no users - all while the mutex_unlock() is still accessing it. Fix this by simply moving the ep refcount dropping to outside the mutex: the refcount itself is atomic, and doesn't need mutex protection (that's the whole _point_ of refcounts: unlike mutexes, they are inherently about object lifetimes). | 2025-07-18 | not yet calculated | CVE-2025-38349 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on an enqueue operation. This may unexpectedly empty the child qdisc and thus make an in-flight class passive via qlen_notify(). Most qdiscs do not expect such behaviour at this point in time and may re-activate the class eventually anyways which will lead to a use-after-free. The referenced fix commit attempted to fix this behavior for the HFSC case by moving the backlog accounting around, though this turned out to be incomplete since the parent's parent may run into the issue too. The following reproducer demonstrates this use-after-free: tc qdisc add dev lo root handle 1: drr tc filter add dev lo parent 1: basic classid 1:1 tc class add dev lo parent 1: classid 1:1 drr tc qdisc add dev lo parent 1:1 handle 2: hfsc def 1 tc class add dev lo parent 2: classid 2:1 hfsc rt m1 8 d 1 m2 0 tc qdisc add dev lo parent 2:1 handle 3: netem tc qdisc add dev lo parent 3:1 handle 4: blackhole echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 tc class delete dev lo classid 1:1 echo 1 | socat -u STDIN UDP4-DATAGRAM:127.0.0.1:8888 Since backlog accounting issues leading to a use-after-frees on stale class pointers is a recurring pattern at this point, this patch takes a different approach. Instead of trying to fix the accounting, the patch ensures that qdisc_tree_reduce_backlog always calls qlen_notify when the child qdisc is empty. This solves the problem because deletion of qdiscs always involves a call to qdisc_reset() and / or qdisc_purge_queue() which ultimately resets its qlen to 0 thus causing the following qdisc_tree_reduce_backlog() to report to the parent. Note that this may call qlen_notify on passive classes multiple times. This is not a problem after the recent patch series that made all the classful qdiscs qlen_notify() handlers idempotent. | 2025-07-19 | not yet calculated | CVE-2025-38350 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush In KVM guests with Hyper-V hypercalls enabled, the hypercalls HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST and HVCALL_FLUSH_VIRTUAL_ADDRESS_LIST_EX allow a guest to request invalidation of portions of a virtual TLB. For this, the hypercall parameter includes a list of GVAs that are supposed to be invalidated. However, when non-canonical GVAs are passed, there is currently no filtering in place and they are eventually passed to checked invocations of INVVPID on Intel / INVLPGA on AMD. While AMD's INVLPGA silently ignores non-canonical addresses (effectively a no-op), Intel's INVVPID explicitly signals VM-Fail and ultimately triggers the WARN_ONCE in invvpid_error(): invvpid failed: ext=0x0 vpid=1 gva=0xaaaaaaaaaaaaa000 WARNING: CPU: 6 PID: 326 at arch/x86/kvm/vmx/vmx.c:482 invvpid_error+0x91/0xa0 [kvm_intel] Modules linked in: kvm_intel kvm 9pnet_virtio irqbypass fuse CPU: 6 UID: 0 PID: 326 Comm: kvm-vm Not tainted 6.15.0 #14 PREEMPT(voluntary) RIP: 0010:invvpid_error+0x91/0xa0 [kvm_intel] Call Trace: vmx_flush_tlb_gva+0x320/0x490 [kvm_intel] kvm_hv_vcpu_flush_tlb+0x24f/0x4f0 [kvm] kvm_arch_vcpu_ioctl_run+0x3013/0x5810 [kvm] Hyper-V documents that invalid GVAs (those that are beyond a partition's GVA space) are to be ignored. While not completely clear whether this ruling also applies to non-canonical GVAs, it is likely fine to make that assumption, and manual testing on Azure confirms "real" Hyper-V interprets the specification in the same way. Skip non-canonical GVAs when processing the list of address to avoid tripping the INVVPID failure. Alternatively, KVM could filter out "bad" GVAs before inserting into the FIFO, but practically speaking the only downside of pushing validation to the final processing is that doing so is suboptimal for the guest, and no well-behaved guest will request TLB flushes for non-canonical addresses. | 2025-07-19 | not yet calculated | CVE-2025-38351 |
| LITEON--IC48A EV Charger | LITEON IC48A firmware versions prior to 01.00.19r and LITEON IC80A firmware versions prior to 01.01.12e store FTP-server-access-credentials in cleartext in their system logs. | 2025-07-16 | not yet calculated | CVE-2025-7357 |
| livewire--livewire | Livewire is a full-stack framework for Laravel. In Livewire v3 up to and including v3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions. Exploitation requires a component to be mounted and configured in a particular way, but does not require authentication or user interaction. This issue has been patched in Livewire v3.6.4. All users are strongly encouraged to upgrade to this version or later as soon as possible. No known workarounds are available. | 2025-07-17 | not yet calculated | CVE-2025-54068 |
| Merit LILIN--DVR Firmware | A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 due to insufficient sanitization of the FTP and NTP Server fields in the service configuration. An attacker with access to the configuration interface can upload a malicious XML file with injected shell commands in these fields. Upon subsequent configuration syncs, these commands are executed with elevated privileges. This vulnerability was exploited in the wild by the Moobot botnets. | 2025-07-16 | not yet calculated | CVE-2025-34129 |
| Merit LILIN--DVR Firmware | An unauthenticated arbitrary file read exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the /z/zbin/net_html.cgi endpoint. This vulnerability allows attackers to read sensitive configuration files, such as /zconf/service.xml, which can then be used to facilitate further attacks including command injection. The vulnerability has been exploited in the wild in conjunction with other issues by botnets like FBot and Moobot. | 2025-07-16 | not yet calculated | CVE-2025-34130 |
| Merit LILIN--DVR Firmware | A command injection vulnerability exists in LILIN Digital Video Recorder (DVR) devices prior to firmware version 2.0b60_20200207 via the Server field in the NTPUpdate configuration. The web service at /z/zbin/dvr_box fails to properly sanitize input, allowing remote attackers to inject and execute arbitrary commands as root by supplying specially crafted XML data to the DVRPOST interface. 777 | 2025-07-16 | not yet calculated | CVE-2025-34132 |
| META-INF--Email This Issue | A cross-site scripting (XSS) vulnerability in META-INF Kft. Email This Issue (Data Center) before 9.13.0-GA allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the recipient field of an e-mail message. | 2025-07-16 | not yet calculated | CVE-2024-42912 |
| metersphere--metersphere | MeterSphere is an open source continuous testing platform. Prior to version 3.6.5-lts, the sortField parameter in certain API endpoints is not properly validated or sanitized. An attacker can supply crafted input to inject and execute arbitrary SQL statements through the sorting functionality. This could result in modification or deletion of database contents, with a potential full compromise of the application's database integrity and availability. Version 3.6.5-lts fixes the issue. | 2025-07-14 | not yet calculated | CVE-2025-53639 |
| MIYAGAWA--Plack::Middleware::Session | Plack-Middleware-Session before version 0.35 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems. | 2025-07-16 | not yet calculated | CVE-2025-40923 |
| n/a--beiyuouo arxiv-daily | Directory traversal vulnerability in beiyuouo arxiv-daily thru 2025-05-06 (commit fad168770b0e68aef3e5acfa16bb2e7a7765d687) when parsing the the topic.yml file in the generation logic in daily_arxiv.py. | 2025-07-15 | not yet calculated | CVE-2025-50819 |
| N/A--form-data | Use of Insufficiently Random Values vulnerability in form-data allows HTTP Parameter Pollution (HPP). This vulnerability is associated with program files lib/form_data.Js. This issue affects form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3. | 2025-07-18 | not yet calculated | CVE-2025-7783 |
| n/a--Foxcms | An arbitrary file upload vulnerability in the component /controller/PicManager.php of FoxCMS v1.2.6 allows attackers to execute arbitrary code via uploading a crafted template file. | 2025-07-14 | not yet calculated | CVE-2025-51650 |
| n/a--Haichang OA | SQL Injection vulnerability in cnhcit.com Haichang OA v.1.0.0 allows a remote attacker to obtain sensitive information via the if parameter in hcit.project.rte.agents.UploadImages.class. | 2025-07-17 | not yet calculated | CVE-2024-32323 |
| n/a--Island Lake WebBatch | Island Lake WebBatch before 2025C allows Remote Code Execution via a crafted URL. | 2025-07-17 | not yet calculated | CVE-2025-53867 |
| n/a--landray OA EKP | OA EKP v16 was discovered to contain an arbitrary download vulnerability via the component /ui/sys_ui_extend/sysUiExtend.do. This vulnerability allows attackers to obtain the password of the background administrator and further obtain database permissions. | 2025-07-17 | not yet calculated | CVE-2023-41566 |
| n/a--McCms | An authenticated arbitrary file download vulnerability in the component /admin/Backups.php of Mccms v2.7.0 allows attackers to download arbitrary files via a crafted GET request. | 2025-07-14 | not yet calculated | CVE-2025-51651 |
| n/a--Mingyu Security Gateway | Mingyu Security Gateway before v3.0-5.3p was discovered to contain a remote command execution (RCE) vulnerability via the log_type parameter at /log/fw_security.mds. | 2025-07-17 | not yet calculated | CVE-2023-47356 |
| n/a--MRCMS | MRCMS v3.1.2 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /admin/group/save.do. | 2025-07-18 | not yet calculated | CVE-2025-50581 |
| n/a--NanoMQ | A segmentation fault in NanoMQ v0.21.10 allows attackers to cause a Denial of Service (DoS) via crafted messages. | 2025-07-14 | not yet calculated | CVE-2024-42646 |
| n/a--NanoMQ | NanoMQ v0.22.10 was discovered to contain a heap overflow which allows attackers to cause a Denial of Service (DoS) via a crafted CONNECT message. | 2025-07-14 | not yet calculated | CVE-2024-42648 |
| n/a--NanoMQ | NanoMQ v0.22.10 was discovered to contain a memory leak which allows attackers to cause a Denial of Service (DoS) via a crafted PUBLISH message. | 2025-07-14 | not yet calculated | CVE-2024-42649 |
| n/a--NanoMQ | NanoMQ 0.17.5 was discovered to contain a segmentation fault via the component /nanomq/pub_handler.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted PUBLISH message. | 2025-07-15 | not yet calculated | CVE-2024-42650 |
| n/a--nbcio-boot | nbcio-boot v1.0.3 was discovered to contain a SQL injection vulnerability via the userIds parameter at /sys/user/deleteRecycleBin. | 2025-07-17 | not yet calculated | CVE-2025-50240 |
| n/a--SemCms | SemCms v5.0 was discovered to contain a SQL injection vulnerability via the pid parameter at SEMCMS_Categories.php. | 2025-07-14 | not yet calculated | CVE-2025-51652 |
| n/a--SemCms | SemCms v5.0 was discovered to contain a SQL injection vulnerability via the pid parameter at SEMCMS_ct.php. | 2025-07-14 | not yet calculated | CVE-2025-51653 |
| n/a--SemCms | SemCms v5.0 was discovered to contain a SQL injection vulnerability via the pid parameter at SEMCMS_Infocategories.php. | 2025-07-14 | not yet calculated | CVE-2025-51654 |
| n/a--SemCms | SemCms v5.0 was discovered to contain a SQL injection vulnerability via the pid parameter at SEMCMS_Quanxian.php. | 2025-07-14 | not yet calculated | CVE-2025-51655 |
| n/a--SemCms | SemCms v5.0 was discovered to contain a SQL injection vulnerability via the ID parameter at SEMCMS_Link.php. | 2025-07-14 | not yet calculated | CVE-2025-51656 |
| n/a--SemCms | SemCms v5.0 was discovered to contain a SQL injection vulnerability via the lgid parameter at SEMCMS_Link.php. | 2025-07-14 | not yet calculated | CVE-2025-51657 |
| n/a--SemCms | SemCms v5.0 was discovered to contain a SQL injection vulnerability via the ID parameter at SEMCMS_InquiryView.php. | 2025-07-14 | not yet calculated | CVE-2025-51658 |
| n/a--SemCms | SemCms v5.0 was discovered to contain a SQL injection vulnerability via the ID parameter at SEMCMS_Products.php. | 2025-07-14 | not yet calculated | CVE-2025-51659 |
| n/a--SemCms | SemCms v5.0 was discovered to contain a SQL injection vulnerability via the lgid parameter at SEMCMS_Products.php. | 2025-07-14 | not yet calculated | CVE-2025-51660 |
| n/a--Simogeo Filemanager | An arbitrary file upload vulnerability in the component /rsc/filemanager.rsc.class.php of Filemanager commit c75b914 v.2.5.0 allows attackers to execute arbitrary code via uploading a crafted SVG file. | 2025-07-18 | not yet calculated | CVE-2025-46000 |
| n/a--Simogeo Filemanager | An arbitrary file upload vulnerability in the is_allowed_file_type() function of Filemanager v2.3.0 allows attackers to execute arbitrary code via uploading a crafted PHP file. | 2025-07-18 | not yet calculated | CVE-2025-46001 |
| n/a--Simogeo Filemanager | An issue in Filemanager v2.5.0 and below allows attackers to execute a directory traversal via sending a crafted HTTP request to the filemanager.php endpoint. | 2025-07-18 | not yet calculated | CVE-2025-46002 |
| n/a--Splashin iOS | Splashin iOS v2.0 fails to enforce server-side interval restrictions for location updates for free-tier users. | 2025-07-18 | not yet calculated | CVE-2025-45156 |
| n/a--Splashin iOS | Insecure permissions in Splashin iOS v2.0 allow unauthorized attackers to access location data for specific users. | 2025-07-18 | not yet calculated | CVE-2025-45157 |
| n/a--StudentManage | StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Course module. | 2025-07-18 | not yet calculated | CVE-2025-50582 |
| n/a--StudentManage | StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Student module. | 2025-07-18 | not yet calculated | CVE-2025-50583 |
| n/a--StudentManage | StudentManage v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Add A New Teacher module. | 2025-07-18 | not yet calculated | CVE-2025-50584 |
| n/a--StudentManage | StudentManage v1.0 was discovered to contain a SQL injection vulnerability via the component /admin/adminStudentUrl. | 2025-07-18 | not yet calculated | CVE-2025-50585 |
| n/a--StudentManage | StudentManage v1.0 was discovered to contain Cross-Site Request Forgery (CSRF). | 2025-07-18 | not yet calculated | CVE-2025-50586 |
| Netcore Technology--Router firmware | A remote code execution vulnerability exists in multiple Netcore and Netis routers models with firmware released prior to August 2014 due to the presence of an undocumented backdoor listener on UDP port 53413. Exact version boundaries remain undocumented. An unauthenticated remote attacker can send specially crafted UDP packets to execute arbitrary commands on the affected device. This backdoor uses a hardcoded authentication mechanism and accepts shell commands post-authentication. Some device models include a non-standard implementation of the `echo` command, which may affect exploitability. | 2025-07-16 | not yet calculated | CVE-2025-34117 |
| Netgear--Netgear XR300 | In Netgear XR300 V1.0.3.38_10.3.30, a stack-based buffer overflow vulnerability exists in the HTTPD service through the usb_device.cgi endpoint. The vulnerability occurs when processing POST requests containing the share_name parameter. | 2025-07-15 | not yet calculated | CVE-2025-52080 |
| Netgear--Netgear XR300 | In Netgear XR300 V1.0.3.38_10.3.30, a stack-based buffer overflow vulnerability exists in the HTTPD service through the usb_device.cgi endpoint. The vulnerability occurs when processing POST requests containing the usb_folder parameter. | 2025-07-15 | not yet calculated | CVE-2025-52081 |
| Netgear--Netgear XR300 | In Netgear XR300 V1.0.3.38_10.3.30, a stack-based buffer overflow exists in the HTTPD service through the usb_device.cgi endpoint. The vulnerability occurs when processing POST requests containing the read_access parameter. | 2025-07-15 | not yet calculated | CVE-2025-52082 |
| Netwrix--Netwrix Directory Manager | Netwrix Directory Manager through 2025-05-01 allows XSS. | 2025-07-17 | not yet calculated | CVE-2025-47189 |
| Nexxt Solutions--NCM-X1800 Mesh Router | An authentication bypass vulnerability in the /web/um_open_telnet.cgi endpoint in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below, allowing an attacker to remotely enable the Telnet service without authentication, bypassing security controls. The Telnet server is then accessible with hard-coded credentials, allowing attackers to gain administrative shell access and execute arbitrary commands on the device. | 2025-07-15 | not yet calculated | CVE-2025-52376 |
| Nexxt Solutions--NCM-X1800 Mesh Router | Command injection vulnerability in Nexxt Solutions NCM-X1800 Mesh Router versions UV1.2.7 and below, allowing authenticated attackers to execute arbitrary commands on the device. The vulnerability is present in the web management interface's ping and traceroute functionality, specifically in the /web/um_ping_set.cgi endpoint. The application fails to properly sanitize user input in the `Ping_host_text` parameter before passing it to the underlying system command, allowing attackers to inject and execute arbitrary shell commands as the root user. | 2025-07-15 | not yet calculated | CVE-2025-52377 |
| Nexxt Solutions--NCM-X1800 Mesh Router | Cross-Site Scripting (XSS) vulnerability in Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below allowing attackers to inject JavaScript code that is executed in the context of administrator sessions when viewing the device management page via the DEVICE_ALIAS parameter to the /web/um_device_set_aliasname endpoint. | 2025-07-15 | not yet calculated | CVE-2025-52378 |
| Nexxt Solutions--NCM-X1800 Mesh Router | Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below contains an authenticated command injection vulnerability in the firmware update feature. The /web/um_fileName_set.cgi and /web/um_web_upgrade.cgi endpoints fail to properly sanitize the upgradeFileName parameter, allowing authenticated attackers to execute arbitrary OS commands on the device, resulting in remote code execution. | 2025-07-15 | not yet calculated | CVE-2025-52379 |
| NLnet Labs--Unbound | A multi-vendor cache poisoning vulnerability named 'Rebirthday Attack' has been discovered in caching resolvers that support EDNS Client Subnet (ECS). Unbound is also vulnerable when compiled with ECS support, i.e., '--enable-subnet', AND configured to send ECS information along with queries to upstream name servers, i.e., at least one of the 'send-client-subnet', 'client-subnet-zone' or 'client-subnet-always-forward' options is used. Resolvers supporting ECS need to segregate outgoing queries to accommodate for different outgoing ECS information. This re-opens up resolvers to a birthday paradox attack (Rebirthday Attack) that tries to match the DNS transaction ID in order to cache non-ECS poisonous replies. | 2025-07-16 | not yet calculated | CVE-2025-5994 |
| nodejs--node | The V8 release used in Node.js v24.0.0 has changed how string hashes are computed using rapidhash. This implementation re-introduces the HashDoS vulnerability as an attacker who can control the strings to be hashed can generate many hash collisions - an attacker can generate collisions even without knowing the hash-seed. * This vulnerability affects Node.js v24.x users. | 2025-07-18 | not yet calculated | CVE-2025-27209 |
| nodejs--node | An incomplete fix has been identified for CVE-2025-23084 in Node.js, specifically affecting Windows device names like CON, PRN, and AUX. This vulnerability affects Windows users of `path.join` API. | 2025-07-18 | not yet calculated | CVE-2025-27210 |
| opencv--opencv | OpenCV is an Open Source Computer Vision Library. Versions prior to 4.12.0 have an uninitialized pointer variable on stack that may lead to arbitrary heap buffer write when reading crafted JPEG images. Version 4.12.0 fixes the vulnerability. | 2025-07-17 | not yet calculated | CVE-2025-53644 |
| OpenZeppelin--openzeppelin-contracts | OpenZeppelin Contracts is a library for secure smart contract development. Starting in version 5.2.0 and prior to version 5.4.0, the `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may access uninitialized memory when the following two conditions hold: 1) the provided buffer length is empty (i.e. `buffer.length == 0`) and position is not `2**256 - 1` (i.e. `pos != type(uint256).max`). The `pos` argument could be used to access arbitrary data outside of the buffer bounds. This could lead to the operation running out of gas, or returning an invalid index (outside of the empty buffer). Processing this invalid result for accessing the `buffer` would cause a revert under normal conditions. When triggered, the function reads memory at offset `buffer + 0x20 + pos`. If memory at that location (outside the `buffer`) matches the search pattern, the function would return an out of bound index instead of the expected `type(uint256).max`. This creates unexpected behavior where callers receive a valid-looking index pointing outside buffer bounds. Subsequent memory accesses that don't check bounds and use the returned index must carefully review the potential impact depending on their setup. Code relying on this function returning `type(uint256).max` for empty buffers or using the returned index without bounds checking could exhibit undefined behavior. Users should upgrade to version 5.4.0 to receive a patch. | 2025-07-17 | not yet calculated | CVE-2025-54070 |
| OS4Ed--openSIS | SQL Injection vulnerability in openSIS v.9.1 allows a remote attacker to execute arbitrary code via the id parameter in Ajax.php | 2025-07-15 | not yet calculated | CVE-2025-26186 |
| Panda Security--Panda Global Protection 2016 | PSEvents.exe in multiple Panda Security products runs hourly with SYSTEM privileges and loads DLL files from a user-writable directory without proper validation. An attacker with low-privileged access who can write DLL files to the monitored directory can achieve arbitrary code execution with SYSTEM privileges. Affected products include Panda Global Protection 2016, Panda Antivirus Pro 2016, Panda Small Business Protection, and Panda Internet Security 2016 (all versions up to 16.1.2). | 2025-07-15 | not yet calculated | CVE-2025-34109 |
| Perplexity AI--Perplexity AI Web Application | An issue in Perplexity AI GPT-4 v.2.51.0 allows a remote attacker to obtain sensitive information via the token component in the shared chat URL | 2025-07-18 | not yet calculated | CVE-2025-50708 |
| Pharmacy POS PHP Script--Pharmacy POS PHP Script | Stored Cross-Site Scripting (XSS) vulnerability in Pharmacy POS PHP Script. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the u_medicine_name parameter in /edit_medicine.php. This vulnerability can be exploited to steal sensitive user data such as session cookies or to perform actions on behalf of the user. | 2025-07-16 | not yet calculated | CVE-2025-40724 |
| Piwik (now Matomo)--Web Analytics Platform | An authenticated remote code execution vulnerability exists in Piwik (now Matomo) versions prior to 3.0.3 via the plugin upload mechanism. In vulnerable versions, an authenticated user with Superuser privileges can upload and activate a malicious plugin (ZIP archive), leading to arbitrary PHP code execution on the underlying system. Starting with version 3.0.3, plugin upload functionality is disabled by default unless explicitly enabled in the configuration file. | 2025-07-15 | not yet calculated | CVE-2025-34104 |
| RIOT-OS--RIOT | RIOT-OS, an operating system that supports Internet of Things devices, has an ineffective size check implemented with `assert()` can lead to buffer overflow in versions up to and including 2025.04. Assertions are usually compiled out in production builds. If assertions are the only defense against untrusted inputs, the software may be exposed to attacks that utilize the lack of proper input checks. In the `l2filter_add()` function shown below, `addr_len` is checked using an assertion and is subsequently used as an argument in a `memcpy()` call. When assertions are disabled, there would be no size check for `addr_len`. As a consequence, if an attacker were to provide an `addr_len` value larger than `CONFIG_L2FILTER_ADDR_MAXLEN`, they can trigger a buffer overflow and write past the `list[i].addr` buffer. If the unchecked input is attacker-controlled, the impact of the buffer overflow can range from a denial of service to arbitrary code execution. Commit f6f7de4ccc107c018630e4c15500825caf02e1c2 contains a patch for the vulnerability. | 2025-07-18 | not yet calculated | CVE-2025-53888 |
| RIPS Technologies--RIPS Scanner | A path traversal vulnerability exists in RIPS Scanner version 0.54. The vulnerability allows remote attackers to read arbitrary files on the system with the privileges of the web server by sending crafted HTTP GET requests to the 'windows/code.php' script with a manipulated 'file' parameter. This can lead to disclosure of sensitive information. | 2025-07-16 | not yet calculated | CVE-2025-34126 |
| Riverbed Technology--SteelCentral NetExpress | An authenticated multi-stage remote code execution vulnerability exists in Riverbed SteelCentral NetProfiler and NetExpress 10.8.7 virtual appliances. A SQL injection vulnerability in the '/api/common/1.0/login' endpoint can be exploited to create a new user account in the appliance database. This user can then trigger a command injection vulnerability in the '/index.php?page=licenses' endpoint to execute arbitrary commands. The attacker may escalate privileges to root by exploiting an insecure sudoers configuration that allows the 'mazu' user to execute arbitrary commands as root via SSH key extraction and command chaining. Successful exploitation allows full remote root access to the virtual appliance. | 2025-07-15 | not yet calculated | CVE-2025-34112 |
| rommapp--romm | RomM is a self-hosted rom manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the `/api/raw` endpoint. Anyone running the latest version of RomM and has multiple users, even unprivileged users, such as the kiosk user in the official implementation, may be affected. This allows the leakage of passwords and users that may be stored on the system. Versions 3.10.3 and 4.0.0-beta.3 contain a patch. | 2025-07-16 | not yet calculated | CVE-2025-53908 |
| rsjoomla.com--RSBlog! component for Joomla | A stored XSS vulnerability in the RSBlog! component 1.11.6-1.14.5 Joomla was discovered. The issue allows remote authenticated users to inject arbitrary web script or HTML via the jform[tags_text] parameter. | 2025-07-18 | not yet calculated | CVE-2025-50126 |
| rsjoomla.com--RSDirectory! component for Joomla | A stored XSS vulnerability in the RSDirectory! component 1.0.0-2.2.8 Joomla was discovered. The issue allows remote authenticated attackers to inject arbitrary web script or HTML via the review reply component. | 2025-07-18 | not yet calculated | CVE-2025-50058 |
| rsjoomla.com--RSFiles! component for Joomla | A DOS vulnerability in RSFiles! component 1.16.3-1.17.7 Joomla was discovered. The issue allows unauthenticated remote attackers to deny access to service via the search feature. | 2025-07-18 | not yet calculated | CVE-2025-50057 |
| rsjoomla.com--RSMail! component for Joomla | A reflected XSS vulnerability in RSMail! component 1.19.20 - 1.22.26 28 Joomla was discovered. The issue allows remote attackers to inject arbitrary web script or HTML via the crafted parameter. | 2025-07-18 | not yet calculated | CVE-2025-50056 |
| rucio--helm-charts | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. The common Rucio helm-charts for the `rucio-server`, `rucio-ui`, and `rucio-webui` define the log format for the apache access log of these components. The `X-Rucio-Auth-Token`, which is part of each request header sent to Rucio, is part of this log format. Thus, each access log line potentially exposes the credentials (Internal Rucio token, or JWT in case of OIDC authentication) of the user. Due to the length of the token (Especially for a JWT) the tokens are often truncated, and thus not usable as credential; nevertheless, the (partial) credential should not be part of the logfile. The impact of this issue is amplified if the access logs are made available to a larger group of people than the instance administrators themselves. An updated release has been supplied for the `rucio-server`, `rucio-ui` and `rucio-webui` helm-chart. The change was also retrofitted for the currently supported Rucio LTS releases. The patched versions are rucio-server 37.0.2, 35.0.1, and 32.0.1; rucio-ui 37.0.4, 35.0.1, and 32.0.2; and rucio-webui 37.0.2, 35.1.1, and 32.0.1. As a workaround, one may update the `logFormat` variable and remove the `X-Rucio-Auth-Token`. | 2025-07-17 | not yet calculated | CVE-2025-54064 |
| RVC-Boss--GPT-SoVITS | GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in the webui.py open_slice function. slice_opt_root and slice-inp-path takes user input, which is passed to the open_slice function, which concatenates the user input into a command and runs it on the server, leading to arbitrary command execution. At time of publication, no known patched versions are available. | 2025-07-15 | not yet calculated | CVE-2025-49833 |
| RVC-Boss--GPT-SoVITS | GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py open_denoise function. denoise_inp_dir and denoise_opt_dir take user input, which is passed to the open_denoise function, which concatenates the user input into a command and runs it on the server, leading to arbitrary command execution. At time of publication, no known patched versions are available. | 2025-07-15 | not yet calculated | CVE-2025-49834 |
| RVC-Boss--GPT-SoVITS | GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py open_asr function. asr_inp_dir (and a number of other variables) takes user input, which is passed to the open_asr function, which concatenates the user input into a command and runs it on the server, leading to arbitrary command execution. At time of publication, no known patched versions are available. | 2025-07-15 | not yet calculated | CVE-2025-49835 |
| RVC-Boss--GPT-SoVITS | GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is a command injection vulnerability in webui.py change_label function. path_list takes user input, which is passed to the change_label function, which concatenates the user input into a command and runs it on the server, leading to arbitrary command execution. At time of publication, no known patched versions are available. | 2025-07-15 | not yet calculated | CVE-2025-49836 |
| RVC-Boss--GPT-SoVITS | GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in vr.py AudioPre. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function. In uvr, a new instance of AudioPre class is created with the model_path attribute containing the aforementioned user input (here called locally model_name). Note that in this step the .pth extension is added to the path. In the AudioPre class, the user input, here called model_path, is used to load the model on that path with torch.load, which can lead to unsafe deserialization. At time of publication, no known patched versions are available. | 2025-07-15 | not yet calculated | CVE-2025-49837 |
| RVC-Boss--GPT-SoVITS | GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in vr.py AudioPreDeEcho. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function. In uvr, a new instance of AudioPreDeEcho class is created with the model_path attribute containing the aforementioned user input (here called locally model_name). Note that in this step the .pth extension is added to the path. In the AudioPreDeEcho class, the user input, here called model_path, is used to load the model on that path with torch.load, which can lead to unsafe deserialization. At time of publication, no known patched versions are available. | 2025-07-15 | not yet calculated | CVE-2025-49838 |
| RVC-Boss--GPT-SoVITS | GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in bsroformer.py. The model_choose variable takes user input (e.g. a path to a model) and passes it to the uvr function. In uvr, a new instance of Roformer_Loader class is created with the model_path attribute containing the aformentioned user input (here called locally model_name). Note that in this step the .ckpt extension is added to the path. In the Roformer_Loader class, the user input, here called model_path, is used to load the model on that path with torch.load, which can lead to unsafe deserialization. At time of publication, no known patched versions are available. | 2025-07-15 | not yet calculated | CVE-2025-49839 |
| RVC-Boss--GPT-SoVITS | GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in inference_webui.py. The GPT_dropdown variable takes user input and passes it to the change_gpt_weights function. In change_gpt_weights, the user input, here gpt_path is used to load a model with torch.load, leading to unsafe deserialization. At time of publication, no known patched versions are available. | 2025-07-15 | not yet calculated | CVE-2025-49840 |
| RVC-Boss--GPT-SoVITS | GPT-SoVITS-WebUI is a voice conversion and text-to-speech webUI. In versions 20250228v3 and prior, there is an unsafe deserialization vulnerability in process_ckpt.py. The SoVITS_dropdown variable takes user input and passes it to the load_sovits_new function in process_ckpt.py. In load_sovits_new, the user input, here sovits_path is used to load a model with torch.load, leading to unsafe deserialization. At time of publication, no known patched versions are available. | 2025-07-15 | not yet calculated | CVE-2025-49841 |
| SALVA--Authen::DigestMD5 | Authen::DigestMD5 versions 0.01 through 0.02 for Perl generate the cnonce insecurely. The cnonce (client nonce) is generated from an MD5 hash of the PID, the epoch time and the built-in rand function. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. According to RFC 2831, "The cnonce-value is an opaque quoted string value provided by the client and used by both client and server to avoid chosen plaintext attacks, and to provide mutual authentication. The security of the implementation depends on a good choice. It is RECOMMENDED that it contain at least 64 bits of entropy." | 2025-07-16 | not yet calculated | CVE-2025-40919 |
| Samsung Electronics--WLAN AP WEA453e | An unauthenticated remote command execution vulnerability exists in Samsung WLAN AP WEA453e firmware prior to version 5.2.4.T1 via improper input validation in the "Tech Support" diagnostic functionality. The command1 and command2 POST or GET parameters accept arbitrary shell commands that are executed with root privileges on the underlying operating system. An attacker can exploit this by crafting a request that injects shell commands to create output files in writable directories and then access their contents via the download endpoint. This flaw allows complete compromise of the device without authentication. | 2025-07-15 | not yet calculated | CVE-2025-34068 |
| Sawtooth Software--Lighthouse Studio | A template injection vulnerability exists in Sawtooth Software's Lighthouse Studio versions prior to 9.16.14 via the ciwweb.pl http://ciwweb.pl/ Perl web application. Exploitation allows an unauthenticated attacker can execute arbitrary commands. | 2025-07-16 | not yet calculated | CVE-2025-34300 |
| SCATI--SCATI Vision Web | SQL injection vulnerability in SCATI Vision Web of SCATI Labs from version 4.8 to 7.2. This vulnerability allows an attacker to exfiltrate some data from the database via the 'login' parameter in the endpoint '/scatevision_web/index.php/loginForm'. | 2025-07-16 | not yet calculated | CVE-2025-40985 |
| Shopify--job-iteration | The Job Iteration API is an an extension for ActiveJob that make jobs interruptible and resumable Versions prior to 1.11.0 have an arbitrary code execution vulnerability in the `CsvEnumerator` class. This vulnerability can be exploited by an attacker to execute arbitrary commands on the system where the application is running, potentially leading to unauthorized access, data leakage, or complete system compromise. The issue is fixed in versions `1.11.0` and above. Users can mitigate the risk by avoiding the use of untrusted input in the `CsvEnumerator` class and ensuring that any file paths are properly sanitized and validated before being passed to the class methods. Users should avoid using the `count_of_rows_in_file` method with untrusted CSV filenames. | 2025-07-14 | not yet calculated | CVE-2025-53623 |
| SQLite--SQLite | There exists a vulnerability in SQLite versions before 3.50.2 where the number of aggregate terms could exceed the number of columns available. This could lead to a memory corruption issue. We recommend upgrading to version 3.50.2 or above. | 2025-07-15 | not yet calculated | CVE-2025-6965 |
| Sunwood-ai-labs--github-kanban-mcp-server | GitHub Kanban MCP Server is a Model Context Protocol (MCP) server for managing GitHub issues in Kanban board format and streamlining LLM task management. Version 0.3.0 of the MCP Server is written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP Server exposes the tool `add_comment` which relies on Node.js child process API `exec` to execute the GitHub (`gh`) command, is an unsafe and vulnerable API if concatenated with untrusted user input. As of time of publication, no known patches are available. | 2025-07-14 | not yet calculated | CVE-2025-53818 |
| TECNO--tech.palm.id | Authentication vulnerability in the mobile application(tech.palm.id)may lead to the risk of information leakage. | 2025-07-16 | not yet calculated | CVE-2025-7703 |
| Tenda--CP3 Pro Firmware | Tenda CP3 Pro Firmware V22.5.4.93 contains a hardcoded root password hash in the /etc/passwd file and /etc/passwd-. An attacker with access to the firmware image can extract and attempt to crack the root password hash, potentially obtaining administrative access | 2025-07-14 | not yet calculated | CVE-2025-52363 |
| The 3DO Company--Heroes of Might and Magic III | A buffer overflow vulnerability exists in Heroes of Might and Magic III Complete 4.0.0.0, HD Mod 3.808 build 9, and Demo 1.0.0.0 via malicious .h3m map files that exploit object sprite name parsing logic. The vulnerability occurs during in-game map loading when a crafted object name causes a buffer overflow, potentially allowing arbitrary code execution. Exploitation requires the victim to open a malicious map file within the game. | 2025-07-16 | not yet calculated | CVE-2025-34124 |
| The-Scratch-Channel--the-scratch-channel.github.io | The Scratch Channel is a news website that is under development as of time of this writing. The file `/api/users.js` doesn't properly sanitize text box inputs, leading to a potential vulnerability to cross-site scripting attacks. Commit 90b39eb56b27b2bac29001abb1a3cac0964b8ddb addresses this issue. | 2025-07-15 | not yet calculated | CVE-2025-53903 |
| The-Scratch-Channel--the-scratch-channel.github.io | The Scratch Channel is a news website that is under development as of time of this writing. The file `/api/admin.js` contains code that could make the website vulnerable to cross-site scripting. No known patches exist as of time of publication. | 2025-07-16 | not yet calculated | CVE-2025-53904 |
| Tiki Software Community Association--Wiki CMS Groupware | An unauthenticated arbitrary file upload vulnerability exists in Tiki Wiki CMS Groupware version 15.1 and earlier via the ELFinder component's default connector (connector.minimal.php), which allows remote attackers to upload and execute malicious PHP scripts in the context of the web server. The vulnerable component does not enforce file type validation, allowing attackers to craft a POST request to upload executable PHP payloads through the ELFinder interface exposed at /vendor_extra/elfinder/. | 2025-07-15 | not yet calculated | CVE-2025-34111 |
| Tiki Software Community Association--Wiki CMS Groupware | An authenticated command injection vulnerability exists in Tiki Wiki CMS versions ≤14.1, ≤12.4 LTS, ≤9.10 LTS, and ≤6.14 via the `viewmode` GET parameter in `tiki-calendar.php`. When the calendar module is enabled and an authenticated user has permission to access it, an attacker can inject and execute arbitrary PHP code. Successful exploitation leads to remote code execution in the context of the web server user. | 2025-07-15 | not yet calculated | CVE-2025-34113 |
| Tinasoft--EasyCafe Server | A remote file disclosure vulnerability exists in EasyCafe Server 2.2.14, exploitable by unauthenticated remote attackers via TCP port 831. The server listens for a custom protocol where opcode 0x43 can be used to request arbitrary files by absolute path. If the file exists and is accessible, its content is returned without authentication. This flaw allows attackers to retrieve sensitive files such as system configuration, password files, or application data. | 2025-07-16 | not yet calculated | CVE-2025-34119 |
| Totolink--Totolink A3300R | Totolink A3300R V17.0.0cu.596_B20250515 was found to contain a command injection vulnerability in the sub_4197C0 function via the mac and desc parameters. This vulnerability allows unauthenticated attackers to execute arbitrary commands via a crafted request. | 2025-07-17 | not yet calculated | CVE-2025-52046 |
| TOTOLINK--TOTOLINK N350RT | TOTOLINK N350RT V9.3.5u.6139_B20201216 was discovered to contain a buffer overflow via the ePort parameter in the function setIpPortFilterRules. | 2025-07-17 | not yet calculated | CVE-2025-51630 |
| TP-Link System Inc.--Archer C1200 | A Clickjacking vulnerability in TP-Link Archer C1200 web management page allows an attacker to trick users into performing unintended actions via rendered UI layers or frames.This issue affects Archer C1200 <= 1.1.5. | 2025-07-16 | not yet calculated | CVE-2025-6983 |
| TP-Link System Inc.--Archer C50 V3 | Use of Hard-coded Credentials in TP-Link Archer C50 V3( <= 180703)/V4( <= 250117 )/V5( <= 200407 ), allows attackers to decrypt the config.xml files. | 2025-07-16 | not yet calculated | CVE-2025-6982 |
| Unknown--Stop User Enumeration | The Stop User Enumeration WordPress plugin before version 1.7.3 blocks REST API /wp-json/wp/v2/users/ requests for non-authorized users. However, this can be bypassed by URL-encoding the API path. | 2025-07-17 | not yet calculated | CVE-2025-4302 |
| Vectorized--solady | Solady is software that provides Solidity snippets with APIs. Starting in version 0.0.125 and prior to version 0.1.24, when an account is deployed via a proxy, using regular Solidity to call its initialization function may result in a silent failure, if the initialization function does not return a `bool` or some other return data. This is because regular Solidity uses `extcodesize(proxy)` to decide if call succeeds. This is insufficient in the case when the proxy points to an empty implementation. Users should upgrade to Solady v0.1.24 or later to receive a patch. Deploy any affected implementations and their factories on new EVM chains as soon as possible. | 2025-07-17 | not yet calculated | CVE-2025-53638 |
| VideoCharge Software--Studio | A stack-based buffer overflow vulnerability exists in VideoCharge Studio 2.12.3.685 when processing a specially crafted .VSC configuration file. The issue occurs due to improper handling of user-supplied data in the XML 'Name' attribute, leading to an SEH overwrite condition. An attacker can exploit this vulnerability by convincing a user to open a malicious .VSC file, resulting in arbitrary code execution under the context of the user. | 2025-07-16 | not yet calculated | CVE-2025-34123 |
| Wavlink--Wavlink WN535K3 | Wavlink WN535K3 20191010 was found to contain a command injection vulnerability in the set_sys_adm function via the newpass parameter. This vulnerability allows attackers to execute arbitrary commands via a crafted request. | 2025-07-14 | not yet calculated | CVE-2025-50756 |
| WePresent (Barco)--WiPG-1000 | An unauthenticated command injection vulnerability exists in WePresent WiPG-1000 firmware versions prior to 2.2.3.0, due to improper input handling in the undocumented /cgi-bin/rdfs.cgi endpoint. The Client parameter is not sanitized before being passed to a system call, allowing an unauthenticated remote attacker to execute arbitrary commands as the web server user. | 2025-07-15 | not yet calculated | CVE-2025-34103 |
| wolfSSL--wolfSSL | In the OpenSSL compatibility layer implementation, the function RAND_poll() was not behaving as expected and leading to the potential for predictable values returned from RAND_bytes() after fork() is called. This can lead to weak or predictable random numbers generated in applications that are both using RAND_bytes() and doing fork() operations. This only affects applications explicitly calling RAND_bytes() after fork() and does not affect any internal TLS operations. Although RAND_bytes() documentation in OpenSSL calls out not being safe for use with fork() without first calling RAND_poll(), an additional code change was also made in wolfSSL to make RAND_bytes() behave similar to OpenSSL after a fork() call without calling RAND_poll(). Now the Hash-DRBG used gets reseeded after detecting running in a new process. If making use of RAND_bytes() and calling fork() we recommend updating to the latest version of wolfSSL. Thanks to Per Allansson from Appgate for the report. | 2025-07-18 | not yet calculated | CVE-2025-7394 |
| wolfSSL--wolfSSL | A certificate verification error in wolfSSL when building with the WOLFSSL_SYS_CA_CERTS and WOLFSSL_APPLE_NATIVE_CERT_VALIDATION options results in the wolfSSL client failing to properly verify the server certificate's domain name, allowing any certificate issued by a trusted CA to be accepted regardless of the hostname. | 2025-07-18 | not yet calculated | CVE-2025-7395 |
| wolfSSL--wolfSSL | In wolfSSL release 5.8.2 blinding support is turned on by default for Curve25519 in applicable builds. The blinding configure option is only for the base C implementation of Curve25519. It is not needed, or available with; ARM assembly builds, Intel assembly builds, and the small Curve25519 feature. While the side-channel attack on extracting a private key would be very difficult to execute in practice, enabling blinding provides an additional layer of protection for devices that may be more susceptible to physical access or side-channel observation. | 2025-07-18 | not yet calculated | CVE-2025-7396 |
| X360Soft--X360 VideoPlayer ActiveX Control | A buffer overflow vulnerability exists in the X360 VideoPlayer ActiveX control (VideoPlayer.ocx) version 2.6 when handling overly long arguments to the ConvertFile() method. An attacker can exploit this vulnerability by supplying crafted input to cause memory corruption and execute arbitrary code within the context of the current process. | 2025-07-16 | not yet calculated | CVE-2025-34128 |
| Xen--Xen | When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock. | 2025-07-17 | not yet calculated | CVE-2025-1713 |
| Xen--Xen | Certain instructions need intercepting and emulating by Xen. In some cases Xen emulates the instruction by replaying it, using an executable stub. Some instructions may raise an exception, which is supposed to be handled gracefully. Certain replayed instructions have additional logic to set up and recover the changes to the arithmetic flags. For replayed instructions where the flags recovery logic is used, the metadata for exception handling was incorrect, preventing Xen from handling the the exception gracefully, treating it as fatal instead. | 2025-07-16 | not yet calculated | CVE-2025-27465 |
| ZEXELON CO., LTD.--ZWX-2000CSW2-HN | Use of hard-coded credentials issue exists in ZWX-2000CSW2-HN prior to 0.3.19 and ZWX-2000CS2-HN firmware all versions. If this vulnerability is exploited, an attacker may tamper with the settings of the device by obtaining the credentials. This vulnerability is caused by an insufficient fix for CVE-2024-39838. | 2025-07-16 | not yet calculated | CVE-2025-53842 |
| zitadel--zitadel | ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue. | 2025-07-15 | not yet calculated | CVE-2025-53895 |
Vulnerability Summary for the Week of July 7, 2025
Posted on Monday July 14, 2025
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Radiflow--iSAP Smart Collector | The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). Exploiting OS command injection through these APIs, an attacker can send arbitrary commands that are executed with administrative permissions by the underlying operating system. | 2025-07-09 | 10 | CVE-2025-3499 |
| WAGO--Wago Device Sphere | A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices. | 2025-07-07 | 10 | CVE-2025-41672 |
| wftpserver--Wing FTP Server | In Wing FTP Server before 7.4.4. the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used to execute arbitrary system commands with the privileges of the FTP service (root or SYSTEM by default). This is thus a remote code execution vulnerability that guarantees a total server compromise. This is also exploitable via anonymous FTP accounts. | 2025-07-10 | 10 | CVE-2025-47812 |
| webbertakken--docusaurus-plugin-content-gists | The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuration options. The token, intended for build-time API access only, is inadvertently included in client-side JavaScript bundles, making it accessible to anyone who can view the website's source code. This vulnerability is fixed in 4.0.0. | 2025-07-09 | 10 | CVE-2025-53624 |
| eemitch--Simple File List | The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 4.2.2 via the rename function which can be used to rename uploaded PHP code with a png extension to use a php extension. This allows unauthenticated attackers to execute code on the server. | 2025-07-12 | 9.8 | CVE-2020-36847 |
| AIT Themes--AIT CSV import/export | The AIT CSV import/export plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the /wp-content/plugins/ait-csv-import-export/admin/upload-handler.php file in versions up to, and including, 3.0.3. This makes it possible for unauthorized attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | 2025-07-12 | 9.8 | CVE-2020-36849 |
| Qualcomm, Inc.--Snapdragon | Cryptographic issue occurs due to use of insecure connection method while downloading. | 2025-07-08 | 9.1 | CVE-2025-21450 |
| Honeywell--C300 PCNT02 | The Honeywell Experion PKS and OneWireless WDM contains an Integer Underflow vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to a Communication Channel Manipulation, which could result in a failure during subtraction allowing remote code execution. Honeywell recommends updating to the most recent version of Honeywell Experion PKS:520.2 TCU9 HF1 and 530.1 TCU3 HF1 and OneWireless: 322.5 and 331.1. The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3. | 2025-07-10 | 9.4 | CVE-2025-2523 |
| Phoenix Contact--CHARX SEC-3150 | An unauthenticated remote attacker can alter the device configuration in a way to get remote code execution as root with specific configurations. | 2025-07-08 | 9.8 | CVE-2025-25270 |
| Adobe--Adobe Connect | Adobe Connect versions 24.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does require user interaction and scope is changed. | 2025-07-08 | 9.6 | CVE-2025-27203 |
| Axis Communications AB--AXIS Camera Station Pro | The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack. | 2025-07-11 | 9 | CVE-2025-30023 |
| Radiflow--iSAP Smart Collector | An unauthenticated user with management network access can get and modify the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) configuration. The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). An attacker can use these APIs to get access to all system settings, modify the configuration and execute some commands (e.g., system reboot). | 2025-07-09 | 9.9 | CVE-2025-3498 |
| Frauscher--FDS102 | A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') while uploading a config file via webUI. | 2025-07-07 | 9.1 | CVE-2025-3626 |
| Hewlett Packard Enterprise (HPE)--HPE Networking Instant On | Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication. Successful exploitation could allow a remote attacker to gain administrative access to the system. | 2025-07-08 | 9.8 | CVE-2025-37103 |
| Siemens--SINEC NMS | A vulnerability has been identified in SINEC NMS (All versions < V4.0). The affected application exposes an endpoint that allows an unauthorized modification of administrative credentials. This could allow an unauthenticated attacker to reset the superadmin password and gain full control of the application (ZDI-CAN-26569). | 2025-07-08 | 9.8 | CVE-2025-40736 |
| SAP_SE--SAP NetWeaver Application Server for Java (Log Viewer ) | A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. Successful exploitation can lead to full operating system compromise, granting attackers complete control over the affected system. This results in a severe impact on the confidentiality, integrity, and availability of the application and host environment. | 2025-07-08 | 9.1 | CVE-2025-42963 |
| SAP_SE--SAP NetWeaver Enterprise Portal Administration | SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system. | 2025-07-08 | 9.1 | CVE-2025-42964 |
| SAP_SE--SAP NetWeaver (XML Data Archiving Service) | SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. This could lead to high impact on confidentiality, integrity, and availability of the application. | 2025-07-08 | 9.1 | CVE-2025-42966 |
| SAP_SE--SAP S/4HANA and SAP SCM (Characteristic Propagation) | SAP S/4HANA and SAP SCM Characteristic Propagation has remote code execution vulnerability. This allows an attacker with user level privileges to create a new report with his own code potentially gaining full control of the affected SAP system causing high impact on confidentiality, integrity, and availability of the application. | 2025-07-08 | 9.9 | CVE-2025-42967 |
| SAP_SE--SAP NetWeaver Enterprise Portal Federated Portal Network | SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system. | 2025-07-08 | 9.1 | CVE-2025-42980 |
| uxper--Sala - Startup & SaaS WordPress Theme | The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | 2025-07-09 | 9.8 | CVE-2025-4606 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 9.8 | CVE-2025-47981 |
| Schiocco--Support Board | The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. This makes it possible for attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). An attacker can leverage CVE-2025-4855 vulnerability to exploit this vulnerability unauthenticated. | 2025-07-08 | 9.8 | CVE-2025-4828 |
| Schiocco--Support Board | The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. This makes it possible for unauthenticated attackers to bypass authorization and execute arbitrary AJAX actions defined in the sb_ajax_execute() function. An attacker can use this vulnerability to exploit CVE-2025-4828 and various other functions unauthenticated. | 2025-07-08 | 9.8 | CVE-2025-4855 |
| Adobe--Adobe Experience Manager (MS) | Adobe Experience Manager (MS) versions 6.5.23.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. Exploitation of this issue does not require user interaction. Scope is unchanged. | 2025-07-08 | 9.8 | CVE-2025-49533 |
| Adobe--ColdFusion | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. An attacker could exploit this vulnerability to access sensitive information or denial of service by bypassing security measures. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses. | 2025-07-08 | 9.3 | CVE-2025-49535 |
| Emerson--ValveLink SOLO | Emerson ValveLink Products store sensitive information in cleartext in memory. The sensitive memory might be saved to disk, stored in a core dump, or remain uncleared if the product crashes, or if the programmer does not properly clear the memory before freeing it. | 2025-07-10 | 9.4 | CVE-2025-52579 |
| Juniper Networks--Juniper Security Director | A Missing Authorization vulnerability in Juniper Networks Security Director allows an unauthenticated network-based attacker to read or tamper with multiple sensitive resources via the web interface. Numerous endpoints on the Juniper Security Director appliance do not validate authorization and will deliver information to the caller that is outside their authorization level. An attacker can access data that is outside the user's authorization level. The information obtained can be used to gain access to additional information or perpetrate other attacks, impacting downstream managed devices. This issue affects Security Director version 24.4.1. | 2025-07-11 | 9.6 | CVE-2025-52950 |
| miraheze--DiscordNotifications | DiscordNotifications is an extension for MediaWiki that sends notifications of actions in your Wiki to a Discord channel. DiscordNotifications allows sending requests via curl and file_get_contents to arbitrary URLs set via $wgDiscordIncomingWebhookUrl and $wgDiscordAdditionalIncomingWebhookUrls. This allows for DOS by causing the server to read large files. SSRF is also possible if there are internal unprotected APIs that can be accessed using HTTP POST requests, which could also possibly lead to RCE. This vulnerability is fixed in commit 1f20d850cbcce5b15951c7c6127b87b927a5415e. | 2025-07-10 | 9.1 | CVE-2025-53371 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. An SQL Injection vulnerability was identified in the /html/funcionario/profile_funcionario.php endpoint. The id_funcionario parameter is not properly sanitized or validated before being used in a SQL query, allowing an unauthenticated attacker to inject arbitrary SQL commands. The vulnerability is fixed in 3.4.3. | 2025-07-07 | 9.8 | CVE-2025-53529 |
| RSSNext--Folo | Folo organizes feeds content into one timeline. Using pull_request_target on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets (from the base repo). By exploiting the vulnerability is possible to exfiltrate GITHUB_TOKEN which has high privileges. GITHUB_TOKEN can be used to completely overtake the repo since the token has content write privileges. This vulnerability is fixed in commit 585c6a591440cd39f92374230ac5d65d7dd23d6a. | 2025-07-09 | 9.1 | CVE-2025-53546 |
| gb-plugins--GB Forms DB | The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. This is due to the function accepting user input and then passing that through call_user_func(). This makes it possible for unauthenticated attackers to execute code on the server which can be leverage to inject backdoors or create new administrative user accounts to name a few things. | 2025-07-11 | 9.8 | CVE-2025-5392 |
| iqonicdesign--WPBookit | The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-07-12 | 9.8 | CVE-2025-6058 |
| N/A--mcp-remote | mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL | 2025-07-09 | 9.6 | CVE-2025-6514 |
| D-Link--DIR-825 | A vulnerability, which was classified as critical, has been found in D-Link DIR-825 2.10. This issue affects the function sub_410DDC of the file switch_language.cgi of the component httpd. The manipulation of the argument Language leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-08 | 9.8 | CVE-2025-7206 |
| aa-team--Premium Age Verification / Restriction for WordPress | The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to read from or write to arbitrary files on the affected site's server which may make the exposure of sensitive information or remote code execution possible. | 2025-07-11 | 9.8 | CVE-2025-7401 |
| Linksys--E1000 | Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in the apply.cgi ping_ip parameter on TCP port 52000. | 2025-07-11 | 8.3 | CVE-2013-3307 |
| Siemens--SICAM TOOLBOX II | A vulnerability has been identified in SICAM TOOLBOX II (All versions < V07.11). During establishment of a https connection to the TLS server of a managed device, the affected application doesn't check the extended key usage attribute of that device's certificate. This could allow an attacker to execute an on-path network (MitM) attack. | 2025-07-08 | 8.1 | CVE-2024-31853 |
| Siemens--SICAM TOOLBOX II | A vulnerability has been identified in SICAM TOOLBOX II (All versions < V07.11). During establishment of a https connection to the TLS server of a managed device, the affected application doesn't check device's certificate common name against an expected value. This could allow an attacker to execute an on-path network (MitM) attack. | 2025-07-08 | 8.1 | CVE-2024-31854 |
| Canonical--Juju | In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution. | 2025-07-08 | 8.8 | CVE-2025-0928 |
| scriptsbundle--Nokri Job Board WordPress Theme | The Nokri - Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | 2025-07-12 | 8.8 | CVE-2025-1313 |
| End-of-Train and Head-of-Train remote linking protocol--End-of-Train and Head-of-Train remote linking protocol | The protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation. It is possible to create these EoT and HoT packets with a software defined radio and issue brake control commands to the EoT device, disrupting operations or potentially overwhelming the brake systems. | 2025-07-10 | 8.1 | CVE-2025-1727 |
| Qualcomm, Inc.--Snapdragon | Information disclosure while decoding this RTP packet Payload when UE receives the RTP packet from the network. | 2025-07-08 | 8.2 | CVE-2025-21427 |
| Phoenix Contact--CHARX SEC-3150 | An unauthenticated remote attacker can use MQTT messages to trigger out-of-bounds writes in charging stations complying with German Calibration Law, resulting in a loss of integrity for only EichrechtAgents and potential denial-of-service for these stations. | 2025-07-08 | 8.2 | CVE-2025-24003 |
| Honeywell--C300 PCNT02 | The Honeywell Experion PKS and OneWireless WDM contains a Memory Buffer vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to an Overread Buffers, which could result in improper index validation against buffer borders leading to remote code execution. Honeywell recommends updating to the most recent version of Honeywell Experion PKS: 520.2 TCU9 HF1 and 530.1 TCU3 HF1 and OneWireless: 322.5 and 331.1. The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3.The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3. | 2025-07-10 | 8.6 | CVE-2025-2521 |
| Phoenix Contact--CHARX SEC-3150 | An unauthenticated adjacent attacker can modify configuration by sending specific requests to an API-endpoint resulting in read and write access due to missing authentication. | 2025-07-08 | 8.8 | CVE-2025-25268 |
| Phoenix Contact--CHARX SEC-3150 | An unauthenticated local attacker can inject a command that is subsequently executed as root, leading to a privilege escalation. | 2025-07-08 | 8.4 | CVE-2025-25269 |
| Phoenix Contact--CHARX SEC-3150 | An unauthenticated adjacent attacker is able to configure a new OCPP backend, due to insecure defaults for the configuration interface. | 2025-07-08 | 8.8 | CVE-2025-25271 |
| j6t--gitk | Gitk is a Tcl/Tk based Git history browser. Starting with 2.41.0, a Git repository can be crafted in such a way that with some social engineering a user who has cloned the repository can be tricked into running any script (e.g., Bourne shell, Perl, Python, ...) supplied by the attacker by invoking gitk filename, where filename has a particular structure. The script is run with the privileges of the user. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50. | 2025-07-10 | 8.6 | CVE-2025-27614 |
| Microsoft--Windows 11 version 22H2 | Insufficient UI warning of dangerous operations in Remote Desktop Client allows an unauthorized attacker to perform spoofing over a network. | 2025-07-08 | 8.1 | CVE-2025-33054 |
| Radiflow--iSAP Smart Collector | The Linux distribution underlying the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) is obsolete and reached end of life (EOL) on June 30, 2024. Thus, any unmitigated vulnerability could be exploited to affect this product. | 2025-07-09 | 8.7 | CVE-2025-3497 |
| IBM--Integration Bus | IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is vulnerable to code injection by a privileged user with access to the IIB install directory. | 2025-07-07 | 8.2 | CVE-2025-36014 |
| Dell--Client Platform BIOS | Dell Client Platform BIOS contains an Improper Access Control Applied to Mirrored or Aliased Memory Regions vulnerability in an externally developed component. A high privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution. | 2025-07-08 | 8.2 | CVE-2025-36600 |
| Honeywell--C300 PCNT02 | The Honeywell Experion PKS and OneWireless WDM contains a Deployment of Wrong Handler vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to Input Data Manipulation, which could result in incorrect handling of packets leading to remote code execution. Honeywell recommends updating to the most recent version of Honeywell Experion PKS:520.2 TCU9 HF1 and 530.1 TCU3 HF1 and OneWireless: 322.5 and 331.1. The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3. | 2025-07-10 | 8.2 | CVE-2025-3946 |
| Honeywell--C300 PCNT02 | The Honeywell Experion PKS contains an Integer Underflow vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to Input Data Manipulation, which could result in improper integer data value checking during subtraction leading to a denial of service. Honeywell recommends updating to the most recent version of Honeywell Experion PKS:520.2 TCU9 HF1 and 530.1 TCU3 HF1. The affected Experion PKS products are C300 PCNT02, C300 PCNT05, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3. | 2025-07-10 | 8.2 | CVE-2025-3947 |
| Siemens--SINEC NMS | A vulnerability has been identified in SINEC NMS (All versions < V4.0). The affected devices are vulnerable to SQL injection. This could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database. | 2025-07-08 | 8.8 | CVE-2025-40735 |
| Siemens--SINEC NMS | A vulnerability has been identified in SINEC NMS (All versions < V4.0). The affected application does not properly validate file paths when extracting uploaded ZIP files. This could allow an attacker to write arbitrary files to restricted locations and potentially execute code with elevated privileges (ZDI-CAN-26571). | 2025-07-08 | 8.8 | CVE-2025-40737 |
| Siemens--SINEC NMS | A vulnerability has been identified in SINEC NMS (All versions < V4.0). The affected application does not properly validate file paths when extracting uploaded ZIP files. This could allow an attacker to write arbitrary files to restricted locations and potentially execute code with elevated privileges (ZDI-CAN-26572). | 2025-07-08 | 8.8 | CVE-2025-40738 |
| Siemens--RUGGEDCOM RMC8388 V5.X | A vulnerability has been identified in RUGGEDCOM RMC8388 V5.X (All versions < V5.10.0), RUGGEDCOM RMC8388NC V5.X (All versions < V5.10.0), RUGGEDCOM RS416NCv2 V5.X (All versions < V5.10.0), RUGGEDCOM RS416PNCv2 V5.X (All versions < V5.10.0), RUGGEDCOM RS416Pv2 V5.X (All versions < V5.10.0), RUGGEDCOM RS416v2 V5.X (All versions < V5.10.0), RUGGEDCOM RS900 (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900G (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900GNC(32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900NC(32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100 (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100NC(32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100P (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100PNC (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2288 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2288NC V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300NC V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300P V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300PNC V5.X (All versions < V5.10.0), RUGGEDCOM RSG2488 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2488NC V5.X (All versions < V5.10.0), RUGGEDCOM RSG907R (All versions < V5.10.0), RUGGEDCOM RSG908C (All versions < V5.10.0), RUGGEDCOM RSG909R (All versions < V5.10.0), RUGGEDCOM RSG910C (All versions < V5.10.0), RUGGEDCOM RSG920P V5.X (All versions < V5.10.0), RUGGEDCOM RSG920PNC V5.X (All versions < V5.10.0), RUGGEDCOM RSL910 (All versions < V5.10.0), RUGGEDCOM RSL910NC (All versions < V5.10.0), RUGGEDCOM RST2228 (All versions < V5.10.0), RUGGEDCOM RST2228P (All versions < V5.10.0), RUGGEDCOM RST916C (All versions < V5.10.0), RUGGEDCOM RST916P (All versions < V5.10.0). The affected products do not properly enforce interface access restrictions when changing from management to non-management interface configurations until a system reboot occurs, despite configuration being saved. This could allow an attacker with network access and credentials to gain access to device through non-management and maintain SSH access to the device until reboot. | 2025-07-08 | 8.8 | CVE-2025-41224 |
| PHOENIX CONTACT--AXC F 1152 | A low privileged remote attacker with file access can replace a critical file used by the watchdog to get read, write and execute access to any file on the device after the watchdog has been initialized. | 2025-07-08 | 8.8 | CVE-2025-41666 |
| PHOENIX CONTACT--AXC F 1152 | A low privileged remote attacker with file access can replace a critical file used by the arp-preinit script to get read, write and execute access to any file on the device. | 2025-07-08 | 8.8 | CVE-2025-41667 |
| PHOENIX CONTACT--AXC F 1152 | A low privileged remote attacker with file access can replace a critical file or folder used by the service security-profile to get read, write and execute access to any file on the device. | 2025-07-08 | 8.8 | CVE-2025-41668 |
| SAP_SE--SAP NetWeaver Application Server for ABAP | SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This could completely compromise the integrity and availability with no impact on confidentiality of the system. | 2025-07-08 | 8.1 | CVE-2025-42953 |
| SAP_SE--SAP NetWeaver ABAP Server and ABAP Platform | An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a replay attack against a different system. Even if the target system is fully patched, successful exploitation could result in complete system compromise, affecting confidentiality, integrity, and availability. | 2025-07-08 | 8.1 | CVE-2025-42959 |
| j6t--git-gui | Git GUI allows you to use the Git source control management tools via a GUI. A malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. Due to the unfortunate design of Tcl on Windows, the search path when looking for an executable always includes the current directory. The mentioned programs are invoked when the user selects Git Bash or Browse Files from the menu. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. | 2025-07-10 | 8.6 | CVE-2025-46334 |
| j6t--git-gui | Git GUI allows you to use the Git source control management tools via a GUI. When a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite files for which the user has write permission. This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. | 2025-07-10 | 8.5 | CVE-2025-46835 |
| Microsoft--Microsoft Configuration Manager | Improper neutralization of special elements used in an sql command ('sql injection') in Microsoft Configuration Manager allows an authorized attacker to execute code over an adjacent network. | 2025-07-08 | 8 | CVE-2025-47178 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Input Method Editor (IME) allows an authorized attacker to elevate privileges over a network. | 2025-07-08 | 8 | CVE-2025-47972 |
| Microsoft--Windows 10 Version 1809 | Use after free in Universal Print Management Service allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 8.8 | CVE-2025-47986 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-47998 |
| git--git | Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered path is read resulting in the submodule being checked out to an incorrect location. If a symlink exists that points the altered path to the submodule hooks directory, and the submodule contains an executable post-checkout hook, the script may be unintentionally executed after checkout. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. | 2025-07-08 | 8.1 | CVE-2025-48384 |
| Microsoft--Windows App Client for Windows Desktop | Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-48817 |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally. | 2025-07-08 | 8.6 | CVE-2025-48822 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-48824 |
| Adobe--ColdFusion | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Use of Hard-coded Credentials vulnerability that could result in privilege escalation. An attacker could leverage this vulnerability to gain unauthorized access to sensitive systems or data. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses. | 2025-07-08 | 8.8 | CVE-2025-49551 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49657 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49663 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49668 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49669 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49672 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49673 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49674 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49676 |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Microsoft Input Method Editor (IME) allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 8.8 | CVE-2025-49687 |
| Microsoft--Windows Server 2019 | Double free in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49688 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over an adjacent network. | 2025-07-08 | 8 | CVE-2025-49691 |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-07-08 | 8.4 | CVE-2025-49695 |
| Microsoft--Microsoft Office 2019 | Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-07-08 | 8.4 | CVE-2025-49696 |
| Microsoft--Microsoft Office 2019 | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-07-08 | 8.4 | CVE-2025-49697 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49701 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49704 |
| Microsoft--Microsoft SQL Server 2019 (GDR) | Heap-based buffer overflow in SQL Server allows an authorized attacker to execute code over a network. | 2025-07-08 | 8.5 | CVE-2025-49717 |
| Microsoft--Windows 10 Version 1809 | Missing authorization in Windows StateRepository API allows an authorized attacker to perform tampering locally. | 2025-07-08 | 8.8 | CVE-2025-49723 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Connected Devices Platform Service allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49724 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49729 |
| Microsoft--Windows Server 2019 | Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.1 | CVE-2025-49735 |
| Microsoft--Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) | Improper link resolution before file access ('link following') in Visual Studio allows an unauthorized attacker to elevate privileges over a network. | 2025-07-08 | 8.8 | CVE-2025-49739 |
| Microsoft--Windows 10 Version 1809 | Protection mechanism failure in Windows SmartScreen allows an unauthorized attacker to bypass a security feature over a network. | 2025-07-08 | 8.8 | CVE-2025-49740 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 8.8 | CVE-2025-49753 |
| Advantech--iView | A vulnerability exists in Advantech iView that could allow SQL injection and remote code execution through NetworkServlet.archiveTrapRange(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account. | 2025-07-10 | 8.8 | CVE-2025-52577 |
| Advantech--iView | A vulnerability exists in Advantech iView that could allow for SQL injection and remote code execution through NetworkServlet.getNextTrapPage(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters in this function are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account. | 2025-07-10 | 8.8 | CVE-2025-53475 |
| Canonical--Juju | The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. Uploading a malicious charm that exploits a Zip Slip vulnerability could allow an attacker to gain access to a machine running a unit through the affected charm. | 2025-07-08 | 8.8 | CVE-2025-53513 |
| Advantech--iView | A vulnerability exists in Advantech iView that allows for SQL injection and remote code execution through NetworkServlet.archiveTrap(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the 'nt authority\local service' account. | 2025-07-10 | 8.8 | CVE-2025-53515 |
| RooCodeInc--Roo-Code | Roo Code is an AI-powered autonomous coding agent. Prior to 3.22.6, if the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is with the php.validate.executablePath setting which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. This vulnerability is fixed in 3.22.6. | 2025-07-07 | 8.1 | CVE-2025-53536 |
| helm--helm | Helm is a package manager for Charts for Kubernetes. Prior to 3.18.4, a specially crafted Chart.yaml file along with a specially linked Chart.lock file can lead to local code execution when dependencies are updated. Fields in a Chart.yaml file, that are carried over to a Chart.lock file when dependencies are updated and this file is written, can be crafted in a way that can cause execution if that same content were in a file that is executed (e.g., a bash.rc file or shell script). If the Chart.lock file is symlinked to one of these files updating dependencies will write the lock file content to the symlinked file. This can lead to unwanted execution. Helm warns of the symlinked file but did not stop execution due to symlinking. This issue has been resolved in Helm v3.18.4. | 2025-07-08 | 8.5 | CVE-2025-53547 |
| gitroomhq--postiz-app | Postiz is an AI social media scheduling tool. From 1.45.1 to 1.62.3, the Postiz frontend application allows an attacker to inject arbitrary HTTP headers into the middleware pipeline. This flaw enables a server-side request forgery (SSRF) condition, which can be exploited to initiate unauthorized outbound requests from the server hosting the Postiz application. This vulnerability is fixed in 1.62.3. | 2025-07-11 | 8.2 | CVE-2025-53641 |
| iqonicdesign--WPBookit | The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_image_upload() function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-07-12 | 8.8 | CVE-2025-6057 |
| beeteam368--BeeTeam368 Extensions | The BeeTeam368 Extensions plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_submit_upload_file() function in all versions up to, and including, 2.3.5. This makes it possible for authenticated attackers with Subscriber-level access or higher to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-07-12 | 8.8 | CVE-2025-6423 |
| brainstormforce--SureForms Drag and Drop Form Builder for WordPress | The SureForms - Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-07-09 | 8.1 | CVE-2025-6691 |
| xTemos--Woodmart | The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php files can be uploaded and included. | 2025-07-08 | 8.8 | CVE-2025-6746 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content. | 2025-07-10 | 8.7 | CVE-2025-6948 |
| Ivanti--Endpoint Manager | Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users' passwords. | 2025-07-08 | 8.4 | CVE-2025-6995 |
| Ivanti--Endpoint Manager | Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users' passwords. | 2025-07-08 | 8.4 | CVE-2025-6996 |
| UTT-- 750W | A vulnerability classified as critical has been found in UTT 进取 750W up to 3.2.2-191225. This affects an unknown part of the file /goform/Fast_wireless_conf. The manipulation of the argument ssid leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-07 | 8.8 | CVE-2025-7116 |
| UTT--HiPER 840G | A vulnerability classified as critical was found in UTT HiPER 840G up to 3.1.1-190328. This vulnerability affects unknown code of the file /goform/websWhiteList. The manipulation of the argument addHostFilter leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-07 | 8.8 | CVE-2025-7117 |
| UTT--HiPER 840G | A vulnerability, which was classified as critical, has been found in UTT HiPER 840G up to 3.1.1-190328. This issue affects some unknown processing of the file /goform/formPictureUrl. The manipulation of the argument importpictureurl leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-07 | 8.8 | CVE-2025-7118 |
| D-Link--DI-500WF | A vulnerability was found in D-Link DI-500WF 17.04.10A1T. It has been declared as critical. Affected by this vulnerability is the function sprintf of the file ip_position.asp of the component jhttpd. The manipulation of the argument ip leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 8.8 | CVE-2025-7194 |
| techlabpro1--Widget for Google Reviews | The Widget for Google Reviews plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.15 via the layout parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. This is limited to just PHP files. | 2025-07-08 | 8.8 | CVE-2025-7327 |
| Tenda--O3V2 | A vulnerability, which was classified as critical, was found in Tenda O3V2 1.0.0.12(3880). Affected is the function fromSysToolTime of the file /goform/setSysTimeInfo of the component httpd. The manipulation of the argument Time leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-10 | 8.8 | CVE-2025-7416 |
| Tenda--O3V2 | A vulnerability has been found in Tenda O3V2 1.0.0.12(3880) and classified as critical. Affected by this vulnerability is the function fromNetToolGet of the file /goform/setPingInfo of the component httpd. The manipulation of the argument ip leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-10 | 8.8 | CVE-2025-7417 |
| Tenda--O3V2 | A vulnerability was found in Tenda O3V2 1.0.0.12(3880) and classified as critical. Affected by this issue is the function fromPingResultGet of the file /goform/setPing of the component httpd. The manipulation of the argument destIP leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-10 | 8.8 | CVE-2025-7418 |
| Tenda--O3V2 | A vulnerability was found in Tenda O3V2 1.0.0.12(3880). It has been classified as critical. This affects the function fromSpeedTestSet of the file /goform/setRateTest of the component httpd. The manipulation of the argument destIP leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-10 | 8.8 | CVE-2025-7419 |
| Tenda--O3V2 | A vulnerability was found in Tenda O3V2 1.0.0.12(3880). It has been declared as critical. This vulnerability affects the function formWifiBasicSet of the file /goform/setWrlBasicInfo of the component httpd. The manipulation of the argument extChannel leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-10 | 8.8 | CVE-2025-7420 |
| Tenda--O3V2 | A vulnerability was found in Tenda O3V2 1.0.0.12(3880). It has been rated as critical. This issue affects the function fromMacFilterModify of the file /goform/operateMacFilter of the component httpd. The manipulation of the argument mac leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-11 | 8.8 | CVE-2025-7421 |
| Tenda--O3V2 | A vulnerability classified as critical has been found in Tenda O3V2 1.0.0.12(3880). Affected is the function setAutoReboot of the file /goform/setNetworkService of the component httpd. The manipulation of the argument week leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-11 | 8.8 | CVE-2025-7422 |
| Tenda--O3V2 | A vulnerability classified as critical was found in Tenda O3V2 1.0.0.12(3880). Affected by this vulnerability is the function formWifiMacFilterSet of the file /goform/setWrlFilterList of the component httpd. The manipulation of the argument macList leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-11 | 8.8 | CVE-2025-7423 |
| Tenda--FH451 | A vulnerability was found in Tenda FH451 up to 1.0.0.9 and classified as critical. Affected by this issue is the function fromAddressNat of the file /goform/addressNat of the component POST Request Handler. The manipulation of the argument page leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-11 | 8.8 | CVE-2025-7434 |
| TOTOLINK--T6 | A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. Affected by this vulnerability is the function setWiFiAclRules of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument mac leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-11 | 8.8 | CVE-2025-7460 |
| Tenda--FH1201 | A vulnerability was found in Tenda FH1201 1.2.0.14. It has been declared as critical. This vulnerability affects the function formWrlsafeset of the file /goform/AdvSetWrlsafeset of the component HTTP POST Request Handler. The manipulation of the argument mit_ssid leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 8.8 | CVE-2025-7463 |
| Tenda--FH1201 | A vulnerability classified as critical was found in Tenda FH1201 1.2.0.14. Affected by this vulnerability is the function fromRouteStatic of the file /goform/fromRouteStatic of the component HTTP POST Request Handler. The manipulation of the argument page leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 8.8 | CVE-2025-7465 |
| Tenda--FH1201 | A vulnerability has been found in Tenda FH1201 1.2.0.14 and classified as critical. This vulnerability affects the function fromSafeUrlFilter of the file /goform/fromSafeUrlFilter of the component HTTP POST Request Handler. The manipulation of the argument page leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 8.8 | CVE-2025-7468 |
| Tenda--FH451 | A vulnerability classified as critical has been found in Tenda FH451 1.0.0.9. Affected is the function frmL7ProtForm of the file /goform/L7Prot of the component HTTP POST Request Handler. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 8.8 | CVE-2025-7505 |
| Tenda--FH451 | A vulnerability classified as critical was found in Tenda FH451 1.0.0.9. Affected by this vulnerability is the function fromNatlimit of the file /goform/Natlimit of the component HTTP POST Request Handler. The manipulation of the argument page leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 8.8 | CVE-2025-7506 |
| Tenda--FH1202 | A vulnerability was found in Tenda FH1202 1.2.0.14(408). It has been rated as critical. This issue affects the function fromAdvSetWan of the file /goform/AdvSetWan. The manipulation of the argument PPPOEPassword leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 8.8 | CVE-2025-7527 |
| Tenda--FH1202 | A vulnerability classified as critical has been found in Tenda FH1202 1.2.0.14(408). Affected is the function fromGstDhcpSetSer of the file /goform/GstDhcpSetSer. The manipulation of the argument dips leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 8.8 | CVE-2025-7528 |
| Tenda--FH1202 | A vulnerability classified as critical was found in Tenda FH1202 1.2.0.14(408). Affected by this vulnerability is the function fromNatlimit of the file /goform/Natlimit. The manipulation of the argument page leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 8.8 | CVE-2025-7529 |
| Tenda--FH1202 | A vulnerability, which was classified as critical, has been found in Tenda FH1202 1.2.0.14(408). Affected by this issue is the function fromPptpUserAdd of the file /goform/PPTPDClient. The manipulation of the argument Username leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 8.8 | CVE-2025-7530 |
| Tenda--FH1202 | A vulnerability, which was classified as critical, was found in Tenda FH1202 1.2.0.14(408). This affects the function fromPptpUserSetting of the file /goform/PPTPUserSetting. The manipulation of the argument delno leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 8.8 | CVE-2025-7531 |
| Tenda--FH1202 | A vulnerability has been found in Tenda FH1202 1.2.0.14(408) and classified as critical. This vulnerability affects the function fromwebExcptypemanFilter of the file /goform/webExcptypemanFilter. The manipulation of the argument page leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 8.8 | CVE-2025-7532 |
| Tenda--AC1206 | A vulnerability was found in Tenda AC1206 15.03.06.23. It has been rated as critical. This issue affects the function formSetMacFilterCfg of the file /goform/setMacFilterCfg. The manipulation of the argument deviceList leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 8.8 | CVE-2025-7544 |
| Tenda--FH1201 | A vulnerability has been found in Tenda FH1201 1.2.0.14(408) and classified as critical. This vulnerability affects the function formSafeEmailFilter of the file /goform/SafeEmailFilter. The manipulation of the argument page leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 8.8 | CVE-2025-7548 |
| Tenda--FH1201 | A vulnerability was found in Tenda FH1201 1.2.0.14(408) and classified as critical. This issue affects the function frmL7ProtForm of the file /goform/L7Prot. The manipulation of the argument page leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 8.8 | CVE-2025-7549 |
| Tenda--FH1201 | A vulnerability was found in Tenda FH1201 1.2.0.14(408). It has been classified as critical. Affected is the function fromGstDhcpSetSer of the file /goform/GstDhcpSetSer. The manipulation of the argument dips leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 8.8 | CVE-2025-7550 |
| Tenda--FH1201 | A vulnerability was found in Tenda FH1201 1.2.0.14(408). It has been declared as critical. Affected by this vulnerability is the function fromPptpUserAdd of the file /goform/PPTPDClient. The manipulation of the argument modino/username leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 8.8 | CVE-2025-7551 |
| boldgrid--Total Upkeep WordPress Backup Plugin plus Restore & Migrate by BoldGrid | The Total Upkeep - WordPress Backup Plugin plus Restore & Migrate by BoldGrid plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.14.9 via the env-info.php and restore-info.json files. This makes it possible for unauthenticated attackers to find the location of back-up files and subsequently download them. | 2025-07-12 | 7.5 | CVE-2020-36848 |
| Siemens--RUGGEDCOM i800 | A vulnerability has been identified in RUGGEDCOM i800 (All versions), RUGGEDCOM i801 (All versions), RUGGEDCOM i802 (All versions), RUGGEDCOM i803 (All versions), RUGGEDCOM M2100 (All versions), RUGGEDCOM M2200 (All versions), RUGGEDCOM M969 (All versions), RUGGEDCOM RMC30 (All versions), RUGGEDCOM RMC8388 V4.X (All versions), RUGGEDCOM RMC8388 V5.X (All versions < V5.10.0), RUGGEDCOM RP110 (All versions), RUGGEDCOM RS1600 (All versions), RUGGEDCOM RS1600F (All versions), RUGGEDCOM RS1600T (All versions), RUGGEDCOM RS400 (All versions), RUGGEDCOM RS401 (All versions), RUGGEDCOM RS416 (All versions), RUGGEDCOM RS416P (All versions), RUGGEDCOM RS416Pv2 V4.X (All versions), RUGGEDCOM RS416Pv2 V5.X (All versions < V5.10.0), RUGGEDCOM RS416v2 V4.X (All versions), RUGGEDCOM RS416v2 V5.X (All versions < V5.10.0), RUGGEDCOM RS8000 (All versions), RUGGEDCOM RS8000A (All versions), RUGGEDCOM RS8000H (All versions), RUGGEDCOM RS8000T (All versions), RUGGEDCOM RS900 (All versions), RUGGEDCOM RS900 (32M) V4.X (All versions), RUGGEDCOM RS900 (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900G (All versions), RUGGEDCOM RS900G (32M) V4.X (All versions), RUGGEDCOM RS900G (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900GP (All versions), RUGGEDCOM RS900L (All versions), RUGGEDCOM RS900M-GETS-C01 (All versions), RUGGEDCOM RS900M-GETS-XX (All versions), RUGGEDCOM RS900M-STND-C01 (All versions), RUGGEDCOM RS900M-STND-XX (All versions), RUGGEDCOM RS900W (All versions), RUGGEDCOM RS910 (All versions), RUGGEDCOM RS910L (All versions), RUGGEDCOM RS910W (All versions), RUGGEDCOM RS920L (All versions), RUGGEDCOM RS920W (All versions), RUGGEDCOM RS930L (All versions), RUGGEDCOM RS930W (All versions), RUGGEDCOM RS940G (All versions), RUGGEDCOM RS969 (All versions), RUGGEDCOM RSG2100 (All versions), RUGGEDCOM RSG2100 (32M) V4.X (All versions), RUGGEDCOM RSG2100 (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100P (All versions), RUGGEDCOM RSG2100P (32M) V4.X (All versions), RUGGEDCOM RSG2100P (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2200 (All versions), RUGGEDCOM RSG2288 V4.X (All versions), RUGGEDCOM RSG2288 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300 V4.X (All versions), RUGGEDCOM RSG2300 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300P V4.X (All versions), RUGGEDCOM RSG2300P V5.X (All versions < V5.10.0), RUGGEDCOM RSG2488 V4.X (All versions), RUGGEDCOM RSG2488 V5.X (All versions < V5.10.0), RUGGEDCOM RSG907R (All versions < V5.10.0), RUGGEDCOM RSG908C (All versions < V5.10.0), RUGGEDCOM RSG909R (All versions < V5.10.0), RUGGEDCOM RSG910C (All versions < V5.10.0), RUGGEDCOM RSG920P V4.X (All versions), RUGGEDCOM RSG920P V5.X (All versions < V5.10.0), RUGGEDCOM RSL910 (All versions < V5.10.0), RUGGEDCOM RST2228 (All versions < V5.10.0), RUGGEDCOM RST2228P (All versions < V5.10.0), RUGGEDCOM RST916C (All versions < V5.10.0), RUGGEDCOM RST916P (All versions < V5.10.0). The affected products support insecure cryptographic algorithms. An attacker could leverage these legacy algorithms to achieve a man-in-the-middle attack or impersonate communicating parties. | 2025-07-08 | 7 | CVE-2023-52236 |
| Gavias--Halpes | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gavias Halpes allows Reflected XSS.This issue affects Halpes: from n/a before 1.2.5. | 2025-07-07 | 7.1 | CVE-2024-43334 |
| IBM--InfoSphere Data Replication VSAM for z/OS Remote Source | IBM InfoSphere Data Replication VSAM for z/OS Remote Source 11.4 could allow a remote user to cause a denial of service by sending an invalid HTTP request to the log reading service. | 2025-07-08 | 7.5 | CVE-2024-56468 |
| SugarCRM--SugarCRM | SugarCRM before 13.0.4 and 14.x before 14.0.1 allows SSRF in the API module because a limited type of code injection can occur. | 2025-07-13 | 7.2 | CVE-2024-58258 |
| OMRON Corporation--Machine Automation Controller NJ-series | Least Privilege Violation (CWE-272) Vulnerability exists in the communication function between the NJ/NX-series Machine Automation Controllers and the Sysmac Studio Software. An attacker may use this vulnerability to perform unauthorized access and to execute unauthorized code remotely to the controller products. | 2025-07-13 | 7 | CVE-2025-1384 |
| Samsung Mobile--libsavsvc.so | Out-of-bounds write in handling of macro blocks for MPEG4 codec in libsavsvc.so prior to Android 15 allows local attackers to write out-of-bounds memory. | 2025-07-08 | 7 | CVE-2025-21006 |
| Adobe--Substance3D - Designer | Substance3D - Designer versions 14.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-21164 |
| Adobe--Substance3D - Designer | Substance3D - Designer versions 14.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-21165 |
| Adobe--Substance3D - Designer | Substance3D - Designer versions 14.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-21166 |
| Qualcomm, Inc.--Snapdragon | Cryptographic issue while processing crypto API calls, missing checks may lead to corrupted key usage or IV reuses. | 2025-07-08 | 7.1 | CVE-2025-21422 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while retrieving the CBOR data from TA. | 2025-07-08 | 7.8 | CVE-2025-21432 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while copying the result to the transmission queue in EMAC. | 2025-07-08 | 7.8 | CVE-2025-21444 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while copying the result to the transmission queue which is shared between the virtual machine and the host. | 2025-07-08 | 7.8 | CVE-2025-21445 |
| Qualcomm, Inc.--Snapdragon | Transient DOS may occur when processing vendor-specific information elements while parsing a WLAN frame for BTM requests. | 2025-07-08 | 7.5 | CVE-2025-21446 |
| Qualcomm, Inc.--Snapdragon | Transient DOS may occur while processing malformed length field in SSID IEs. | 2025-07-08 | 7.5 | CVE-2025-21449 |
| Qualcomm, Inc.--Snapdragon | Transient DOS while processing received beacon frame. | 2025-07-08 | 7.5 | CVE-2025-21454 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing a private escape command in an event trigger. | 2025-07-08 | 7.8 | CVE-2025-21466 |
| Siemens--TIA Administrator | A vulnerability has been identified in TIA Administrator (All versions < V3.0.6). The affected application allows low-privileged users to trigger installations by overwriting cache files and modifying the downloads path. This would allow an attacker to escalate privilege and exceute arbitrary code. | 2025-07-08 | 7.8 | CVE-2025-23365 |
| Phoenix Contact--CHARX SEC-3150 | A local attacker with a local user account can leverage a vulnerable script via SSH to escalate privileges to root due to improper input validation. | 2025-07-08 | 7.8 | CVE-2025-24005 |
| Phoenix Contact--CHARX SEC-3150 | A low privileged local attacker can leverage insecure permissions via SSH on the affected devices to escalate privileges to root. | 2025-07-08 | 7.8 | CVE-2025-24006 |
| Honeywell--C300 PCNT02 | The Honeywell Experion PKS contains an Uninitialized Variable in the common Epic Platform Analyzer (EPA) communications. An attacker could potentially exploit this vulnerability, leading to a Communication Channel Manipulation, which results in a dereferencing of an uninitialized pointer leading to a denial of service. Honeywell recommends updating to the most recent version of Honeywell Experion PKS: 520.2 TCU9 HF1and 530.1 TCU3 HF1. The affected Experion PKS products are C300 PCNT02, EHB, EHPM, ELMM, Classic ENIM, ETN, FIM4, FIM8, PGM, and RFIM. The Experion PKS versions affected are from 520.1 through 520.2 TCU9 and from 530 through 530 TCU3. | 2025-07-10 | 7.5 | CVE-2025-2520 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing video packets received from video firmware. | 2025-07-08 | 7.8 | CVE-2025-27042 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing manipulated payload in video firmware. | 2025-07-08 | 7.8 | CVE-2025-27043 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while executing timestamp video decode command with large input values. | 2025-07-08 | 7.8 | CVE-2025-27044 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing multiple simultaneous escape calls. | 2025-07-08 | 7.8 | CVE-2025-27046 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing the TESTPATTERNCONFIG escape path. | 2025-07-08 | 7.8 | CVE-2025-27047 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing event close when client process terminates abruptly. | 2025-07-08 | 7.8 | CVE-2025-27050 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing command message in WLAN Host. | 2025-07-08 | 7.8 | CVE-2025-27051 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing data packets in diag received from Unix clients. | 2025-07-08 | 7.8 | CVE-2025-27052 |
| Qualcomm, Inc.--Snapdragon | Memory corruption during the image encoding process. | 2025-07-08 | 7.8 | CVE-2025-27055 |
| Qualcomm, Inc.--Snapdragon | Memory corruption during sub-system restart while processing clean-up to free up resources. | 2025-07-08 | 7.8 | CVE-2025-27056 |
| Qualcomm, Inc.--Snapdragon | Transient DOS while handling beacon frames with invalid IE header length. | 2025-07-08 | 7.5 | CVE-2025-27057 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing packet data with exceedingly large packet. | 2025-07-08 | 7.8 | CVE-2025-27058 |
| Qualcomm, Inc.--Snapdragon | Memory corruption whhile handling the subsystem failure memory during the parsing of video packets received from the video firmware. | 2025-07-08 | 7.8 | CVE-2025-27061 |
| Adobe--Dimension | Dimension versions 4.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-30312 |
| Juniper Networks--Junos OS | An Incorrect Permission Assignment for Critical Resource vulnerability in line card script processing of Juniper Networks Junos OS allows a local, low-privileged user to install scripts to be executed as root, leading to privilege escalation. A local user with access to the local file system can copy a script to the router in a way that will be executed as root, as the system boots. Execution of the script as root can lead to privilege escalation, potentially providing the adversary complete control of the system. This issue only affects specific line cards, such as the MPC10, MPC11, LC4800, LC9600, MX304-LMIC16, SRX4700, and EX9200-15C. This issue affects Junos OS: * from 23.2 before 23.2R2-S4, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2-S1, * from 24.4 before 24.4R1-S3, 24.4R2. This issue does not affect versions prior to 23.1R2. | 2025-07-11 | 7.3 | CVE-2025-30661 |
| redis--redis | Redis is an open source, in-memory database that persists on disk. From 2.8 to before 8.0.3, 7.4.5, 7.2.10, and 6.2.19, an authenticated user may use a specially crafted string to trigger a stack/heap out of bounds write on hyperloglog operations, potentially leading to remote code execution. The bug likely affects all Redis versions with hyperloglog operations implemented. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing hyperloglog operations. This can be done using ACL to restrict HLL commands. | 2025-07-07 | 7 | CVE-2025-32023 |
| Hewlett Packard Enterprise (HPE)--HPE Networking Instant On | An authenticated command injection vulnerability exists in the Command line interface of HPE Networking Instant On Access Points. A successful exploitation could allow a remote attacker with elevated privileges to execute arbitrary commands on the underlying operating system as a highly privileged user. | 2025-07-08 | 7.2 | CVE-2025-37102 |
| Siemens--Solid Edge SE2025 | A vulnerability has been identified in Solid Edge SE2025 (All versions < V225.0 Update 5). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. | 2025-07-08 | 7.8 | CVE-2025-40739 |
| Siemens--Solid Edge SE2025 | A vulnerability has been identified in Solid Edge SE2025 (All versions < V225.0 Update 5). The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process. | 2025-07-08 | 7.8 | CVE-2025-40740 |
| Siemens--Solid Edge SE2025 | A vulnerability has been identified in Solid Edge SE2025 (All versions < V225.0 Update 5). The affected applications contain a stack based overflow vulnerability while parsing specially crafted CFG files. This could allow an attacker to execute code in the context of the current process. | 2025-07-08 | 7.8 | CVE-2025-40741 |
| SAP_SE--SAP Business Warehouse and SAP Plug-In Basis | SAP Business Warehouse and SAP Plug-In Basis allows an authenticated attacker to add fields to arbitrary SAP database tables and/or structures, potentially rendering the system unusable. On successful exploitation, an attacker can render the system unusable by triggering short dumps on login. This could cause a high impact on availability. Data confidentiality and integrity are not affected. No data can be read, changed or deleted. | 2025-07-08 | 7.7 | CVE-2025-42952 |
| Adobe--Substance3D - Viewer | Substance3D - Viewer versions 0.22 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user, scope unchanged. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-43582 |
| Adobe--InDesign Desktop | InDesign Desktop versions 19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-43591 |
| Adobe--InDesign Desktop | InDesign Desktop versions 19.5.3 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-43592 |
| Adobe--InDesign Desktop | InDesign Desktop versions 19.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-43594 |
| Emerson--ValveLink SOLO | Emerson ValveLink products do not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. | 2025-07-10 | 7.7 | CVE-2025-46358 |
| Zoom Communications Inc.--Zoom Workplace for Linux | Improper certificate validation in Zoom Workplace for Linux before version 6.4.13 may allow an unauthorized user to conduct an information disclosure via network access. | 2025-07-10 | 7.4 | CVE-2025-46788 |
| Adobe--InCopy | InCopy versions 20.3, 19.5.3 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47097 |
| Adobe--InCopy | InCopy versions 20.3, 19.5.3 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47098 |
| Adobe--InCopy | InCopy versions 20.3, 19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47099 |
| Adobe--InDesign Desktop | InDesign Desktop versions 19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47103 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47121 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47122 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47123 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47124 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47125 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47126 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47127 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47128 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47129 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47130 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47131 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47132 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47133 |
| Adobe--InDesign Desktop | InDesign Desktop versions 19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47134 |
| Adobe--InDesign Desktop | InDesign Desktop versions 19.5.3 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-47136 |
| Microsoft--Windows 10 Version 1809 | Protection mechanism failure in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-47159 |
| Microsoft--Windows Server 2022 | Buffer over-read in Virtual Hard Disk (VHDX) allows an unauthorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-47971 |
| Microsoft--Windows 10 Version 1809 | Buffer over-read in Virtual Hard Disk (VHDX) allows an unauthorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-47973 |
| Microsoft--Windows 10 Version 1809 | Double free in Windows SSDP Service allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7 | CVE-2025-47975 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows SSDP Service allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-47976 |
| Microsoft--Windows 10 Version 1809 | Improper input validation in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-47982 |
| Microsoft--Windows 10 Version 1809 | Protection mechanism failure in Windows GDI allows an unauthorized attacker to disclose information over a network. | 2025-07-08 | 7.5 | CVE-2025-47984 |
| Microsoft--Windows 10 Version 1809 | Untrusted pointer dereference in Windows Event Tracing allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-47985 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Cred SSProvider Protocol allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-47987 |
| Microsoft--Azure Monitor | Improper control of generation of code ('code injection') in Azure Monitor Agent allows an unauthorized attacker to execute code over an adjacent network. | 2025-07-08 | 7.5 | CVE-2025-47988 |
| Microsoft--Windows 10 Version 1809 | Use after free in Microsoft Input Method Editor (IME) allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-47991 |
| Microsoft--Windows Server 2025 (Server Core installation) | Improper access control in Microsoft PC Manager allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-47993 |
| Microsoft--Microsoft Office 2019 | Deserialization of untrusted data in Microsoft Office allows an unauthorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-47994 |
| Microsoft--Windows 10 Version 1809 | Integer underflow (wrap or wraparound) in Windows MBT Transport driver allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-47996 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-48000 |
| redis--redis | Redis is an open source, in-memory database that persists on disk. An unauthenticated connection can cause repeated IP protocol errors, leading to client starvation and, ultimately, a denial of service. This vulnerability is fixed in 8.0.3, 7.4.5, 7.2.10, and 6.2.19. | 2025-07-07 | 7.5 | CVE-2025-48367 |
| Microsoft--Windows 10 Version 1809 | Improper link resolution before file access ('link following') in Windows Update Service allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-48799 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Microsoft MPEG-2 Video Extension allows an authorized attacker to execute code locally. | 2025-07-08 | 7.8 | CVE-2025-48805 |
| Microsoft--Windows 10 Version 1809 | Use after free in Microsoft MPEG-2 Video Extension allows an authorized attacker to execute code locally. | 2025-07-08 | 7.8 | CVE-2025-48806 |
| Microsoft--Windows 10 Version 1809 | Missing authentication for critical function in Windows Remote Desktop Licensing Service allows an unauthorized attacker to bypass a security feature over a network. | 2025-07-08 | 7.5 | CVE-2025-48814 |
| Microsoft--Windows 10 Version 1809 | Access of resource using incompatible type ('type confusion') in Windows SSDP Service allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-48815 |
| Microsoft--Windows 10 Version 1809 | Integer overflow or wraparound in HID class driver allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-48816 |
| Microsoft--Windows 10 Version 1809 | Sensitive data storage in improperly locked memory in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges over an adjacent network. | 2025-07-08 | 7.1 | CVE-2025-48819 |
| Microsoft--Windows 10 Version 1809 | Improper link resolution before file access ('link following') in Windows AppX Deployment Service allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-48820 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges over an adjacent network. | 2025-07-08 | 7.1 | CVE-2025-48821 |
| Advantech--iView | A vulnerability exists in Advantech iView that could allow for SQL injection through the CUtils.checkSQLInjection() function. This vulnerability can be exploited by an authenticated attacker with at least user-level privileges, potentially leading to information disclosure or a denial-of-service condition. | 2025-07-10 | 7.6 | CVE-2025-48891 |
| Adobe--Illustrator | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-49526 |
| Adobe--Illustrator | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-49527 |
| Adobe--Illustrator | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-49528 |
| Adobe--Illustrator | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-49529 |
| Adobe--Illustrator | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-49530 |
| Adobe--Illustrator | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-49531 |
| Adobe--Illustrator | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 7.8 | CVE-2025-49532 |
| Adobe--ColdFusion | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized access. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses. | 2025-07-08 | 7.3 | CVE-2025-49536 |
| Adobe--ColdFusion | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by a high-privileged attacker. Exploitation of this issue requires user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses. | 2025-07-08 | 7.9 | CVE-2025-49537 |
| Adobe--ColdFusion | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An attacker can exploit this issue by injecting crafted XML or XPath queries to access unauthorized files or lead to denial of service. Exploitation of this issue does not require user interaction, and attack must have access to shared secrets. | 2025-07-08 | 7.4 | CVE-2025-49538 |
| Microsoft--Windows 10 Version 1809 | Buffer over-read in Windows TDX.sys allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49659 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Event Tracing allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49660 |
| Microsoft--Windows 10 Version 1809 | Untrusted pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49661 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Workspace Broker allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49665 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Kernel allows an authorized attacker to execute code over a network. | 2025-07-08 | 7.2 | CVE-2025-49666 |
| Microsoft--Windows 10 Version 1809 | Double free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49667 |
| Microsoft--Windows 10 Version 1809 | Use after free in Kernel Streaming WOW Thunk Service Driver allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49675 |
| Microsoft--Windows 11 version 22H2 | Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7 | CVE-2025-49677 |
| Microsoft--Windows 10 Version 1809 | Null pointer dereference in Windows NTFS allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7 | CVE-2025-49678 |
| Microsoft--Windows 10 Version 1809 | Numeric truncation error in Windows Shell allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49679 |
| Microsoft--Windows 10 Version 1809 | Improper link resolution before file access ('link following') in Windows Performance Recorder allows an authorized attacker to deny service locally. | 2025-07-08 | 7.3 | CVE-2025-49680 |
| Microsoft--Windows Server 2022 | Use after free in Windows Media allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.3 | CVE-2025-49682 |
| Microsoft--Windows 10 Version 1809 | Integer overflow or wraparound in Virtual Hard Disk (VHDX) allows an unauthorized attacker to execute code locally. | 2025-07-08 | 7.8 | CVE-2025-49683 |
| Microsoft--Windows 10 Version 1809 | Use after free in Microsoft Windows Search Component allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7 | CVE-2025-49685 |
| Microsoft--Windows 10 Version 1809 | Null pointer dereference in Windows TCP/IP allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49686 |
| Microsoft--Windows 10 Version 1809 | Integer overflow or wraparound in Virtual Hard Disk (VHDX) allows an unauthorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49689 |
| Microsoft--Windows 10 Version 1809 | Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an unauthorized attacker to elevate privileges locally. | 2025-07-08 | 7.4 | CVE-2025-49690 |
| Microsoft--Windows 11 version 22H2 | Double free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49693 |
| Microsoft--Windows Server 2025 (Server Core installation) | Null pointer dereference in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49694 |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2025-07-08 | 7.8 | CVE-2025-49698 |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-07-08 | 7 | CVE-2025-49699 |
| Microsoft--Microsoft Office 2019 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2025-07-08 | 7.8 | CVE-2025-49700 |
| Microsoft--Microsoft Office 2019 | Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. | 2025-07-08 | 7.8 | CVE-2025-49702 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 2025-07-08 | 7.8 | CVE-2025-49703 |
| Microsoft--Microsoft Office 2019 | Heap-based buffer overflow in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. | 2025-07-08 | 7.8 | CVE-2025-49705 |
| Microsoft--Office Online Server | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | 2025-07-08 | 7.8 | CVE-2025-49711 |
| Microsoft--Python extension for Visual Studio Code | Trust boundary violation in Visual Studio Code - Python extension allows an unauthorized attacker to execute code locally. | 2025-07-08 | 7.8 | CVE-2025-49714 |
| Microsoft--Microsoft SQL Server 2019 (GDR) | Use of uninitialized resource in SQL Server allows an unauthorized attacker to disclose information over a network. | 2025-07-08 | 7.5 | CVE-2025-49718 |
| Microsoft--Microsoft SQL Server 2017 (GDR) | Improper input validation in SQL Server allows an unauthorized attacker to disclose information over a network. | 2025-07-08 | 7.5 | CVE-2025-49719 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Fast FAT Driver allows an unauthorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49721 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Notification allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49725 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Notification allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49726 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7 | CVE-2025-49727 |
| Microsoft--Windows 10 Version 1809 | Time-of-check time-of-use (toctou) race condition in Microsoft Windows QoS scheduler allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49730 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49732 |
| Microsoft--Windows 10 Version 1809 | Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49733 |
| Microsoft--Microsoft Teams for Mac | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Teams allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7 | CVE-2025-49737 |
| Microsoft--Microsoft PC Manager | Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7.8 | CVE-2025-49738 |
| Microsoft--Windows 10 Version 1809 | Integer overflow or wraparound in Microsoft Graphics Component allows an authorized attacker to execute code locally. | 2025-07-08 | 7.8 | CVE-2025-49742 |
| Microsoft--Windows 10 Version 1809 | Heap-based buffer overflow in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 7 | CVE-2025-49744 |
| Emerson--ValveLink SOLO | Emerson ValveLink Products store sensitive information in cleartext within a resource that might be accessible to another control sphere. | 2025-07-10 | 7.7 | CVE-2025-50109 |
| FUJI ELECTRIC CO., LTD. / Hakko Electronics Co., Ltd.--V-SFT-6 | A heap-based buffer overflow vulnerability exists in VS6Sim.exe contained in V-SFT and TELLUS provided by FUJI ELECTRIC CO., LTD. Opening V9 files or X1 files specially crafted by an attacker on the affected product may lead to arbitrary code execution. | 2025-07-08 | 7.8 | CVE-2025-50130 |
| Mitsubishi Electric Corporation--PV-DR004J | Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor "EcoGuideTAB" PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. However, the product is not affected by this vulnerability when it remains unused for a certain period of time (default: 5 minutes) and enters the power-saving mode with the display unit's LCD screen turned off. The affected products discontinued in 2015, support ended in 2020. | 2025-07-10 | 7.1 | CVE-2025-5023 |
| Autodesk--Revit | A maliciously crafted RFA, RTE, or RVT file, when parsed through Autodesk Revit, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2025-07-10 | 7.8 | CVE-2025-5037 |
| Autodesk--Revit | A maliciously crafted RTE file, when parsed through Autodesk Revit, can force a Heap-Based Overflow vulnerability. A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. | 2025-07-10 | 7.8 | CVE-2025-5040 |
| Canonical--Multipass | In Canonical Multipass up to and including version 1.15.1 on macOS, incorrect default permissions allow a local attacker to escalate privileges by modifying files executed with administrative privileges by a Launch Daemon during system startup. | 2025-07-11 | 7.3 | CVE-2025-5199 |
| Trend Micro, Inc.--Trend Micro Security (Consumer) | Trend Micro Security 17.8 (Consumer) is vulnerable to a link following local privilege escalation vulnerability that could allow a local attacker to unintentionally delete privileged Trend Micro files including its own. | 2025-07-10 | 7.8 | CVE-2025-52521 |
| Trend Micro, Inc.--Trend Micro Password Manager | Trend Micro Password Manager (Consumer) version 5.8.0.1327 and below is vulnerable to a Link Following Privilege Escalation Vulnerability that could allow an attacker the opportunity to abuse symbolic links and other methods to delete any file/folder and achieve privilege escalation. | 2025-07-10 | 7.8 | CVE-2025-52837 |
| Juniper Networks--Junos OS | A Use After Free vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an attacker sending a BGP update with a specifically malformed AS PATH to cause rpd to crash, resulting in a Denial of Service (DoS). Continuous receipt of the malformed AS PATH attribute will cause a sustained DoS condition. On all Junos OS and Junos OS Evolved platforms, the rpd process will crash and restart when a specifically malformed AS PATH is received within a BGP update and traceoptions are enabled. This issue only affects systems with BGP traceoptions enabled and requires a BGP session to be already established. Systems without BGP traceoptions enabled are not impacted by this issue. This issue affects: Junos OS: * All versions before 21.2R3-S9, * all versions of 21.4, * from 22.2 before 22.2R3-S6, * from 22.4 before 22.4R3-S5, * from 23.2 before 23.2R2-S3, * from 23.4 before 23.4R2-S4, * from 24.2 before 24.2R2; Junos OS Evolved: * All versions before 22.4R3-S5-EVO, * from 23.2-EVO before 23.2R2-S3-EVO, * from 23.4-EVO before 23.4R2-S4-EVO, * from 24.2-EVO before 24.2R2-EVO. This is a more complete fix for previously published CVE-2024-39549 (JSA83011). | 2025-07-11 | 7.5 | CVE-2025-52946 |
| Juniper Networks--Junos OS Evolved | A Missing Authorization vulnerability in the internal virtual routing and forwarding (VRF) of Juniper Networks Junos OS Evolved allows a local, low-privileged user to gain root privileges, leading to a system compromise. Any low-privileged user with the capability to send packets over the internal VRF can execute arbitrary Junos commands and modify the configuration, and thus compromise the system. This issue affects Junos OS Evolved: * All versions before 22.2R3-S7-EVO, * from 22.4 before 22.4R3-S7-EVO, * from 23.2 before 23.2R2-S4-EVO, * from 23.4 before 23.4R2-S5-EVO, * from 24.2 before 24.2R2-S1-EVO * from 24.4 before 24.4R1-S2-EVO, 24.4R2-EVO. | 2025-07-11 | 7.8 | CVE-2025-52954 |
| Juniper Networks--Junos OS | A Use of Incorrect Byte Ordering vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS on SRX300 Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). When a BGP update is received over an established BGP session which contains a specific, valid, optional, transitive path attribute, rpd will crash and restart. This issue affects eBGP and iBGP over IPv4 and IPv6. This issue affects: Junos OS: * 22.1 versions from 22.1R1 before 22.2R3-S4, * 22.3 versions before 22.3R3-S3, * 22.4 versions before 22.4R3-S2, * 23.2 versions before 23.2R2, * 23.4 versions before 23.4R2. | 2025-07-11 | 7.5 | CVE-2025-52980 |
| Juniper Networks--Junos OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX1600, SRX2300, SRX 4000 Series, and SRX5000 Series with SPC3 allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). If a sequence of specific PIM packets is received, this will cause a flowd crash and restart. This issue affects Junos OS: * all versions before 21.2R3-S9, * 21.4 versions before 21.4R3-S11, * 22.2 versions before 22.2R3-S7, * 22.4 versions before 22.4R3-S6, * 23.2 versions before 23.2R2-S4, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2. This is a similar, but different vulnerability than the issue reported as CVE-2024-47503, published in JSA88133. | 2025-07-11 | 7.5 | CVE-2025-52981 |
| Juniper Networks--Junos OS | A UI Discrepancy for Security Feature vulnerability in the UI of Juniper Networks Junos OS on VM Host systems allows a network-based, unauthenticated attacker to access the device. On VM Host Routing Engines (RE), even if the configured public key for root has been removed, remote users which are in possession of the corresponding private key can still log in as root. This issue affects Junos OS: * all versions before 22.2R3-S7, * 22.4 versions before 22.4R3-S5, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S3, * 24.2 versions before 24.2R1-S2, 24.2R2. | 2025-07-11 | 7.2 | CVE-2025-52983 |
| Huawei--HarmonyOS | Vulnerability of bypassing the process to start SA and use related functions on distributed cameras Impact: Successful exploitation of this vulnerability may allow the peer device to use the camera without user awareness. | 2025-07-07 | 7.6 | CVE-2025-53169 |
| Flux159--mcp-server-kubernetes | MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. A command injection vulnerability exists in the mcp-server-kubernetes MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. This vulnerability is fixed in 2.5.0. | 2025-07-08 | 7.5 | CVE-2025-53355 |
| alfonsograziano--node-code-sandbox-mcp | node-code-sandbox-mcp is a Node.js-based Model Context Protocol server that spins up disposable Docker containers to execute arbitrary JavaScript. Prior to 1.3.0, a command injection vulnerability exists in the node-code-sandbox-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.execSync, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges on the host machine, bypassing the sandbox protection of running code inside docker. This vulnerability is fixed in 1.3.0. | 2025-07-08 | 7.5 | CVE-2025-53372 |
| Trend Micro, Inc.--Trend Micro Worry-Free Business Security Services | A missing authentication vulnerability in Trend Micro Worry-Free Business Security Services (WFBSS) agent could have allowed an unauthenticated attacker to remotely take control of the agent on affected installations. Also note: this vulnerability only affected the SaaS client version of WFBSS only, meaning the on-premise version of Worry-Free Business Security was not affected, and this issue was addressed in a WFBSS monthly maintenance update. Therefore no other customer action is required to mitigate if the WFBSS agents are on the regular SaaS maintenance deployment schedule and this disclosure is for informational purposes only. | 2025-07-10 | 7.6 | CVE-2025-53378 |
| Trend Micro, Inc.--Trend Micro Cleaner One Pro | Trend Micro Cleaner One Pro is vulnerable to a Privilege Escalation vulnerability that could allow a local attacker to unintentionally delete privileged Trend Micro files including its own. | 2025-07-10 | 7.8 | CVE-2025-53503 |
| kubernetes-sigs--headlamp | Headlamp is an extensible Kubernetes web UI. A command injection vulnerability was discovered in the codeSign.js script used in the macOS packaging workflow of the Kubernetes Headlamp project. This issue arises due to the improper use of Node.js's execSync() function with unsanitized input derived from environment variables, which can be influenced by an attacker. The variables ${teamID}, ${entitlementsPath}, and ${config.app} are dynamically derived from the environment or application config and passed directly to the shell command without proper escaping or argument separation. This exposes the system to command injection if any of the values contain malicious input. This vulnerability is fixed in 0.31.1. | 2025-07-10 | 7.8 | CVE-2025-53542 |
| clerk--javascript | Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0. | 2025-07-09 | 7.5 | CVE-2025-53548 |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.23.0, incoming requests using Transfer-Encoding: chunked in the header can allocate memory arbitrarily in the server, potentially leading to its exhaustion. This vulnerability is fixed in 0.23.0. NOTE: This vulnerability is related to CVE-2025-53628. | 2025-07-10 | 7.5 | CVE-2025-53629 |
| MongoDB Inc--MongoDB Server | An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. This may lead to access to data without further authorisation. This issue affects MongoDB Server MongoDB Server v8.0 versions prior to 8.0.7, MongoDB Server v7.0 versions prior to 7.0.20 and MongoDB Server v6.0 versions prior to 6.0.22 | 2025-07-07 | 7.7 | CVE-2025-6713 |
| MongoDB Inc--MongoDB Server | MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. This affects MongoDB when configured with load balancer support. This issue affects MongoDB Server v6.0 prior to 6.0.23, MongoDB Server v7.0 prior to 7.0.20 and MongoDB Server v8.0 prior to 8.0.9 Required Configuration: This affects MongoDB sharded clusters when configured with load balancer support for mongos using HAProxy on specified ports. | 2025-07-07 | 7.5 | CVE-2025-6714 |
| brainstormforce--SureForms Drag and Drop Form Builder for WordPress | The SureForms - Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restriction on the path provided. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | 2025-07-09 | 7.5 | CVE-2025-6742 |
| xTemos--Woodmart | The The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_get_products_shortcode() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2025-07-08 | 7.3 | CVE-2025-6744 |
| Ivanti--Endpoint Manager Mobile | OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution | 2025-07-08 | 7.2 | CVE-2025-6770 |
| Ivanti--Endpoint Manager Mobile | OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2,12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution | 2025-07-08 | 7.2 | CVE-2025-6771 |
| apos37--Broken Link Notifier | The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-07-11 | 7.2 | CVE-2025-6851 |
| netweblogic--Events Manager Calendar, Bookings, Tickets, and more! | The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 7.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-07-09 | 7.5 | CVE-2025-6970 |
| Ivanti--Endpoint Manager | SQL injection in Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a remote authenticated attacker with admin privileges to read arbitrary data from the database | 2025-07-08 | 7.2 | CVE-2025-7037 |
| SimStudioAI--sim | A vulnerability was found in SimStudioAI sim up to 37786d371e17d35e0764e1b5cd519d873d90d97b. It has been declared as critical. Affected by this vulnerability is the function POST of the file apps/sim/app/api/files/upload/route.ts of the component Session Handler. The manipulation of the argument Request leads to missing authentication. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-07 | 7.3 | CVE-2025-7114 |
| rowboatlabs--rowboat | A vulnerability was found in rowboatlabs rowboat up to 8096eaf63b5a0732edd8f812bee05b78e214ee97. It has been rated as critical. Affected by this issue is the function PUT of the file apps/rowboat/app/api/uploads/[fileId]/route.ts of the component Session Handler. The manipulation of the argument params leads to missing authentication. The attack may be launched remotely. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. It is expected that this issue will be fixed in the near future. | 2025-07-07 | 7.3 | CVE-2025-7115 |
| Campcodes--Complaint Management System | A vulnerability has been found in Campcodes Complaint Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /users/index.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 7.3 | CVE-2025-7119 |
| Campcodes--Complaint Management System | A vulnerability was found in Campcodes Complaint Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /users/check_availability.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 7.3 | CVE-2025-7120 |
| Campcodes--Complaint Management System | A vulnerability was found in Campcodes Complaint Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 7.3 | CVE-2025-7122 |
| Campcodes--Payroll Management System | A vulnerability has been found in Campcodes Payroll Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /ajax.php?action=calculate_payroll. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 7.3 | CVE-2025-7128 |
| Campcodes--Payroll Management System | A vulnerability was found in Campcodes Payroll Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /ajax.php?action=delete_employee_attendance_single. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 7.3 | CVE-2025-7129 |
| Campcodes--Payroll Management System | A vulnerability was found in Campcodes Payroll Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /ajax.php?action=delete_payroll. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 7.3 | CVE-2025-7130 |
| Campcodes--Payroll Management System | A vulnerability was found in Campcodes Payroll Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=save_employee_attendance. The manipulation of the argument employee_id leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 7.3 | CVE-2025-7131 |
| Campcodes--Payroll Management System | A vulnerability was found in Campcodes Payroll Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_payroll. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 7.3 | CVE-2025-7132 |
| Campcodes--Online Recruitment Management System | A vulnerability classified as critical was found in Campcodes Online Recruitment Management System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=delete_application. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 7.3 | CVE-2025-7134 |
| Campcodes--Online Recruitment Management System | A vulnerability, which was classified as critical, has been found in Campcodes Online Recruitment Management System 1.0. This issue affects some unknown processing of the file /admin/ajax.php?action=save_vacancy. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 7.3 | CVE-2025-7135 |
| Campcodes--Online Recruitment Management System | A vulnerability, which was classified as critical, was found in Campcodes Online Recruitment Management System 1.0. Affected is an unknown function of the file /admin/view_vacancy.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 7.3 | CVE-2025-7136 |
| TeamT5--ThreatSonar Anti-Ransomware | ThreatSonar Anti-Ransomware developed by TeamT5 has an OS Command Injection vulnerability, allowing remote attackers with product platform intermediate privileges to inject arbitrary OS commands and execute them on the server, thereby gaining administrative access to the remote host. | 2025-07-07 | 7.2 | CVE-2025-7145 |
| Jhenggao--iPublish System | The iPublish System developed by Jhenggao has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to read arbitrary system file. | 2025-07-08 | 7.5 | CVE-2025-7146 |
| CodeAstro--Patient Record Management System | A vulnerability has been found in CodeAstro Patient Record Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /login.php. The manipulation of the argument uname leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 7.3 | CVE-2025-7147 |
| PHPGurukul--Online Notes Sharing System | A vulnerability, which was classified as critical, was found in PHPGurukul Online Notes Sharing System 1.0. This affects an unknown part of the file /Dashboard of the component Cookie Handler. The manipulation of the argument sessionid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The original researcher disclosure suspects an XPath Injection vulnerability; however, the provided attack payload appears to be characteristic of an SQL Injection attack. | 2025-07-08 | 7.3 | CVE-2025-7155 |
| code-projects--Online Note Sharing | A vulnerability was found in code-projects Online Note Sharing 1.0. It has been classified as critical. Affected is an unknown function of the file /login.php. The manipulation of the argument username/password leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7157 |
| PHPGurukul--Zoo Management System | A vulnerability classified as critical has been found in PHPGurukul Zoo Management System 2.1. This affects an unknown part of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7160 |
| PHPGurukul--Cyber Cafe Management System | A vulnerability has been found in PHPGurukul/Campcodes Cyber Cafe Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument Username leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7164 |
| PHPGurukul--Cyber Cafe Management System | A vulnerability was found in PHPGurukul/Campcodes Cyber Cafe Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /forgot-password.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7165 |
| code-projects--Crime Reporting System | A vulnerability was found in code-projects Crime Reporting System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /userlogin.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7168 |
| code-projects--Crime Reporting System | A vulnerability classified as critical has been found in code-projects Crime Reporting System 1.0. Affected is an unknown function of the file /complainer_page.php. The manipulation of the argument location leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7169 |
| code-projects--Crime Reporting System | A vulnerability classified as critical was found in code-projects Crime Reporting System 1.0. Affected by this vulnerability is an unknown functionality of the file /registration.php. The manipulation of the argument Name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7170 |
| code-projects--Crime Reporting System | A vulnerability, which was classified as critical, has been found in code-projects Crime Reporting System 1.0. Affected by this issue is some unknown functionality of the file /policelogin.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7171 |
| code-projects--Crime Reporting System | A vulnerability, which was classified as critical, was found in code-projects Crime Reporting System 1.0. This affects an unknown part of the file /headlogin.php. The manipulation of the argument email leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7172 |
| code-projects--Library System | A vulnerability has been found in code-projects Library System 1.0 and classified as critical. This vulnerability affects unknown code of the file /add-student.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7173 |
| code-projects--Library System | A vulnerability was found in code-projects Library System 1.0 and classified as critical. This issue affects some unknown processing of the file /teacher-issue-book.php. The manipulation of the argument idn leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7174 |
| PHPGurukul--Hospital Management System | A vulnerability was found in PHPGurukul Hospital Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file view-medhistory.php. The manipulation of the argument viewid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7176 |
| code-projects--Food Distributor Site | A vulnerability classified as critical has been found in code-projects Food Distributor Site 1.0. This affects an unknown part of the file /admin/login.php. The manipulation of the argument Username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7178 |
| code-projects--Library System | A vulnerability classified as critical was found in code-projects Library System 1.0. This vulnerability affects unknown code of the file /add-teacher.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7179 |
| code-projects--Staff Audit System | A vulnerability, which was classified as critical, has been found in code-projects Staff Audit System 1.0. This issue affects some unknown processing of the file /login.php. The manipulation of the argument User leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7180 |
| Campcodes--Sales and Inventory System | A vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /pages/customer_account.php. The manipulation of the argument Customer leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7183 |
| code-projects--Library System | A vulnerability was found in code-projects Library System 1.0. It has been classified as critical. This affects an unknown part of the file /user/teacher/books.php. The manipulation of the argument Search leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7184 |
| code-projects--Library System | A vulnerability was found in code-projects Library System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /approve.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7185 |
| code-projects--Student Enrollment System | A vulnerability has been found in code-projects Student Enrollment System 1.0 and classified as critical. This vulnerability affects unknown code of the file /login.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7191 |
| itsourcecode--Agri-Trading Online Shopping System | A vulnerability was found in itsourcecode Agri-Trading Online Shopping System up to 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/suppliercontroller.php. The manipulation of the argument supplier leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7193 |
| code-projects--Jonnys Liquor | A vulnerability was found in code-projects Jonnys Liquor 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /browse.php. The manipulation of the argument Search leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7196 |
| code-projects--Jonnys Liquor | A vulnerability classified as critical has been found in code-projects Jonnys Liquor 1.0. This affects an unknown part of the file /admin/delete-row.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7197 |
| code-projects--Jonnys Liquor | A vulnerability classified as critical was found in code-projects Jonnys Liquor 1.0. This vulnerability affects unknown code of the file /admin/admin-area.php. The manipulation of the argument drink leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7198 |
| code-projects--Library System | A vulnerability, which was classified as critical, has been found in code-projects Library System 1.0. This issue affects some unknown processing of the file /notapprove.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 7.3 | CVE-2025-7199 |
| code-projects--LifeStyle Store | A vulnerability was found in code-projects LifeStyle Store 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /cart_add.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-09 | 7.3 | CVE-2025-7211 |
| lty628--Aidigu | A vulnerability, which was classified as critical, was found in lty628 Aidigu up to 1.8.2. This affects the function checkUserCookie of the file /application/common.php of the component PHP Object Handler. The manipulation of the argument rememberMe leads to deserialization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-09 | 7.3 | CVE-2025-7216 |
| Campcodes--Payroll Management System | A vulnerability has been found in Campcodes Payroll Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /ajax.php?action=save_position. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-09 | 7.3 | CVE-2025-7217 |
| Campcodes--Payroll Management System | A vulnerability was found in Campcodes Payroll Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /ajax.php?action=delete_position. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-09 | 7.3 | CVE-2025-7218 |
| Campcodes--Payroll Management System | A vulnerability was found in Campcodes Payroll Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /ajax.php?action=delete_allowances. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-09 | 7.3 | CVE-2025-7219 |
| Campcodes--Payroll Management System | A vulnerability was found in Campcodes Payroll Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=save_deductions. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-09 | 7.3 | CVE-2025-7220 |
| Microsoft--ASP.NET Core 6.0 | Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry. | 2025-07-08 | 7 | CVE-2025-7326 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw exists in gdk‑pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib's g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution. | 2025-07-08 | 7.5 | CVE-2025-7345 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libsoup. A NULL pointer dereference vulnerability occurs in libsoup's cookie parsing functionality. When processing a cookie without a domain parameter, the soup_cookie_jar_add_cookie() function will crash, resulting in a denial of service. | 2025-07-10 | 7.5 | CVE-2025-7370 |
| code-projects--Mobile Shop | A vulnerability was found in code-projects Mobile Shop 1.0 and classified as critical. This issue affects some unknown processing of the file /LoginAsAdmin.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-10 | 7.3 | CVE-2025-7409 |
| code-projects--LifeStyle Store | A vulnerability was found in code-projects LifeStyle Store 1.0. It has been classified as critical. Affected is an unknown function of the file /cart_remove.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-10 | 7.3 | CVE-2025-7410 |
| code-projects--LifeStyle Store | A vulnerability was found in code-projects LifeStyle Store 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /success.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-10 | 7.3 | CVE-2025-7411 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the libxslt library. The same memory field, psvi, is used for both stylesheet and input data, which can lead to type confusion during XML transformations. This vulnerability allows an attacker to crash the application or corrupt memory. In some cases, it may lead to denial of service or unexpected behavior. | 2025-07-10 | 7.8 | CVE-2025-7424 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption. | 2025-07-10 | 7.8 | CVE-2025-7425 |
| Campcodes--Online Recruitment Management System | A vulnerability was found in Campcodes Online Recruitment Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/ajax.php?action=delete_vacancy. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-11 | 7.3 | CVE-2025-7436 |
| dasinfomedia--WPGYM - Wordpress Gym Management System | The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to SQL Injection via several parameters in the MJ_gmgt_delete_class_limit_for_member, MJ_gmgt_get_yearly_income_expense, MJ_gmgt_get_monthly_income_expense, MJ_gmgt_add_class_limit, MJ_gmgt_view_meeting_detail, and MJ_gmgt_create_meeting functions in all versions up to 67.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-07-11 | 7.5 | CVE-2025-7442 |
| Campcodes--Online Movie Theater Seat Reservation System | A vulnerability classified as critical has been found in Campcodes Online Movie Theater Seat Reservation System 1.0. Affected is an unknown function of the file /admin/manage_theater.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-11 | 7.3 | CVE-2025-7454 |
| Campcodes--Online Movie Theater Seat Reservation System | A vulnerability classified as critical was found in Campcodes Online Movie Theater Seat Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file /manage_reserve.php. The manipulation of the argument mid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-11 | 7.3 | CVE-2025-7455 |
| Campcodes--Online Movie Theater Seat Reservation System | A vulnerability, which was classified as critical, has been found in Campcodes Online Movie Theater Seat Reservation System 1.0. Affected by this issue is some unknown functionality of the file /reserve.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-11 | 7.3 | CVE-2025-7456 |
| Campcodes--Online Movie Theater Seat Reservation System | A vulnerability, which was classified as critical, was found in Campcodes Online Movie Theater Seat Reservation System 1.0. This affects an unknown part of the file /admin/manage_movie.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-11 | 7.3 | CVE-2025-7457 |
| code-projects--Mobile Shop | A vulnerability classified as critical was found in code-projects Mobile Shop 1.0. This vulnerability affects unknown code of the file /EditMobile.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-11 | 7.3 | CVE-2025-7459 |
| code-projects--Modern Bag | A vulnerability was found in code-projects Modern Bag 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /action.php. The manipulation of the argument proId leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 7.3 | CVE-2025-7461 |
| 1000projects--ABC Courier Management | A vulnerability, which was classified as critical, has been found in 1000projects ABC Courier Management 1.0. Affected by this issue is some unknown functionality of the file /add_dealerrequest.php. The manipulation of the argument Name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 7.3 | CVE-2025-7466 |
| code-projects--Modern Bag | A vulnerability, which was classified as critical, was found in code-projects Modern Bag 1.0. This affects an unknown part of the file /product-detail.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 7.3 | CVE-2025-7467 |
| Campcodes--Sales and Inventory System | A vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical. This issue affects some unknown processing of the file /pages/product_add.php. The manipulation of the argument prod_name leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 7.3 | CVE-2025-7469 |
| Campcodes--Sales and Inventory System | A vulnerability was found in Campcodes Sales and Inventory System 1.0. It has been classified as critical. Affected is an unknown function of the file /pages/product_add.php. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 7.3 | CVE-2025-7470 |
| code-projects--Modern Bag | A vulnerability was found in code-projects Modern Bag 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/login-back.php. The manipulation of the argument user-name leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 7.3 | CVE-2025-7471 |
| code-projects--Job Diary | A vulnerability was found in code-projects Job Diary 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /search.php. The manipulation of the argument Search leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 7.3 | CVE-2025-7474 |
| code-projects--Simple Car Rental System | A vulnerability classified as critical has been found in code-projects Simple Car Rental System 1.0. This affects an unknown part of the file /pay.php. The manipulation of the argument mpesa leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 7.3 | CVE-2025-7475 |
| code-projects--Simple Car Rental System | A vulnerability classified as critical was found in code-projects Simple Car Rental System 1.0. This vulnerability affects unknown code of the file /admin/approve.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 7.3 | CVE-2025-7476 |
| code-projects--Modern Bag | A vulnerability, which was classified as critical, was found in code-projects Modern Bag 1.0. Affected is an unknown function of the file /admin/category-list.php. The manipulation of the argument idCate leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 7.3 | CVE-2025-7478 |
| PHPGurukul--Vehicle Parking Management System | A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13 and classified as critical. Affected by this issue is some unknown functionality of the file /users/signup.php. The manipulation of the argument email leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 7.3 | CVE-2025-7480 |
| PHPGurukul--Vehicle Parking Management System | A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13. It has been rated as critical. This issue affects some unknown processing of the file /users/forgot-password.php. The manipulation of the argument email leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 7.3 | CVE-2025-7483 |
| akirk--Friends | The Friends plugin for WordPress is vulnerable to PHP Object Injection in version 3.5.1 via deserialization of untrusted input of the query_vars parameter This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. This requires access to the sites SALT_NONCE and and SALT_KEY to exploit. | 2025-07-12 | 7.5 | CVE-2025-7504 |
| code-projects--Modern Bag | A vulnerability, which was classified as critical, has been found in code-projects Modern Bag 1.0. Affected by this issue is some unknown functionality of the file /admin/product-update.php. The manipulation of the argument idProduct leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 7.3 | CVE-2025-7508 |
| code-projects--Modern Bag | A vulnerability, which was classified as critical, was found in code-projects Modern Bag 1.0. This affects an unknown part of the file /admin/slide.php. The manipulation of the argument idSlide leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7509 |
| code-projects--Modern Bag | A vulnerability has been found in code-projects Modern Bag 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/productadd_back.php. The manipulation of the argument namepro leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7510 |
| code-projects--Modern Bag | A vulnerability was found in code-projects Modern Bag 1.0. It has been classified as critical. Affected is an unknown function of the file /contact-back.php. The manipulation of the argument contact-name leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7512 |
| code-projects--Modern Bag | A vulnerability was found in code-projects Modern Bag 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/slideupdate.php. The manipulation of the argument idSlide leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7513 |
| code-projects--Modern Bag | A vulnerability was found in code-projects Modern Bag 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/contact-list.php. The manipulation of the argument idStatus leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7514 |
| code-projects--Online Appointment Booking System | A vulnerability classified as critical has been found in code-projects Online Appointment Booking System 1.0. This affects an unknown part of the file /ulocateus.php. The manipulation of the argument doctorname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7515 |
| code-projects--Online Appointment Booking System | A vulnerability classified as critical was found in code-projects Online Appointment Booking System 1.0. This vulnerability affects unknown code of the file /cancelbookingpatient.php. The manipulation of the argument appointment leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7516 |
| code-projects--Online Appointment Booking System | A vulnerability, which was classified as critical, has been found in code-projects Online Appointment Booking System 1.0. This issue affects some unknown processing of the file /getDay.php. The manipulation of the argument cidval leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7517 |
| PHPGurukul--Vehicle Parking Management System | A vulnerability, which was classified as critical, was found in PHPGurukul Vehicle Parking Management System 1.13. Affected is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7521 |
| Jinher--OA | A vulnerability was found in Jinher OA 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /c6/Jhsoft.Web.message/ToolBar/DelTemp.aspx. The manipulation leads to xml external entity reference. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7523 |
| code-projects--Job Diary | A vulnerability was found in code-projects Job Diary 1.0 and classified as critical. This issue affects some unknown processing of the file /view-details.php. The manipulation of the argument job_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7533 |
| PHPGurukul--Student Result Management System | A vulnerability was found in PHPGurukul Student Result Management System 2.0. It has been classified as critical. Affected is an unknown function of the file /notice-details.php of the component GET Parameter Handler. The manipulation of the argument nid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7534 |
| Campcodes--Sales and Inventory System | A vulnerability was found in Campcodes Sales and Inventory System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /pages/reprint_cash.php. The manipulation of the argument sid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7535 |
| Campcodes--Sales and Inventory System | A vulnerability was found in Campcodes Sales and Inventory System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /pages/receipt_credit.php. The manipulation of the argument sid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7536 |
| Campcodes--Sales and Inventory System | A vulnerability classified as critical has been found in Campcodes Sales and Inventory System 1.0. This affects an unknown part of the file /pages/product_update.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7537 |
| Campcodes--Sales and Inventory System | A vulnerability classified as critical was found in Campcodes Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /pages/product_update.php. The manipulation of the argument image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7538 |
| code-projects--Online Appointment Booking System | A vulnerability, which was classified as critical, has been found in code-projects Online Appointment Booking System 1.0. This issue affects some unknown processing of the file /getdoctordaybooking.php. The manipulation of the argument cid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7539 |
| code-projects--Online Appointment Booking System | A vulnerability, which was classified as critical, was found in code-projects Online Appointment Booking System 1.0. Affected is an unknown function of the file /getclinic.php. The manipulation of the argument townid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-13 | 7.3 | CVE-2025-7540 |
| code-projects--Online Appointment Booking System | A vulnerability has been found in code-projects Online Appointment Booking System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /get_town.php. The manipulation of the argument countryid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-13 | 7.3 | CVE-2025-7541 |
| PHPGurukul--User Registration & Login and User Management System | A vulnerability was found in PHPGurukul User Registration & Login and User Management System 3.3 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/user-profile.php. The manipulation of the argument uid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7542 |
| Campcodes--Online Movie Theater Seat Reservation System | A vulnerability, which was classified as critical, was found in Campcodes Online Movie Theater Seat Reservation System 1.0. This affects the function save_movie of the file /admin/admin_class.php. The manipulation of the argument cover leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 7.3 | CVE-2025-7547 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| IBM--OpenPages with Watson | IBM OpenPages with Watson 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session | 2025-07-08 | 6.1 | CVE-2023-43039 |
| IBM--Analytics Content Hub | IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 is vulnerable to information exposure and further attacks due to an exposed JavaScript source map which could assist an attacker to read and debug JavaScript used in the application's API. | 2025-07-10 | 6.8 | CVE-2024-38327 |
| IBM--Analytics Content Hub | IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 could be vulnerable to malicious file upload by not validating the type of file uploaded to Explore Content. Attackers can make use of this weakness and upload malicious executable files into the system, and it can be sent to victim for performing further attacks. | 2025-07-10 | 6.8 | CVE-2024-39752 |
| Fortinet--FortiOS | A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13 and before 7.0.20 allows an API-user using api-key + PKI user certificate authentication to login even if the certificate is invalid. | 2025-07-08 | 6.8 | CVE-2024-52965 |
| Ivanti--Connect Secure | CLRF injection in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to write to a protected configuration file on disk. | 2025-07-08 | 6.6 | CVE-2025-0293 |
| IBM--Storage Virtualize | IBM Storage Virtualize 8.5, 8.6, and 8.7 products could allow a user to escalate their privileges to that of another user logging in at the same time due to a race condition in the login function. | 2025-07-07 | 6.7 | CVE-2025-1351 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability , could perform a remote command execution due to improper user input sanitization on the scripted input files.<br><br>See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Setting up a scripted input ](https://docs.splunk.com/Documentation/Splunk/9.4.2/AdvancedDev/ScriptSetup)for more information. | 2025-07-07 | 6.8 | CVE-2025-20319 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will. | 2025-07-07 | 6.3 | CVE-2025-20320 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will. | 2025-07-07 | 6.5 | CVE-2025-20321 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds write in setting auth secret in KnoxVault trustlet prior to SMR Jul-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. | 2025-07-08 | 6.4 | CVE-2025-20982 |
| Samsung Mobile--Samsung Mobile Devices | Out-of-bounds write in checking auth secret in KnoxVault trustlet prior to SMR Jul-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. | 2025-07-08 | 6.4 | CVE-2025-20983 |
| Samsung Mobile--Samsung Mobile Devices | Incorrect default permission in Framework for Galaxy Watch prior to SMR Jul-2025 Release 1 allows local attackers to reset some configuration of Galaxy Watch. | 2025-07-08 | 6.2 | CVE-2025-20997 |
| Samsung Mobile--Samsung Mobile Devices | Improper privilege management in Bluetooth prior to SMR Jul-2025 Release 1 allows local attackers to enable Bluetooth. | 2025-07-08 | 6.2 | CVE-2025-21000 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in LeAudioService prior to SMR Jul-2025 Release 1 allows local attackers to stop broadcasting Auracast. | 2025-07-08 | 6.2 | CVE-2025-21001 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in LeAudioService prior to SMR Jul-2025 Release 1 allows local attackers to manipulate broadcasting Auracast. | 2025-07-08 | 6.2 | CVE-2025-21002 |
| Samsung Mobile--Samsung Mobile Devices | Improper verification of intent by broadcast receiver in System UI for Galaxy Watch prior to SMR Jul-2025 Release 1 allows local attackers to power off the device. | 2025-07-08 | 6.2 | CVE-2025-21004 |
| Microsoft--Service Fabric | Improper link resolution before file access ('link following') in Service Fabric allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 6 | CVE-2025-21195 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while processing camera TPG write request. | 2025-07-08 | 6.6 | CVE-2025-21426 |
| Qualcomm, Inc.--Snapdragon | Transient DOS when importing a PKCS#8-encoded RSA private key with a zero-sized modulus. | 2025-07-08 | 6.2 | CVE-2025-21433 |
| Siemens--TIA Administrator | A vulnerability has been identified in TIA Administrator (All versions < V3.0.6). The affected application improperly validates code signing certificates. This could allow an attacker to bypass the check and exceute arbitrary code during installations. | 2025-07-08 | 6.2 | CVE-2025-23364 |
| Broadcom--Symantec IT Management Suite | Extraction of Account Connectivity Credentials (ACCs) from the IT Management Agent secure storage | 2025-07-07 | 6.4 | CVE-2025-24508 |
| Honeywell--C300 PCNT02 | The Honeywell Experion PKS and OneWireless WDM contains Sensitive Information in Resource vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to a Communication Channel Manipulation, which could result in buffer reuse which may cause incorrect system behavior. Honeywell also recommends updating to the most recent version of Honeywell Experion PKS:520.2 TCU9 HF1 and 530.1 TCU3 HF1 and OneWireless: 322.5 and 331.1. The affected Experion PKS products are C300, FIM4, FIM8, UOC, CN100, HCA, C300PM, and C200E. The Experion PKS versions affected are 520.1 before 520.2 TCU9 HF1 and 530 before 530 TCU3. The OneWireless WDM affected versions are 322.1 through 322.4 and 330.1 through 330.3. | 2025-07-10 | 6.5 | CVE-2025-2522 |
| Radiflow--iSAP Smart Collector | The Linux deprivileged user vpuser in Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) can read the entire file system content, including files belonging to other users and having restricted access (like, for example, the root password hash). | 2025-07-09 | 6.8 | CVE-2025-27028 |
| Axis Communications AB--AXIS Device Manager | The communication protocol used between client and server had a flaw that could be leveraged to execute a man in the middle attack. | 2025-07-11 | 6.8 | CVE-2025-30024 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in denial of service or memory corruption, depending on allocator behavior. | 2025-07-10 | 6.5 | CVE-2025-32988 |
| Red Hat--Red Hat Enterprise Linux 10 | A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. When it reads certain settings from a template file, it allows an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial-of-service (DoS) that could potentially crash the system. | 2025-07-10 | 6.5 | CVE-2025-32990 |
| Gallagher--Controller 7000 | Improper Certificate Validation (CWE-295) in the Controller 7000 OneLink implementation could allow an unprivileged attacker to perform a limited denial of service or perform privileged overrides during the initial configuration of the Controller, there is no risk for Controllers once they are connected. This issue affects Controller 7000: 9.30 prior to vCR9.30.250624a (distributed in 9.30.1871 (MR1)). | 2025-07-10 | 6.5 | CVE-2025-35983 |
| IBM--Storage Scale | IBM Storage Scale 5.2.3.0 and 5.2.3.1 could allow an authenticated user to obtain sensitive information from files due to the insecure permissions inherited through the SMB protocol. | 2025-07-12 | 6.5 | CVE-2025-36104 |
| IBM--Sterling B2B Integrator | IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4, IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-07-08 | 6.4 | CVE-2025-3630 |
| IBM--MQ | An IBM MQ 9.3 and 9.4 Client connecting to an MQ Queue Manager can cause a SIGSEGV in the AMQRMPPA channel process terminating it. | 2025-07-11 | 6.5 | CVE-2025-3631 |
| Frauscher--FDS102 | A physical attacker with no privileges can gain full control of the affected device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') when loading a config file from a USB drive. | 2025-07-07 | 6.8 | CVE-2025-3705 |
| wclovers--WCFM Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible | The WCFM - Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup function in all versions up to, and including, 6.7.16. This makes it possible for unauthenticated attackers to view and modify the plugin settings, including payment details and API keys | 2025-07-08 | 6.5 | CVE-2025-3780 |
| Siemens--SIMATIC CN 4100 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0). The affected application allows to control the device by storing arbitrary files in the SFTP folder of the device. This could allow an attacker to cause a denial of service condition. | 2025-07-08 | 6.5 | CVE-2025-40593 |
| PHOENIX CONTACT--AXC F 1152 | An low privileged remote attacker can enforce the watchdog of the affected devices to reboot the PLC due to incorrect default permissions of a config file. | 2025-07-08 | 6.5 | CVE-2025-41665 |
| SAP SE--SAP NetWeaver Application Server ABAP | SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. When an authenticated victim clicks on this malicious link, injected input data will be used by the web site page generation to create content which when executed in the victim's browser leading to low impact on Confidentiality and Integrity with no effect on Availability of the application. | 2025-07-08 | 6.1 | CVE-2025-42956 |
| SAP_SE--SAP Business Warehouse (Business Explorer Web 3.5 loading animation) | SAP Business Warehouse (Business Explorer Web) allows an attacker to create a malicious link. If an authenticated user clicks on this link, the injected script gets executed within the scope of victim�s browser. This potentially leads to an impact on confidentiality and integrity. Availability is not impacted. | 2025-07-08 | 6.1 | CVE-2025-42962 |
| SAP_SE--SAP NetWeaver Application Server ABAP and ABAP Platform | SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject a malicious script into a dynamically crafted URL. The victim, when tricked into clicking on this crafted URL unknowingly executes the malicious payload in their browser. On successful exploitation, the attacker can access or modify sensitive information within the scope of victim's web browser, with no impact on availability of the application. | 2025-07-08 | 6.1 | CVE-2025-42969 |
| SAP_SE--SAP NetWeaver Application Server ABAP | Due to an open redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a URL link embedding a malicious script at a location not properly sanitized. When a victim clicks on this link, the script executes within the victim's browser, redirecting them to a site controlled by the attacker. This allows the attacker to access and/or modify restricted information related to the web client. While the vulnerability poses no impact on data availability, it presents a considerable risk to confidentiality and integrity. | 2025-07-08 | 6.1 | CVE-2025-42981 |
| SAP_SE--SAP BusinessObjects Content Administrator workbench | Due to insufficient sanitization in the SAP BusinessObjects Content Administrator Workbench, attackers could craft malicious URLs and execute scripts in a victim�s browser. This could potentially lead to the exposure or modification of web client data, resulting in low impact on confidentiality and integrity, with no impact on application availability. | 2025-07-08 | 6.1 | CVE-2025-42985 |
| SAP_SE--SAPCAR | SAPCAR allows an attacker logged in with high privileges to create a malicious SAR archive in SAPCAR. This could enable the attacker to exploit critical files and directory permissions without breaking signature validation, resulting in potential privilege escalation. This has high impact on integrity, but low impact on confidentiality and availability of the system. | 2025-07-08 | 6.9 | CVE-2025-42992 |
| SAP_SE--SAPCAR | SAPCAR allows an attacker logged in with high privileges to override the permissions of the current and parent directories of the user or process extracting the archive, leading to privilege escalation. On successful exploitation, an attacker could modify the critical files by tampering with signed archives without breaking the signature, but it has a low impact on the confidentiality and availability of the system. | 2025-07-08 | 6.9 | CVE-2025-43001 |
| avimegladon--WP Register Profile With Shortcode | The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'rp_user_data' shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data from user meta like hashed passwords, usernames, and more. | 2025-07-11 | 6.5 | CVE-2025-4593 |
| Zoom Communications Inc.--Zoom Clients for Windows | Classic buffer overflow in certain Zoom Clients for Windows may allow an authorized user to conduct a denial of service via network access. | 2025-07-10 | 6.5 | CVE-2025-46789 |
| Microsoft--Microsoft Edge (Chromium-based) | No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. | 2025-07-11 | 6.3 | CVE-2025-47963 |
| Microsoft--Windows Server 2022 | Out-of-bounds read in Windows Kerberos allows an authorized attacker to deny service over a network. | 2025-07-08 | 6.5 | CVE-2025-47978 |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Imaging Component allows an unauthorized attacker to disclose information locally. | 2025-07-08 | 6.2 | CVE-2025-47980 |
| Microsoft--Windows 10 Version 1809 | Missing synchronization in Windows Hyper-V allows an authorized attacker to deny service over an adjacent network. | 2025-07-08 | 6.8 | CVE-2025-47999 |
| Microsoft--Windows 10 Version 1809 | Time-of-check time-of-use (toctou) race condition in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | 2025-07-08 | 6.8 | CVE-2025-48001 |
| Microsoft--Windows 10 Version 1809 | Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | 2025-07-08 | 6.8 | CVE-2025-48003 |
| git--git | Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential buffer overflows. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. | 2025-07-08 | 6.3 | CVE-2025-48386 |
| Microsoft--Windows 10 Version 1809 | Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | 2025-07-08 | 6.8 | CVE-2025-48800 |
| Microsoft--Windows Server 2022 | Improper certificate validation in Windows SMB allows an authorized attacker to perform spoofing over a network. | 2025-07-08 | 6.5 | CVE-2025-48802 |
| Microsoft--Windows 10 Version 1809 | Missing support for integrity check in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 6.7 | CVE-2025-48803 |
| Microsoft--Windows 10 Version 1809 | Acceptance of extraneous untrusted data with trusted data in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | 2025-07-08 | 6.8 | CVE-2025-48804 |
| Microsoft--Windows 10 Version 1809 | Missing support for integrity check in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. | 2025-07-08 | 6.7 | CVE-2025-48811 |
| Microsoft--Windows 10 Version 1809 | Time-of-check time-of-use (toctou) race condition in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | 2025-07-08 | 6.8 | CVE-2025-48818 |
| Zoom Communications Inc.--Zoom Clients for iOS | Insufficient control flow management in certain Zoom Clients for iOS before version 6.4.5 may allow an unauthenticated user to conduct a disclosure of information via network access. | 2025-07-10 | 6.5 | CVE-2025-49463 |
| Zoom Communications Inc.--Zoom Clients for Windows | Classic buffer overflow in certain Zoom Clients for Windows may allow an authorised user to conduct a denial of service via network access. | 2025-07-10 | 6.5 | CVE-2025-49464 |
| Adobe--ColdFusion | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information or bypass security measures. Exploitation of this issue does not require user interaction and scope is changed. | 2025-07-08 | 6.8 | CVE-2025-49544 |
| Adobe--ColdFusion | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. A high-privilege authenticated attacker can force the application to make arbitrary requests via injection of URLs. Exploitation of this issue does not require user interaction and scope is changed. The vulnerable component is restricted to internal IP addresses. | 2025-07-08 | 6.2 | CVE-2025-49545 |
| Microsoft--Windows Server 2019 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. | 2025-07-08 | 6.5 | CVE-2025-49670 |
| Microsoft--Windows Server 2019 | Exposure of sensitive information to an unauthorized actor in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | 2025-07-08 | 6.5 | CVE-2025-49671 |
| Microsoft--Windows Server 2019 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. | 2025-07-08 | 6.5 | CVE-2025-49681 |
| Microsoft--Microsoft SharePoint Enterprise Server 2016 | Improper authentication in Microsoft Office SharePoint allows an authorized attacker to perform spoofing over a network. | 2025-07-08 | 6.3 | CVE-2025-49706 |
| Mitsubishi Electric Corporation--PV-DR004J | Weak Password Requirements vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor "EcoGuideTAB" PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to derive the password from the SSID. However, the product is not affected by this vulnerability when it remains unused for a certain period of time (default: 5 minutes) and enters the power-saving mode with the display unit's LCD screen turned off. The affected products discontinued in 2015, support ended in 2020. | 2025-07-10 | 6.5 | CVE-2025-5022 |
| Advantech--iView | A vulnerability exists in Advantech iView that allows for argument injection in NetworkServlet.backupDatabase(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials. | 2025-07-10 | 6.5 | CVE-2025-52459 |
| Juniper Networks--Junos OS | An Improper Handling of Exceptional Conditions vulnerability in route processing of Juniper Networks Junos OS on specific end-of-life (EOL) ACX Series platforms allows an attacker to crash the Forwarding Engine Board (FEB) by flapping an interface, leading to a Denial of Service (DoS). On ACX1000, ACX1100, ACX2000, ACX2100, ACX2200, ACX4000, ACX5048, and ACX5096 devices, FEB0 will crash when the primary path port of the L2 circuit IGP (Interior Gateway Protocol) on the local device goes down. This issue is seen only when 'hot-standby' mode is configured for the L2 circuit. This issue affects Junos OS on ACX1000, ACX1100, ACX2000, ACX2100, ACX2200, ACX4000, ACX5048, and ACX5096: * all versions before 21.2R3-S9. | 2025-07-11 | 6.5 | CVE-2025-52947 |
| Juniper Networks--Junos OS | An Improper Handling of Length Parameter Inconsistency vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a logically adjacent BGP peer sending a specifically malformed BGP packet to cause rpd to crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. Only systems configured for Ethernet Virtual Private Networking (EVPN) signaling are vulnerable to this issue. This issue affects iBGP and eBGP, and both IPv4 and IPv6 are affected by this vulnerability.This issue affects: Junos OS: * all versions before 21.4R3-S11, * from 22.2 before 22.2R3-S7, * from 22.4 before 22.4R3-S7, * from 23.2 before 23.2R2-S4, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2-S1, * from 24.4 before 24.4R1-S3, 24.4R2; Junos OS Evolved: * all versions before 22.2R3-S7-EVO, * from 22.4-EVO before 22.4R3-S7-EVO, * from 23.2-EVO before 23.2R2-S4-EVO, * from 23.4-EVO before 23.4R2-S5-EVO, * from 24.2-EVO before 24.2R2-S1-EVO, * from 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO. | 2025-07-11 | 6.5 | CVE-2025-52949 |
| Juniper Networks--Junos OS | An Out-of-bounds Write vulnerability in the connectivity fault management (CFM) daemon of Juniper Networks Junos OS on MX Series with MPC-BUILTIN, MPC1 through MPC9 line cards allows an unauthenticated adjacent attacker to send a malformed packet to the device, leading to an FPC crash and restart, resulting in a Denial of Service (DoS). Continued receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue affects Juniper Networks: Junos OS: * All versions before 22.2R3-S1, * from 22.4 before 22.4R2. This feature is not enabled by default. | 2025-07-11 | 6.5 | CVE-2025-52952 |
| Juniper Networks--Junos OS | An Expected Behavior Violation vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a valid BGP UPDATE packet to cause a BGP session reset, resulting in a Denial of Service (DoS). Continuous receipt and processing of this packet will create a sustained Denial of Service (DoS) condition. This issue affects iBGP and eBGP and both IPv4 and IPv6 are affected by this vulnerability. This issue affects Junos OS: * All versions before 21.2R3-S9, * from 21.4 before 21.4R3-S11, * from 22.2 before 22.2R3-S7, * from 22.4 before 22.4R3-S7, * from 23.2 before 23.2R2-S4, * from 23.4 before 23.4R2-S4, * from 24.2 before 24.2R2, * from 24.4 before 24.4R1-S3, 24.4R2 Junos OS Evolved: * All versions before 22.2R3-S7-EVO, * from 22.4-EVO before 22.4R3-S7-EVO, * from 23.2-EVO before 23.2R2-S4-EVO, * from 23.4-EVO before 23.4R2-S4-EVO, * from 24.2-EVO before 24.2R2-EVO, * from 24.4-EVO before 24.4R1-S3-EVO, 24.4R2-EVO. | 2025-07-11 | 6.5 | CVE-2025-52953 |
| Juniper Networks--Junos OS | An Incorrect Calculation of Buffer Size vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS allows an adjacent unauthenticated attacker to cause a memory corruption that leads to a rpd crash. When the logical interface using a routing instance flaps continuously, specific updates are sent to the jflow/sflow modules. This results in memory corruption, leading to an rpd crash and restart. Continued receipt of these specific updates will cause a sustained Denial of Service condition. This issue affects Junos OS: * All versions before 21.2R3-S9, * All versions of 21.4, * All versions of 22.2, * from 22.4 before 22.4R3-S7, * from 23.2 before 23.2R2-S3, * from 23.4 before 23.4R2-S4, * from 24.2 before 24.2R2. | 2025-07-11 | 6.5 | CVE-2025-52955 |
| Juniper Networks--Junos OS | A Reachable Assertion vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). When the device receives a specific BGP UPDATE packet, the rpd crashes and restarts. Continuous receipt of this specific packet will cause a sustained DoS condition. For the issue to occur, BGP multipath with "pause-computation-during-churn" must be configured on the device, and the attacker must send the paths via a BGP UPDATE from a established BGP peer. This issue affects: Junos OS: * All versions before 21.4R3-S7, * from 22.3 before 22.3R3-S3, * from 22.4 before 22.4R3-S5, * from 23.2 before 23.2R2, * from 23.4 before 23.4R2. Junos OS Evolved: * All versions before 21.4R3-S7-EVO, * from 22.3 before 22.3R3-S3-EVO, * from 22.4 before 22.4R3-S5-EVO, * from 23.2 before 23.2R2-EVO, * from 23.4 before 23.4R2-EVO. | 2025-07-11 | 6.5 | CVE-2025-52964 |
| Juniper Networks--Junos OS | An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a high privileged, local attacker to escalated their privileges to root. When a user provides specifically crafted arguments to the 'request system logout' command, these will be executed as root on the shell, which can completely compromise the device. This issue affects: Junos OS: * all versions before 21.2R3-S9, * 21.4 versions before 21.4R3-S8, * 22.2 versions before 22.2R3-S6, * 22.3 versions before 22.3R3-S3, * 22.4 versions before 22.4R3-S6, * 23.2 versions before 23.2R2-S1, * 23.4 versions before 23.4R1-S2, 23.4R2; Junos OS Evolved: * all versions before 22.4R3-S6-EVO, * 23.2-EVO versions before 23.2R2-S1-EVO, * 23.4-EVO versions before 23.4R1-S2-EVO, 23.4R2-EVO. | 2025-07-11 | 6.7 | CVE-2025-52988 |
| Huawei--HarmonyOS | Authentication vulnerability in the distributed collaboration framework module Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2025-07-07 | 6.9 | CVE-2025-53167 |
| Huawei--HarmonyOS | Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability. | 2025-07-07 | 6.5 | CVE-2025-53179 |
| Huawei--HarmonyOS | Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability. | 2025-07-07 | 6.5 | CVE-2025-53180 |
| Huawei--HarmonyOS | Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability. | 2025-07-07 | 6.5 | CVE-2025-53181 |
| Huawei--HarmonyOS | Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability. | 2025-07-07 | 6.5 | CVE-2025-53182 |
| Huawei--HarmonyOS | Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability. | 2025-07-07 | 6.5 | CVE-2025-53183 |
| Huawei--HarmonyOS | Null pointer dereference vulnerability in the PDF preview module Impact: Successful exploitation of this vulnerability may affect function stability. | 2025-07-07 | 6.5 | CVE-2025-53184 |
| Huawei--HarmonyOS | Virtual address reuse issue in the memory management module, which can be exploited by non-privileged users to access released memory Impact: Successful exploitation of this vulnerability may affect service integrity. | 2025-07-07 | 6.6 | CVE-2025-53185 |
| Advantech--iView | A vulnerability exists in Advantech iView that allows for argument injection in the NetworkServlet.restoreDatabase(). This issue requires an authenticated attacker with at least user-level privileges. An input parameter can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials. | 2025-07-10 | 6.5 | CVE-2025-53509 |
| Canonical--Juju | The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information. | 2025-07-08 | 6.5 | CVE-2025-53512 |
| pdfme--pdfme | pdfme is a TypeScript-based PDF generator and React-based UI. The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. This vulnerability is fixed in 5.4.1. | 2025-07-10 | 6.1 | CVE-2025-53626 |
| roundup-tracker--Roundup | In Roundup before 2.5.0, XSS can occur via interaction between URLs and issue tracker templates (devel and responsive). | 2025-07-13 | 6.4 | CVE-2025-53865 |
| Ivanti--Connect Secure | Improper access control in the certificate management component of Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated admin with read-only rights to modify settings that should be restricted. | 2025-07-08 | 6.3 | CVE-2025-5450 |
| Ivanti--Connect Secure | Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 allows a local authenticated attacker to obtain that information. | 2025-07-08 | 6.5 | CVE-2025-5464 |
| wpclever--WPC Smart Compare for WooCommerce | The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shortcode_btn' shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-11 | 6.4 | CVE-2025-5530 |
| bradvin--Lightbox & Modal Popup WordPress Plugin FooBox | The Lightbox & Modal Popup WordPress Plugin - FooBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alternative texts in all versions up to, and including, 2.7.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-08 | 6.4 | CVE-2025-5537 |
| britner--Gutenberg Blocks with AI by Kadence WP Page Builder Features | The Gutenberg Blocks with AI by Kadence WP - Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'redirectURL' parameter in all versions up to, and including, 3.5.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-09 | 6.4 | CVE-2025-5678 |
| mpol--Gwolle Guestbook | The Gwolle Guestbook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'gwolle_gb_content' parameter in all versions up to, and including, 4.9.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-10 | 6.1 | CVE-2025-5807 |
| bradvin--FooGallery Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel | The FooGallery - Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versions up to, and including, 2.4.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-11 | 6.4 | CVE-2025-6068 |
| wpdevteam--Essential Addons for Elementor Popular Elementor Templates & Widgets | The Essential Addons for Elementor - Popular Elementor Templates and Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the via `Calendar` And `Business Reviews` Widgets attributes in all versions up to, and including, 6.1.19 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-08 | 6.4 | CVE-2025-6244 |
| Red Hat--Red Hat Enterprise Linux 10 | A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite(). When it reads certain settings from a template file, it can allow an attacker to cause an out-of-bounds (OOB) NULL pointer write, resulting in memory corruption and a denial of service (DoS) that could crash the system. | 2025-07-10 | 6.5 | CVE-2025-6395 |
| Juniper Networks--Junos OS | An Incorrect Authorization vulnerability in the web server of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to reach the Juniper Web Device Manager (J-Web). When Juniper Secure connect (JSC) is enabled on specific interfaces, or multiple interfaces are configured for J-Web, the J-Web UI is reachable over more than the intended interfaces. This issue affects Junos OS: * all versions before 21.4R3-S9, * 22.2 versions before 22.2R3-S5, * 22.4 versions before 22.4R3-S5, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S5, * 24.2 versions before 24.2R2. | 2025-07-11 | 6.5 | CVE-2025-6549 |
| MongoDB Inc--MongoDB Server | MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. This condition is linked to inefficiencies in memory management related to internal operations. In scenarios where certain internal processes persist longer than anticipated, memory consumption can increase, potentially impacting server stability and availability. This issue affects MongoDB Server v8.0 versions prior to 8.0.10 | 2025-07-07 | 6.5 | CVE-2025-6712 |
| contest-gallery--Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI | The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery - Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'upload[1][title]' parameter in all versions up to, and including, 26.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-11 | 6.4 | CVE-2025-6716 |
| xTemos--Woodmart | The Woodmart theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'multiple_markers' attribute in all versions up to, and including, 8.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-08 | 6.4 | CVE-2025-6743 |
| netweblogic--Events Manager Calendar, Bookings, Tickets, and more! | The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'calendar_header' parameter in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-07-09 | 6.1 | CVE-2025-6975 |
| netweblogic--Events Manager Calendar, Bookings, Tickets, and more! | The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcodes in all versions up to, and including, 7.0.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-09 | 6.4 | CVE-2025-6976 |
| jdegayojr--Simple Featured Image | The Simple Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slideshow' parameter in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-09 | 6.4 | CVE-2025-7059 |
| n/a--BoyunCMS | A vulnerability was found in BoyunCMS up to 1.4.20 and classified as critical. Affected by this issue is some unknown functionality of the file /application/user/controller/Index.php. The manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7100 |
| n/a--BoyunCMS | A vulnerability was found in BoyunCMS up to 1.4.20. It has been classified as critical. This affects an unknown part of the file /install/install_ok.php of the component Configuration File Handler. The manipulation of the argument db_pass leads to code injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7101 |
| n/a--BoyunCMS | A vulnerability was found in BoyunCMS up to 1.4.20. It has been declared as critical. This vulnerability affects unknown code of the file application/update/controller/Server.php. The manipulation of the argument phone leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7102 |
| n/a--BoyunCMS | A vulnerability was found in BoyunCMS up to 1.4.20. It has been rated as critical. This issue affects some unknown processing of the file /application/pay/controller/Index.php of the component curl. The manipulation leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7103 |
| Campcodes--Complaint Management System | A vulnerability was found in Campcodes Complaint Management System 1.0. It has been classified as critical. This affects an unknown part of the file /users/complaint-details.php. The manipulation of the argument cid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7121 |
| code-projects--Online Note Sharing | A vulnerability classified as critical has been found in code-projects Online Note Sharing 1.0. Affected is an unknown function of the file /dashboard/userprofile.php of the component Profile Image Handler. The manipulation of the argument image leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7124 |
| itsourcecode--Employee Management System | A vulnerability classified as critical was found in itsourcecode Employee Management System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/editempeducation.php. The manipulation of the argument coursepg leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7125 |
| itsourcecode--Employee Management System | A vulnerability, which was classified as critical, has been found in itsourcecode Employee Management System up to 1.0. Affected by this issue is some unknown functionality of the file /admin/adminprofile.php. The manipulation of the argument AdminName leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7126 |
| SourceCodester--Best Salon Management System | A vulnerability was found in SourceCodester Best Salon Management System 1.0. It has been classified as critical. This affects an unknown part of the file /panel/schedule-staff.php. The manipulation of the argument staff_id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7137 |
| SourceCodester--Best Salon Management System | A vulnerability was found in SourceCodester Best Salon Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /panel/admin-profile.php. The manipulation of the argument adminname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7138 |
| Campcodes--Advanced Online Voting System | A vulnerability was found in Campcodes Advanced Online Voting System 1.0. It has been classified as critical. This affects an unknown part of the file /admin/candidates_delete.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7149 |
| Campcodes--Advanced Online Voting System | A vulnerability was found in Campcodes Advanced Online Voting System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/voters_delete.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7150 |
| Campcodes--Advanced Online Voting System | A vulnerability was found in Campcodes Advanced Online Voting System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/voters_add.php. The manipulation of the argument photo leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7151 |
| Campcodes--Advanced Online Voting System | A vulnerability classified as critical has been found in Campcodes Advanced Online Voting System 1.0. Affected is an unknown function of the file /admin/candidates_add.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 6.3 | CVE-2025-7152 |
| TOTOLINK--N200RE | A vulnerability, which was classified as critical, has been found in TOTOLINK N200RE 9.3.5u.6095_B20200916/9.3.5u.6139_B20201216. Affected by this issue is the function sub_41A0F8 of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument Hostname leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7154 |
| hitsz-ids--airda | A vulnerability has been found in hitsz-ids airda 0.0.3 and classified as critical. This vulnerability affects the function execute of the file /v1/chat/completions. The manipulation of the argument question leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7156 |
| PHPGurukul--Zoo Management System | A vulnerability was found in PHPGurukul Zoo Management System 2.1. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/manage-normal-ticket.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7158 |
| PHPGurukul--Zoo Management System | A vulnerability was found in PHPGurukul Zoo Management System 2.1. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/manage-animals.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7159 |
| PHPGurukul--Zoo Management System | A vulnerability classified as critical was found in PHPGurukul Zoo Management System 2.1. This vulnerability affects unknown code of the file /admin/add-normal-ticket.php. The manipulation of the argument cprice leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7161 |
| PHPGurukul--Zoo Management System | A vulnerability, which was classified as critical, has been found in PHPGurukul Zoo Management System 2.1. This issue affects some unknown processing of the file /admin/add-foreigners-ticket.php. The manipulation of the argument cprice leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7162 |
| PHPGurukul--Zoo Management System | A vulnerability, which was classified as critical, was found in PHPGurukul Zoo Management System 2.1. Affected is an unknown function of the file /admin/add-animals.php. The manipulation of the argument cnum leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7163 |
| code-projects--Responsive Blog Site | A vulnerability was found in code-projects Responsive Blog Site 1.0. It has been classified as critical. This affects an unknown part of the file /single.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7166 |
| code-projects--Responsive Blog Site | A vulnerability was found in code-projects Responsive Blog Site 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /category.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7167 |
| code-projects--E-Commerce Site | A vulnerability was found in code-projects E-Commerce Site 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/users_photo.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7175 |
| code-projects--Staff Audit System | A vulnerability, which was classified as critical, was found in code-projects Staff Audit System 1.0. Affected is an unknown function of the file /test.php. The manipulation of the argument uploadedfile leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7181 |
| code-projects--Chat System | A vulnerability was found in code-projects Chat System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /user/fetch_chat.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7186 |
| code-projects--Chat System | A vulnerability classified as critical has been found in code-projects Chat System 1.0. Affected is an unknown function of the file /user/fetch_member.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7187 |
| code-projects--Chat System | A vulnerability classified as critical was found in code-projects Chat System 1.0. Affected by this vulnerability is an unknown functionality of the file /user/addmember.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7188 |
| code-projects--Chat System | A vulnerability, which was classified as critical, has been found in code-projects Chat System 1.0. Affected by this issue is some unknown functionality of the file /user/send_message.php. The manipulation of the argument msg leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7189 |
| code-projects--Library Management System | A vulnerability, which was classified as critical, was found in code-projects Library Management System 2.0. This affects an unknown part of the file /admin/student_edit_photo.php. The manipulation of the argument photo leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 6.3 | CVE-2025-7190 |
| D-Link--DIR-645 | A vulnerability was found in D-Link DIR-645 up to 1.05B01 and classified as critical. This issue affects the function ssdpcgi_main of the file /htdocs/cgibin of the component ssdpcgi. The manipulation leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-08 | 6.3 | CVE-2025-7192 |
| krishna9772--Pharmacy Management System | A vulnerability, which was classified as critical, was found in krishna9772 Pharmacy Management System up to a2efc8442931ec9308f3b4cf4778e5701153f4e5. Affected is an unknown function of the file quantity_upd.php. The manipulation of the argument med_name/med_cat/ex_date leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | 2025-07-08 | 6.3 | CVE-2025-7200 |
| ConnectWise--PSA | In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sensitive user information. Specific API requests were found to return an overly verbose user object, which included encrypted password hashes for other users. Authenticated users could then retrieve these hashes. An attacker or privileged user could then use these exposed hashes to conduct offline brute-force or dictionary attacks. Such attacks could lead to credential compromise, allowing unauthorized access to accounts, and potentially privilege escalation within the system. | 2025-07-09 | 6.5 | CVE-2025-7204 |
| code-projects--Library Management System | A vulnerability was found in code-projects/Fabian Ros Library Management System 2.0 and classified as critical. Affected by this issue is some unknown functionality of the file admin/profile_update.php. The manipulation of the argument photo leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-09 | 6.3 | CVE-2025-7210 |
| itsourcecode--Insurance Management System | A vulnerability was found in itsourcecode Insurance Management System up to 1.0. It has been rated as critical. This issue affects some unknown processing of the file /insertAgent.php. The manipulation of the argument agent_id leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-09 | 6.3 | CVE-2025-7212 |
| FNKvision--FNK-GU2 | A vulnerability classified as critical has been found in FNKvision FNK-GU2 up to 40.1.7. Affected is an unknown function of the component UART Interface. The manipulation leads to on-chip debug and test interface with improper access control. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. | 2025-07-09 | 6.4 | CVE-2025-7213 |
| MongoDB Inc--MongoDB Server | An authorized user can issue queries with duplicate _id fields, that leads to unexpected behavior in MongoDB Server, which may result to crash. This issue can only be triggered by authorized users and cause Denial of Service. This issue affects MongoDB Server v8.1 version 8.1.0. | 2025-07-07 | 6.5 | CVE-2025-7259 |
| Netgear--D6400 | A vulnerability, which was classified as critical, was found in Netgear D6400 1.0.0.114. This affects an unknown part of the file diag.cgi. The manipulation of the argument host_name leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early and confirmed the existence of the vulnerability. They reacted very quickly, professional and kind. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-10 | 6.3 | CVE-2025-7407 |
| code-projects--Library System | A vulnerability was found in code-projects Library System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /user/student/profile.php. The manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-10 | 6.3 | CVE-2025-7412 |
| code-projects--Library System | A vulnerability classified as critical has been found in code-projects Library System 1.0. This affects an unknown part of the file /user/teacher/profile.php. The manipulation of the argument image leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-10 | 6.3 | CVE-2025-7413 |
| Tenda--O3V2 | A vulnerability classified as critical was found in Tenda O3V2 1.0.0.12(3880). This vulnerability affects the function fromNetToolGet of the file /goform/setPingInfo of the component httpd. The manipulation of the argument domain leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-10 | 6.3 | CVE-2025-7414 |
| Tenda--O3V2 | A vulnerability, which was classified as critical, has been found in Tenda O3V2 1.0.0.12(3880). This issue affects the function fromTraceroutGet of the file /goform/getTraceroute of the component httpd. The manipulation of the argument dest leads to command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-10 | 6.3 | CVE-2025-7415 |
| kone-net--go-chat | A vulnerability was found in kone-net go-chat up to f9e58d0afa9bbdb31faf25e7739da330692c4c63. It has been declared as critical. This vulnerability affects the function GetFile of the file go-chat/api/v1/file_controller.go of the component Endpoint. The manipulation of the argument fileName leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | 2025-07-11 | 6.3 | CVE-2025-7452 |
| PHPGurukul--Vehicle Parking Management System | A vulnerability has been found in PHPGurukul Vehicle Parking Management System 1.13 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /users/view--detail.php. The manipulation of the argument viewid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 6.3 | CVE-2025-7479 |
| PHPGurukul--Vehicle Parking Management System | A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13. It has been classified as critical. This affects an unknown part of the file /users/profile.php. The manipulation of the argument firstname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-07-12 | 6.3 | CVE-2025-7481 |
| PHPGurukul--Vehicle Parking Management System | A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13. It has been declared as critical. This vulnerability affects unknown code of the file /users/print.php. The manipulation of the argument vid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 6.3 | CVE-2025-7482 |
| PHPGurukul--Vehicle Parking Management System | A vulnerability classified as critical has been found in PHPGurukul Vehicle Parking Management System 1.13. Affected is an unknown function of the file /admin/view-outgoingvehicle-detail.php. The manipulation of the argument viewid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 6.3 | CVE-2025-7484 |
| JoeyBling--SpringBoot_MyBatisPlus | A vulnerability, which was classified as critical, was found in JoeyBling SpringBoot_MyBatisPlus up to a6a825513bd688f717dbae3a196bc9c9622fea26. This affects the function SysFileController of the file /file/upload. The manipulation of the argument portraitFile leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | 2025-07-12 | 6.3 | CVE-2025-7487 |
| PHPGurukul--Vehicle Parking Management System | A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13 and classified as critical. This issue affects some unknown processing of the file /admin/search-vehicle.php. The manipulation of the argument searchdata leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 6.3 | CVE-2025-7489 |
| PHPGurukul--Vehicle Parking Management System | A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13. It has been classified as critical. Affected is an unknown function of the file /admin/reg-users.php. The manipulation of the argument del leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 6.3 | CVE-2025-7490 |
| PHPGurukul--Vehicle Parking Management System | A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/manage-outgoingvehicle.php. The manipulation of the argument del leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 6.3 | CVE-2025-7491 |
| PHPGurukul--Vehicle Parking Management System | A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/manage-incomingvehicle.php. The manipulation of the argument del leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 6.3 | CVE-2025-7492 |
| code-projects--Chat System | A vulnerability was found in code-projects Chat System 1.0 and classified as critical. This issue affects some unknown processing of the file /user/update_account.php. The manipulation of the argument musername leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 6.3 | CVE-2025-7511 |
| PHPGurukul--Vehicle Parking Management System | A vulnerability, which was classified as critical, has been found in PHPGurukul Vehicle Parking Management System 1.13. This issue affects some unknown processing of the file /admin/manage-category.php. The manipulation of the argument del leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 6.3 | CVE-2025-7520 |
| PHPGurukul--Vehicle Parking Management System | A vulnerability has been found in PHPGurukul Vehicle Parking Management System 1.13 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 6.3 | CVE-2025-7522 |
| TOTOLINK--T6 | A vulnerability was found in TOTOLINK T6 4.1.5cu.748_B20211015. It has been classified as critical. This affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument ip leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 6.3 | CVE-2025-7524 |
| TOTOLINK--T6 | A vulnerability was found in TOTOLINK T6 4.1.5cu.748_B20211015. It has been declared as critical. This vulnerability affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component HTTP POST Request Handler. The manipulation of the argument command leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 6.3 | CVE-2025-7525 |
| PHPGurukul--User Registration & Login and User Management System | A vulnerability was found in PHPGurukul User Registration & Login and User Management System 3.3. It has been classified as critical. This affects an unknown part of the file /admin/manage-users.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-13 | 6.3 | CVE-2025-7543 |
| Dromara--Northstar | A vulnerability was found in Dromara Northstar up to 7.3.5. It has been rated as critical. Affected by this issue is the function preHandle of the file northstar-main/src/main/java/org/dromara/northstar/web/interceptor/AuthorizationInterceptor.java of the component Path Handler. The manipulation of the argument Request leads to improper access controls. The attack may be launched remotely. Upgrading to version 7.3.6 is able to address this issue. The patch is identified as 8d521bbf531de59b09b8629a9cbf667870ad2541. It is recommended to upgrade the affected component. | 2025-07-13 | 6.3 | CVE-2025-7552 |
| webnus/--Modern Events Calendar Lite | The Modern Events Calendar Lite plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter of the 'wp_ajax_mec_load_single_page' AJAX action in all versions up to, and including, 6.3.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable on sites with addslashes disabled. | 2025-07-12 | 5.9 | CVE-2021-4458 |
| AMD--AMD EPYC 7003 Series Processors | A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information. | 2025-07-08 | 5.6 | CVE-2024-36350 |
| AMD--AMD EPYC 7003 Series Processors | A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries. | 2025-07-08 | 5.6 | CVE-2024-36357 |
| IBM--Analytics Content Hub | IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. | 2025-07-10 | 5.3 | CVE-2024-37524 |
| IBM--Engineering Requirements Management DOORS | IBM Engineering Requirements Management DOORS 9.7.2.9, under certain configurations, could allow a remote attacker to obtain password reset instructions of a legitimate user using man in the middle techniques. | 2025-07-07 | 5.9 | CVE-2024-43190 |
| IBM--OpenPages with Watson | IBM OpenPages with Watson 8.3 and 9.0 could provide weaker than expected security in storage of encrypted data. If an authenticated remote attacker with access to the database or a local attacker with access to server files could extract the encrypted data, they could exploit this vulnerability to use additional cryptographic methods to possibly extract the encrypted data. | 2025-07-08 | 5.3 | CVE-2024-49783 |
| IBM--OpenPages with Watson | IBM OpenPages with Watson 8.3 and 9.0 could provide weaker than expected security in storage of encrypted data with AES encryption and CBC mode. If an authenticated remote attacker with access to the database or a local attacker with access to server files could extract the encrypted data values they could exploit this weaker algorithm to use additional cryptographic methods to possibly extract the encrypted data. | 2025-07-08 | 5.3 | CVE-2024-49784 |
| Qualcomm, Inc.--Snapdragon | Memory corruption while operating the mailbox in Automotive. | 2025-07-08 | 5.3 | CVE-2024-53009 |
| Ivanti--Connect Secure | SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to access internal network services. | 2025-07-08 | 5.5 | CVE-2025-0292 |
| PHP Group--PHP | In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* pgsql and pdo_pgsql escaping functions do not check if the underlying quoting functions returned errors. This could cause crashes if Postgres server rejects the string as invalid. | 2025-07-13 | 5.9 | CVE-2025-1735 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port. | 2025-07-07 | 5.4 | CVE-2025-20324 |
| Samsung Mobile--Samsung Mobile Devices | Improper access control in SamsungAccount for Galaxy Watch prior to SMR Jul-2025 Release 1 allows local attackers to access phone number. | 2025-07-08 | 5.5 | CVE-2025-20998 |
| Samsung Mobile--isemtelephony | Improper access control in isemtelephony prior to Android 15 allows local attackers to access sensitive information. | 2025-07-08 | 5.5 | CVE-2025-21005 |
| Samsung Mobile--libsavsvc.so | Out-of-bounds write in accessing uninitialized memory in libsavsvc.so prior to Android 15 allows local attackers to cause memory corruption. | 2025-07-08 | 5.5 | CVE-2025-21007 |
| Samsung Mobile--libsavsvc.so | Out-of-bounds read in decoding frame header in libsavsvc.so prior to Android 15 allows local attackers to cause memory corruption. | 2025-07-08 | 5.5 | CVE-2025-21008 |
| Samsung Mobile--libsavsvc.so | Out-of-bounds read in decoding malformed frame header in libsavsvc.so prior to Android 15 allows local attackers to cause memory corruption. | 2025-07-08 | 5.5 | CVE-2025-21009 |
| Adobe--Substance3D - Designer | Substance3D - Designer versions 14.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-21167 |
| Adobe--Substance3D - Designer | Substance3D - Designer versions 14.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-21168 |
| Phoenix Contact--CHARX SEC-3150 | An unauthenticated remote attacker can use MQTT messages to crash a service on charging stations complying with German Calibration Law, resulting in a temporary denial-of-service for these stations until they got restarted by the watchdog. | 2025-07-08 | 5.3 | CVE-2025-24002 |
| Phoenix Contact--CHARX SEC-3150 | A physical attacker with access to the device display via USB-C can send a message to the device which triggers an unsecure copy to a buffer resulting in loss of integrity and a temporary denial-of-service for the stations until they got restarted by the watchdog. | 2025-07-08 | 5.2 | CVE-2025-24004 |
| Microsoft--Windows Server 2025 (Server Core installation) | Processor optimization removal or modification of security-critical code in Windows Kernel allows an authorized attacker to disclose information locally. | 2025-07-08 | 5.5 | CVE-2025-26636 |
| Adobe--Substance3D - Stager | Substance3D - Stager versions 3.1.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-27165 |
| IBM--OpenPages with Watson | IBM OpenPages with Watson 8.3 and 9.0 is vulnerable to improper input validation due to bypassing of client-side validation for the data types and requiredness of fields for GRC Objects when an authenticated user sends a specially crafted payload to the server allowing for data to be saved without storing the required fields. | 2025-07-08 | 5.3 | CVE-2025-27367 |
| IBM--Sterling B2B Integrator | IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4, IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-07-08 | 5.4 | CVE-2025-2793 |
| Adobe--Illustrator | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-30313 |
| Red Hat--Red Hat Enterprise Linux 10 | A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. This flaw allows a malicious user to create a certificate containing a malformed SCT extension (OID 1.3.6.1.4.1.11129.2.4.2) that contains sensitive data. This issue leads to the exposure of confidential information when GnuTLS verifies certificates from certain websites when the certificate (SCT) is not checked correctly. | 2025-07-10 | 5.3 | CVE-2025-32989 |
| Siemens--SIPROTEC 5 6MD84 (CP300) | A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions), SIPROTEC 5 6MD86 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) (All versions), SIPROTEC 5 6MD89 (CP300) V9.6 (All versions), SIPROTEC 5 6MU85 (CP300) (All versions), SIPROTEC 5 7KE85 (CP300) (All versions), SIPROTEC 5 7SA82 (CP100) (All versions), SIPROTEC 5 7SA82 (CP150) (All versions), SIPROTEC 5 7SA86 (CP300) (All versions), SIPROTEC 5 7SA87 (CP300) (All versions), SIPROTEC 5 7SD82 (CP100) (All versions), SIPROTEC 5 7SD82 (CP150) (All versions), SIPROTEC 5 7SD86 (CP300) (All versions), SIPROTEC 5 7SD87 (CP300) (All versions), SIPROTEC 5 7SJ81 (CP100) (All versions), SIPROTEC 5 7SJ81 (CP150) (All versions), SIPROTEC 5 7SJ82 (CP100) (All versions), SIPROTEC 5 7SJ82 (CP150) (All versions), SIPROTEC 5 7SJ85 (CP300) (All versions), SIPROTEC 5 7SJ86 (CP300) (All versions), SIPROTEC 5 7SK82 (CP100) (All versions), SIPROTEC 5 7SK82 (CP150) (All versions), SIPROTEC 5 7SK85 (CP300) (All versions), SIPROTEC 5 7SL82 (CP100) (All versions), SIPROTEC 5 7SL82 (CP150) (All versions), SIPROTEC 5 7SL86 (CP300) (All versions), SIPROTEC 5 7SL87 (CP300) (All versions), SIPROTEC 5 7SS85 (CP300) (All versions), SIPROTEC 5 7ST85 (CP300) (All versions), SIPROTEC 5 7ST86 (CP300) (All versions), SIPROTEC 5 7SX82 (CP150) (All versions), SIPROTEC 5 7SX85 (CP300) (All versions), SIPROTEC 5 7SY82 (CP150) (All versions), SIPROTEC 5 7UM85 (CP300) (All versions), SIPROTEC 5 7UT82 (CP100) (All versions), SIPROTEC 5 7UT82 (CP150) (All versions), SIPROTEC 5 7UT85 (CP300) (All versions), SIPROTEC 5 7UT86 (CP300) (All versions), SIPROTEC 5 7UT87 (CP300) (All versions), SIPROTEC 5 7VE85 (CP300) (All versions), SIPROTEC 5 7VK87 (CP300) (All versions), SIPROTEC 5 7VU85 (CP300) (All versions), SIPROTEC 5 Compact 7SX800 (CP050) (All versions). The affected devices include session identifiers in URL requests for certain functionalities. This could allow an attacker to retrieve sensitive session data from browser history, logs, or other storage mechanisms, potentially leading to unauthorized access. | 2025-07-08 | 5.3 | CVE-2025-40742 |
| Siemens--RUGGEDCOM i800 | A vulnerability has been identified in RUGGEDCOM i800 (All versions), RUGGEDCOM i801 (All versions), RUGGEDCOM i802 (All versions), RUGGEDCOM i803 (All versions), RUGGEDCOM M2100 (All versions), RUGGEDCOM M2200 (All versions), RUGGEDCOM M969 (All versions), RUGGEDCOM RMC30 (All versions), RUGGEDCOM RMC8388 V4.X (All versions), RUGGEDCOM RMC8388 V5.X (All versions < V5.10.0), RUGGEDCOM RP110 (All versions), RUGGEDCOM RS1600 (All versions), RUGGEDCOM RS1600F (All versions), RUGGEDCOM RS1600T (All versions), RUGGEDCOM RS400 (All versions), RUGGEDCOM RS401 (All versions), RUGGEDCOM RS416 (All versions), RUGGEDCOM RS416P (All versions), RUGGEDCOM RS416Pv2 V4.X (All versions), RUGGEDCOM RS416Pv2 V5.X (All versions < V5.10.0), RUGGEDCOM RS416v2 V4.X (All versions), RUGGEDCOM RS416v2 V5.X (All versions < V5.10.0), RUGGEDCOM RS8000 (All versions), RUGGEDCOM RS8000A (All versions), RUGGEDCOM RS8000H (All versions), RUGGEDCOM RS8000T (All versions), RUGGEDCOM RS900 (All versions), RUGGEDCOM RS900 (32M) V4.X (All versions), RUGGEDCOM RS900 (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900G (All versions), RUGGEDCOM RS900G (32M) V4.X (All versions), RUGGEDCOM RS900G (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900GP (All versions), RUGGEDCOM RS900L (All versions), RUGGEDCOM RS900M-GETS-C01 (All versions), RUGGEDCOM RS900M-GETS-XX (All versions), RUGGEDCOM RS900M-STND-C01 (All versions), RUGGEDCOM RS900M-STND-XX (All versions), RUGGEDCOM RS900W (All versions), RUGGEDCOM RS910 (All versions), RUGGEDCOM RS910L (All versions), RUGGEDCOM RS910W (All versions), RUGGEDCOM RS920L (All versions), RUGGEDCOM RS920W (All versions), RUGGEDCOM RS930L (All versions), RUGGEDCOM RS930W (All versions), RUGGEDCOM RS940G (All versions), RUGGEDCOM RS969 (All versions), RUGGEDCOM RSG2100 (All versions), RUGGEDCOM RSG2100 (32M) V4.X (All versions), RUGGEDCOM RSG2100 (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100P (All versions), RUGGEDCOM RSG2100P (32M) V4.X (All versions), RUGGEDCOM RSG2100P (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2200 (All versions), RUGGEDCOM RSG2288 V4.X (All versions), RUGGEDCOM RSG2288 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300 V4.X (All versions), RUGGEDCOM RSG2300 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300P V4.X (All versions), RUGGEDCOM RSG2300P V5.X (All versions < V5.10.0), RUGGEDCOM RSG2488 V4.X (All versions), RUGGEDCOM RSG2488 V5.X (All versions < V5.10.0), RUGGEDCOM RSG907R (All versions < V5.10.0), RUGGEDCOM RSG908C (All versions < V5.10.0), RUGGEDCOM RSG909R (All versions < V5.10.0), RUGGEDCOM RSG910C (All versions < V5.10.0), RUGGEDCOM RSG920P V4.X (All versions), RUGGEDCOM RSG920P V5.X (All versions < V5.10.0), RUGGEDCOM RSL910 (All versions < V5.10.0), RUGGEDCOM RST2228 (All versions < V5.10.0), RUGGEDCOM RST2228P (All versions < V5.10.0), RUGGEDCOM RST916C (All versions < V5.10.0), RUGGEDCOM RST916P (All versions < V5.10.0). Affected devices do not properly handle malformed TLS handshake messages. This could allow an attacker with network access to the webserver to cause a denial of service resulting in the web server and the device to crash. | 2025-07-08 | 5.3 | CVE-2025-41222 |
| Advantech--iView | A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By manipulating certain input parameters, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities. | 2025-07-10 | 5.4 | CVE-2025-41442 |
| SAP_SE--SAP NetWeaver (RFC enabled function module) | SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module which could grants access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or controlled conditions. This leads to a low impact on confidentiality with no effect on integrity or availability of the application. | 2025-07-08 | 5 | CVE-2025-42968 |
| SAP_SE--SAPCAR | SAPCAR improperly sanitizes the file paths while extracting SAPCAR archives. Due to this, an attacker could craft a malicious SAPCAR archive containing directory traversal sequences. When a high privileged victim extracts this malicious archive, it is then processed by SAPCAR on their system, causing files to be extracted outside the intended directory and overwriting files in arbitrary locations. This vulnerability has a high impact on the integrity and availability of the application with no impact on confidentiality. | 2025-07-08 | 5.8 | CVE-2025-42970 |
| SAP_SE--SAP Data Services (DQ Report) | Due to a Cross-Site Scripting vulnerability in SAP Data Services Management Console, an authenticated attacker could exploit the search functionality associated with DQ job status reports. By intercepting requests, malicious script can be injected and subsequently executed when a user loads the affected page. This results in a limited impact on the confidentiality and integrity of user session information, while availability remains unaffected. | 2025-07-08 | 5.4 | CVE-2025-42973 |
| SAP_SE--SAP GUI for Windows | The GuiXT application, which is integrated with SAP GUI for Windows, uses obfuscation algorithms instead of secure symmetric ciphers for storing the credentials of an RFC user on the client PC. This leads to a high impact on confidentiality because any attacker who gains access to the user hive of this user�s windows registry could recreate the original password. There is no impact on integrity or availability of the application | 2025-07-08 | 5.6 | CVE-2025-42979 |
| Adobe--Audition | Audition versions 25.2, 24.6.3 and earlier are affected by an Access of Memory Location After End of Buffer vulnerability that could result in application denial-of-service. An attacker could leverage this vulnerability to crash the application or disrupt its functionality. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-43580 |
| Adobe--Substance3D - Viewer | Substance3D - Viewer versions 0.22 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption in service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-43583 |
| Adobe--Substance3D - Viewer | Substance3D - Viewer versions 0.22 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-43584 |
| Adobe--After Effects | After Effects versions 25.2, 24.6.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-43587 |
| tomdever--wpForo Forum | The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file. | 2025-07-10 | 5.4 | CVE-2025-4406 |
| Gallagher--Command Centre Server | A Privilege Context Switching Error (CWE-270) in the Command Center Server could allow a privileged Operator with high level access in one Division to perform limited privileged activities across the Division boundary. This issue affects Command Centre Server: 9.30 prior to 9.30.1874 (MR1), 9.20 prior to 9.20.2337 (MR3), 9.10 prior to 9.10.3194 (MR6), 9.00 prior to 9.00.3371 (MR7), all versions of 8.90 and prior. | 2025-07-10 | 5.6 | CVE-2025-46406 |
| Adobe--After Effects | After Effects versions 25.2, 24.6.6 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing disruption to services. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-47109 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing a disruption in service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-47119 |
| Adobe--Adobe Framemaker | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-47120 |
| Adobe--Dimension | Dimension versions 4.1.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-47135 |
| Microsoft--Microsoft Edge (Chromium-based) | Improper input validation in Microsoft Edge (Chromium-based) allows an authorized attacker to bypass a security feature locally. | 2025-07-11 | 5.6 | CVE-2025-47182 |
| Microsoft--Microsoft Edge (Chromium-based) | Microsoft Edge (Chromium-based) Spoofing Vulnerability | 2025-07-11 | 5.4 | CVE-2025-47964 |
| Microsoft--Windows Server 2025 (Server Core installation) | Integer overflow or wraparound in Windows Hyper-V allows an authorized attacker to disclose information over an adjacent network. | 2025-07-08 | 5.7 | CVE-2025-48002 |
| Emerson--ValveLink SOLO | Emerson ValveLink products use a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. | 2025-07-10 | 5.1 | CVE-2025-48496 |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. | 2025-07-08 | 5.5 | CVE-2025-48808 |
| Microsoft--Windows Server 2025 (Server Core installation) | Processor optimization removal or modification of security-critical code in Windows Kernel allows an authorized attacker to disclose information locally. | 2025-07-08 | 5.5 | CVE-2025-48809 |
| Microsoft--Windows Server 2025 (Server Core installation) | Processor optimization removal or modification of security-critical code in Windows Secure Kernel Mode allows an authorized attacker to disclose information locally. | 2025-07-08 | 5.5 | CVE-2025-48810 |
| Microsoft--Office Online Server | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | 2025-07-08 | 5.5 | CVE-2025-48812 |
| Microsoft--Windows 10 Version 1809 | Cryptographic issues in Windows Cryptographic Services allows an unauthorized attacker to disclose information over a network. | 2025-07-08 | 5.9 | CVE-2025-48823 |
| Adobe--Illustrator | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to crash the application, causing a disruption in service. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-49524 |
| Adobe--Illustrator | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | 2025-07-08 | 5.5 | CVE-2025-49525 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2025-07-08 | 5.4 | CVE-2025-49534 |
| Adobe--ColdFusion | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an unauthenticated attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser, scope is changed. The vulnerable component is restricted to internal IP addresses. | 2025-07-08 | 5.2 | CVE-2025-49542 |
| Adobe--Adobe Experience Manager | Adobe Experience Manager versions 11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field. Scope is changed. | 2025-07-08 | 5.4 | CVE-2025-49547 |
| Microsoft--Windows 10 Version 1809 | Out-of-bounds read in Windows TDX.sys allows an authorized attacker to disclose information locally. | 2025-07-08 | 5.5 | CVE-2025-49658 |
| Microsoft--Windows 10 Version 1809 | Exposure of sensitive information to an unauthorized actor in Windows User-Mode Driver Framework Host allows an authorized attacker to disclose information locally. | 2025-07-08 | 5.5 | CVE-2025-49664 |
| Microsoft--Windows 10 Version 1809 | Buffer over-read in Storage Port Driver allows an authorized attacker to disclose information locally. | 2025-07-08 | 5.5 | CVE-2025-49684 |
| Microsoft--Windows Server 2019 | Uncontrolled resource consumption in Windows Netlogon allows an unauthorized attacker to deny service over a network. | 2025-07-08 | 5.9 | CVE-2025-49716 |
| Microsoft--Windows 10 Version 1809 | Uncontrolled resource consumption in Windows Print Spooler Components allows an authorized attacker to deny service over an adjacent network. | 2025-07-08 | 5.7 | CVE-2025-49722 |
| Mitsubishi Electric Corporation--MELSEC iQ-F Series FX5U-32MT/ES | Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series allows a remote unauthenticated attacker to lockout legitimate users for a certain period by repeatedly attempting to login with incorrect passwords. The legitimate users will be unable to login until a certain period has passed after the lockout or until the product is reset. | 2025-07-11 | 5.3 | CVE-2025-5241 |
| open-quantum-safe--liboqs | liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Multiple secret-dependent branches have been identified in the reference implementation of the HQC key encapsulation mechanism when it is compiled with Clang for optimization levels above -O0 (-O1, -O2, etc). A proof-of-concept local attack exploits this secret-dependent information to recover the entire secret key. This vulnerability is fixed in 0.14.0. | 2025-07-10 | 5.9 | CVE-2025-52473 |
| Juniper Networks--Junos OS | An Improper Handling of Exceptional Conditions vulnerability in Berkeley Packet Filter (BPF) processing of Juniper Networks Junos OS allows an attacker, in rare cases, sending specific, unknown traffic patterns to cause the FPC and system to crash and restart. BPF provides a raw interface to data link layers in a protocol independent fashion. Internally within the Junos kernel, due to a rare timing issue (race condition), when a BPF instance is cloned, the newly created interface causes an internal structure leakage, leading to a system crash. The precise content and timing of the traffic patterns is indeterminate, but has been seen in a lab environment multiple times. This issue is more likely to occur when packet capturing is enabled. See required configuration below. This issue affects Junos OS: * all versions before 21.2R3-S9, * from 21.4 before 21.4R3-S10, * from 22.2 before 22.2R3-S6, * from 22.4 before 22.4R3-S7, * from 23.2 before 23.2R2-S3, * from 23.4 before 23.4R2-S3, * from 24.2 before 24.2R1-S1, 24.2R2. | 2025-07-11 | 5.9 | CVE-2025-52948 |
| Juniper Networks--Junos OS | A Protection Mechanism Failure vulnerability in kernel filter processing of Juniper Networks Junos OS allows an attacker sending IPv6 traffic to an interface to effectively bypass any firewall filtering configured on the interface. Due to an issue with Junos OS kernel filter processing, the 'payload-protocol' match is not being supported, causing any term containing it to accept all packets without taking any other action. In essence, these firewall filter terms were being processed as an 'accept' for all traffic on the interface. This issue affects Junos OS: * all versions before 21.2R3-S9, * from 21.4 before 21.4R3-S11, * from 22.2 before 22.2R3-S7, * from 22.4 before 22.4R3-S7, * from 23.2 before 23.2R2-S4, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2-S1, * from 24.4 before 24.4R1-S2, 24.4R2. This is a more complete fix for previously published CVE-2024-21607 (JSA75748). | 2025-07-11 | 5.8 | CVE-2025-52951 |
| Juniper Networks--Junos OS | A Reachable Assertion vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS).On all Junos OS and Junos OS Evolved devices, when route validation is enabled, a rare condition during BGP initial session establishment can lead to an rpd crash and restart. This occurs specifically when the connection request fails during error-handling scenario. Continued session establishment failures leads to a sustained DoS condition. This issue affects Junos OS: * All versions before 22.2R3-S6, * from 22.4 before 22.4R3-S6, * from 23.2 before 23.2R2-S3, * from 23.4 before 23.4R2-S4, * from 24.2 before 24.2R2; Junos OS Evolved: * All versions before 22.2R3-S6-EVO, * from 22.4 before 22.4R3-S6-EVO, * from 23.2 before 23.2R2-S3-EVO, * from 23.4 before 23.4R2-S4-EVO, * from 24.2 before 24.2R2-EVO. | 2025-07-11 | 5.3 | CVE-2025-52958 |
| Juniper Networks--Junos OS | An Improper Access Control vulnerability in the User Interface (UI) of Juniper Networks Junos OS allows a local, low-privileged attacker to bring down an interface, leading to a Denial-of-Service. Users with "view" permissions can run a specific request interface command which allows the user to shut down the interface. This issue affects Junos OS: * All versions before 21.2R3-S9, * from 21.4 before 21.4R3-S11, * from 22.2 before 22.2R3-S7, * from 22.4 before 22.4R3-S7, * from 23.2 before 23.2R2-S4, * from 23.4 before 23.4R2-S5, * from 24.2 before 24.2R2-S1, * from 24.4 before 24.4R1-S3, 24.4R2. | 2025-07-11 | 5.5 | CVE-2025-52963 |
| Juniper Networks--Junos OS | An Improper Resource Shutdown or Release vulnerability in the SIP ALG of Juniper Networks Junos OS on MX Series with MS-MPC allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). When an MX Series device with an MS-MPC is configured with two or more service sets which are both processing SIP calls, a specific sequence of call events will lead to a crash and restart of the MS-MPC. This issue affects Junos OS: * all versions before 21.2R3-S9, * 21.4 versions from 21.4R1, * 22.2 versions before 22.2R3-S6, * 22.4 versions before 22.4R3-S6. As the MS-MPC is EoL after Junos OS 22.4, later versions are not affected. This issue does not affect MX-SPC3 or SRX Series devices. | 2025-07-11 | 5.9 | CVE-2025-52982 |
| Juniper Networks--Junos OS | A NULL Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause impact to the availability of the device. When static route points to a reject next hop and a gNMI query is processed for that static route, rpd crashes and restarts. This issue affects: Junos OS: * all versions before 21.2R3-S9, * 21.4 versions before 21.4R3-S10, * 22.2 versions before 22.2R3-S6, * 22.4 versions before 22.4R3-S6, * 23.2 versions before 23.2R2-S3, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R1-S2, 24.2R2; Junos OS Evolved: * all versions before 22.4R3-S7-EVO, * 23.2-EVO versions before 23.2R2-S3-EVO, * 23.4-EVO versions before 23.4R2-S4-EVO, * 24.2-EVO versions before 24.2R2-EVO. | 2025-07-11 | 5.9 | CVE-2025-52984 |
| Juniper Networks--Junos OS Evolved | A Use of Incorrect Operator vulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions. When a firewall filter which is applied to the lo0 or re:mgmt interface references a prefix list with 'from prefix-list', and that prefix list contains more than 10 entries, the prefix list doesn't match and packets destined to or from the local device are not filtered. This issue affects firewall filters applied to the re:mgmt interfaces as input and output, but only affects firewall filters applied to the lo0 interface as output. This issue is applicable to IPv4 and IPv6 as a prefix list can contain IPv4 and IPv6 prefixes. This issue affects Junos OS Evolved: * 23.2R2-S3-EVO versions before 23.2R2-S4-EVO, * 23.4R2-S3-EVO versions before 23.4R2-S5-EVO, * 24.2R2-EVO versions before 24.2R2-S1-EVO, * 24.4-EVO versions before 24.4R1-S3-EVO, 24.4R2-EVO. This issue doesn't not affect Junos OS Evolved versions before 23.2R1-EVO. | 2025-07-11 | 5.3 | CVE-2025-52985 |
| Juniper Networks--Junos OS | A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low privileged user to cause an impact to the availability of the device. When RIB sharding is enabled and a user executes one of several routing related 'show' commands, a certain amount of memory is leaked. When all available memory has been consumed rpd will crash and restart. The leak can be monitored with the CLI command: show task memory detail | match task_shard_mgmt_cookie where the allocated memory in bytes can be seen to continuously increase with each exploitation. This issue affects: Junos OS: * all versions before 21.2R3-S9, * 21.4 versions before 21.4R3-S11, * 22.2 versions before 22.2R3-S7, * 22.4 versions before 22.4R3-S7, * 23.2 versions before 23.2R2-S4, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2, * 24.4 versions before 24.4R1-S2, 24.4R2; Junos OS Evolved: * all versions before 22.2R3-S7-EVO * 22.4-EVO versions before 22.4R3-S7-EVO, * 23.2-EVO versions before 23.2R2-S4-EVO, * 23.4-EVO versions before 23.4R2-S4-EVO, * 24.2-EVO versions before 24.2R2-EVO, * 24.4-EVO versions before 24.4R2-EVO. | 2025-07-11 | 5.5 | CVE-2025-52986 |
| Juniper Networks--Junos OS | An Improper Neutralization of Delimiters vulnerability in the UI of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with high privileges to modify the system configuration. A user with limited configuration and commit permissions, using a specifically crafted annotate configuration command, can change any part of the device configuration. This issue affects: Junos OS: * all versions before 22.2R3-S7, * 22.4 versions before 22.4R3-S7, * 23.2 versions before 23.2R2-S4, * 23.4 versions before 23.4R2-S4, * 24.2 versions before 24.2R2-S1, * 24.4 versions before 24.4R1-S2, 24.4R2; Junos OS Evolved: * all versions before 22.4R3-S7-EVO, * 23.2-EVO versions before 23.2R2-S4-EVO, * 23.4-EVO versions before 23.4R2-S5-EVO, * 24.2-EVO versions before 24.2R2-S1-EVO * 24.4-EVO versions before 24.4R2-EVO. | 2025-07-11 | 5.1 | CVE-2025-52989 |
| Huawei--HarmonyOS | Vulnerability of bypassing the process to start SA and use related functions on distributed cameras Impact: Successful exploitation of this vulnerability may allow the peer device to use the camera without user awareness. | 2025-07-07 | 5.7 | CVE-2025-53168 |
| Huawei--HarmonyOS | Stack overflow risk when vector images are parsed during file preview Impact: Successful exploitation of this vulnerability may affect the file preview function. | 2025-07-07 | 5.3 | CVE-2025-53173 |
| Huawei--HarmonyOS | Vulnerability that allows third-party call apps to send broadcasts without verification in the audio framework module Impact: Successful exploitation of this vulnerability may affect availability. | 2025-07-07 | 5.9 | CVE-2025-53186 |
| parse-community--parse-server | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Starting in 5.3.0 and before 7.5.3 and 8.2.2, the Parse Server GraphQL API previously allowed public access to the GraphQL schema without requiring a session token or the master key. While schema introspection reveals only metadata and not actual data, this metadata can still expand the potential attack surface. This vulnerability is fixed in 7.5.3 and 8.2.2. | 2025-07-10 | 5.3 | CVE-2025-53364 |
| Advantech--iView | A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By exploiting this flaw, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities. | 2025-07-10 | 5.4 | CVE-2025-53397 |
| Emerson--ValveLink SOLO | Emerson ValveLink products receive input or data, but it do not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. | 2025-07-10 | 5.1 | CVE-2025-53471 |
| Advantech--iView | A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By manipulating specific parameters, an attacker could execute unauthorized scripts in the user's browser, potentially leading to information disclosure or other malicious activities. | 2025-07-10 | 5.4 | CVE-2025-53519 |
| giscus--giscus | giscus is a commenting system powered by GitHub Discussions. A bug in giscus' discussions creation API allowed an unauthorized user to create discussions on any repository where giscus is installed. This affects the server-side part of giscus, which is provided via http://giscus.app or your own self-hosted service. This vulnerability is fixed by the c43af7806e65adfcf4d0feeebef76dc36c95cb9a and 4b9745fe1a326ce08d69f8a388331bc993d19389 commits. | 2025-07-07 | 5.3 | CVE-2025-53532 |
| OSC--ondemand | Open OnDemand is an open-source HPC portal. Users can flood logs by interacting with the shell app and generating many errors. Users who flood logs can create very large log files causing a Denial of Service (DoS) to the ondemand system. This vulnerability is fixed in 3.1.14 and 4.0.6. | 2025-07-11 | 5.4 | CVE-2025-53636 |
| Palantir--com.palantir.secupload:secure-upload | Secure-upload is a data submission service that validates single-use tokens when accepting submissions to channels. The service only installed on a small number of environments. Under specific circumstances, privileged users of secure-upload could have selected email templates not necessarily created for their enrollment when sending data upload requests. Authenticated and privileged users of one enrollment could have abused an endpoint to redirect existing submission channels to a dataset they control. An endpoint handling domain validation allowed unauthenticated users to enumerate existing enrollments. Finally, other endpoints allowed enumerating if a resource with a known RID exists across enrollments. The affected service has been patched with version 0.815.0 and automatically deployed to all Apollo-managed Foundry instances. | 2025-07-10 | 5.4 | CVE-2025-53709 |
| Connect2id--Nimbus JOSE+JWT | Connect2id Nimbus JOSE + JWT before 10.0.2 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson. | 2025-07-11 | 5.8 | CVE-2025-53864 |
| Ivanti--Connect Secure | Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a local authenticated attacker to obtain that information. | 2025-07-08 | 5.5 | CVE-2025-5463 |
| tigroumeow--AI Engine | The AI Engine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the mwai_chatbot shortcode 'id' parameter in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-08 | 5.4 | CVE-2025-5570 |
| rcatheme--Guest Support Complete customer support ticket system for WordPress | The Guest Support - Complete customer support ticket system for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteMassTickets' function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to delete arbitrary support tickets. | 2025-07-08 | 5.3 | CVE-2025-5957 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. If an attacker manages to exhaust the heap space, this error is not detected and may lead to libssh using a partially initialized cipher context. This occurs because the OpenSSL error code returned aliases with the SSH_OK code, resulting in libssh not properly detecting the error returned by the OpenSSL library. This issue can lead to undefined behavior, including compromised data confidentiality and integrity or crashes. | 2025-07-07 | 5 | CVE-2025-5987 |
| PHP Group--PHP | In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 when parsing XML data in SOAP extensions, overly large (>2Gb) XML namespace prefix may lead to null pointer dereference. This may lead to crashes and affect the availability of the target server. | 2025-07-13 | 5.9 | CVE-2025-6491 |
| xTemos--Woodmart | The WoodMart plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.2.5 via the woodmart_get_posts_by_query() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | 2025-07-11 | 5.3 | CVE-2025-6745 |
| SimStudioAI--sim | A vulnerability classified as critical has been found in SimStudioAI sim up to 0.1.17. Affected is the function handleLocalFile of the file apps/sim/app/api/files/parse/route.ts. The manipulation of the argument filePath leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The patch is identified as b2450530d1ddd0397a11001a72aa0fde401db16a. It is recommended to apply a patch to fix this issue. | 2025-07-07 | 5.3 | CVE-2025-7107 |
| risesoft-y9--Digital-Infrastructure | A vulnerability classified as critical was found in risesoft-y9 Digital-Infrastructure up to 9.6.7. Affected by this vulnerability is the function deleteFile of the file /Digital-Infrastructure-9.6.7/y9-digitalbase-webapp/y9-module-filemanager/risenet-y9boot-webapp-filemanager/src/main/java/net/risesoft/y9public/controller/Y9FileController.java. The manipulation of the argument fullPath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-07 | 5.4 | CVE-2025-7108 |
| 9fans--plan9port | A vulnerability was found in 9fans plan9port up to 9da5b44. It has been classified as critical. This affects the function edump in the library /src/plan9port/src/libsec/port/x509.c. The manipulation leads to heap-based buffer overflow. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The identifier of the patch is b3e06559475b0130a7a2fb56ac4d131d13d2012f. It is recommended to apply a patch to fix this issue. | 2025-07-09 | 5.5 | CVE-2025-7208 |
| Red Hat--Red Hat Build of Keycloak | A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account. | 2025-07-10 | 5.4 | CVE-2025-7365 |
| mautic--Docker Mautic | ImpactThis is an information disclosure vulnerability originating from PHP's base image. This vulnerability exposes the PHP version through an X-Powered-By header, which attackers could exploit to fingerprint the server and identify potential weaknesses. WorkaroundsThe mitigation requires changing the expose_php variable from "On" to "Off" in the file located at /usr/local/etc/php/php.ini. | 2025-07-09 | 5.3 | CVE-2025-7381 |
| lanacodes--Lana Downloads Manager | The Lana Downloads Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the endpoint parameters in versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with administrator-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-10 | 5.5 | CVE-2025-7387 |
| letseeqiji--gorobbs | A vulnerability was found in letseeqiji gorobbs up to 1.0.8. It has been classified as critical. This affects the function ResetUserAvatar of the file controller/api/v1/user.go of the component API. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-11 | 5.4 | CVE-2025-7450 |
| GNU--Binutils | A vulnerability classified as problematic was found in GNU Binutils 2.45. Affected by this vulnerability is the function copy_section of the file binutils/objcopy.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. The patch is named 08c3cbe5926e4d355b5cb70bbec2b1eeb40c2944. It is recommended to apply a patch to fix this issue. | 2025-07-13 | 5.3 | CVE-2025-7545 |
| GNU--Binutils | A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfd_elf_set_group_contents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. The name of the patch is 41461010eb7c79fee7a9d5f6209accdaac66cc6b. It is recommended to apply a patch to fix this issue. | 2025-07-13 | 5.3 | CVE-2025-7546 |
| Fortinet--FortiOS | An Improperly Implemented Security Check for Standard vulnerability [CWE-358] in FortiOS version 7.6.0, version 7.4.7 and below, 7.0 all versions, 6.4 all versions and FortiProxy version 7.6.1 and below, version 7.4.8 and below, 7.2 all versions, 7.0 all versions may allow a remote unauthenticated user to bypass the DNS filter via Apple devices. | 2025-07-08 | 4.9 | CVE-2024-55599 |
| Huawei--HarmonyOS | Stack overflow risk when vector images are parsed during file preview Impact: Successful exploitation of this vulnerability may affect the file preview function. | 2025-07-07 | 4 | CVE-2024-58117 |
| IBM--OpenPages with Watson | IBM OpenPages with Watson 8.3 and 9.0 could allow an authenticated user to obtain sensitive information that should only be available to privileged users. | 2025-07-09 | 4.3 | CVE-2025-1112 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.6, and 9.1.9 and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.112, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles, and has read-only access to a specific alert, could suppress that alert when it triggers. See [Define alert suppression groups to throttle sets of similar alerts](https://help.splunk.com/en/splunk-enterprise/alert-and-respond/alerting-manual/9.4/manage-alert-trigger-conditions-and-throttling/define-alert-suppression-groups-to-throttle-sets-of-similar-alerts). | 2025-07-07 | 4.3 | CVE-2025-20300 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.<br><br>See [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information. | 2025-07-07 | 4.3 | CVE-2025-20322 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the "admin" or "power" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app. | 2025-07-07 | 4.3 | CVE-2025-20323 |
| Samsung Mobile--Samsung Mobile Devices | Improper authorization in accessing saved Wi-Fi password for Galaxy Tablet prior to SMR Jul-2025 Release 1 allows secondary users to access owner's saved Wi-Fi password. | 2025-07-08 | 4.1 | CVE-2025-20999 |
| Samsung Mobile--Samsung Mobile Devices | Insecure storage of sensitive information in Emergency SOS prior to SMR Jul-2025 Release 1 allows local attackers to access sensitive information. | 2025-07-08 | 4 | CVE-2025-21003 |
| meshtastic--firmware | Meshtastic is an open source mesh networking solution. From 1.2.1 until 2.6.2, a packet sent to the routing module that contains want_response==true causes a crash. This can lead to a degradation of service for nodes within range of a malicious sender, or via MQTT if downlink is enabled. This vulnerability is fixed in 2.6.2. | 2025-07-10 | 4.3 | CVE-2025-24798 |
| IBM--OpenPages | IBM OpenPages 9.0 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points related to workflow feature of OpenPages. An authenticated user is able to obtain certain information about Workflow related configuration and internal state. | 2025-07-09 | 4.3 | CVE-2025-2670 |
| Radiflow--iSAP Smart Collector | A user with vpuser credentials that opens an SSH connection to the device, gets a restricted shell rbash that allows only a small list of allowed commands. This vulnerability enables the user to get a full-featured Linux shell, bypassing the rbash restrictions. | 2025-07-09 | 4.1 | CVE-2025-27027 |
| Siemens--TIA Project-Server | A vulnerability has been identified in TIA Project-Server (All versions < V2.1.1), TIA Project-Server V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V18 (All versions), Totally Integrated Automation Portal (TIA Portal) V19 (All versions), Totally Integrated Automation Portal (TIA Portal) V20 (All versions < V20 Update 3). The affected application improperly handles uploaded projects in the document root. This could allow an attacker with contributor privileges to cause denial of service by uploading a malicious project. | 2025-07-08 | 4.3 | CVE-2025-27127 |
| IBM--OpenPages with Watson | IBM OpenPages with Watson 8.3 and 9.0 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used for the administration of OpenPages. An authenticated user is able to obtain certain information about system configuration and internal state which is only intended for administrators of the system. | 2025-07-08 | 4.3 | CVE-2025-27369 |
| IBM--Sterling File Gateway | IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 could disclose sensitive installation directory information to an authenticated user that could be used in further attacks against the system. | 2025-07-08 | 4.3 | CVE-2025-2827 |
| SAP_SE--SAP BusinessObjects Business Intelligence Platform (Web Intelligence) | SAP�BusinessObjects Business�Intelligence Platform (Web Intelligence) is vulnerable to HTML Injection, allowing an attacker with basic user privileges to inject malicious code into specific input fields. This could lead to unintended redirects or manipulation of application behavior, such as redirecting users to attacker-controlled domains. This issue primarily affects the integrity of the system. However, the confidentiality and availability of the system remain unaffected. | 2025-07-08 | 4.1 | CVE-2025-31326 |
| GitLab--GitLab | An issue has been discovered in GitLab EE affecting all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that could have allowed authenticated project owners to bypass group-level forking restrictions by manipulating API requests. | 2025-07-10 | 4.3 | CVE-2025-3396 |
| IBM--Analytics Content Hub | IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 could allow a remote attacker to obtain information about the application framework which could be used in reconnaissance to gather information for future attacks from a detailed technical error message. | 2025-07-10 | 4.3 | CVE-2025-36090 |
| Dell--PowerFlex Manager VM | Dell PowerFlex Manager VM, versions prior to 4.6.2.1, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the system with privileges of the compromised account. | 2025-07-09 | 4.3 | CVE-2025-36599 |
| Siemens--RUGGEDCOM i800 | A vulnerability has been identified in RUGGEDCOM i800 (All versions), RUGGEDCOM i801 (All versions), RUGGEDCOM i802 (All versions), RUGGEDCOM i803 (All versions), RUGGEDCOM M2100 (All versions), RUGGEDCOM M2200 (All versions), RUGGEDCOM M969 (All versions), RUGGEDCOM RMC30 (All versions), RUGGEDCOM RMC8388 V4.X (All versions), RUGGEDCOM RMC8388 V5.X (All versions < V5.10.0), RUGGEDCOM RP110 (All versions), RUGGEDCOM RS1600 (All versions), RUGGEDCOM RS1600F (All versions), RUGGEDCOM RS1600T (All versions), RUGGEDCOM RS400 (All versions), RUGGEDCOM RS401 (All versions), RUGGEDCOM RS416 (All versions), RUGGEDCOM RS416P (All versions), RUGGEDCOM RS416Pv2 V4.X (All versions), RUGGEDCOM RS416Pv2 V5.X (All versions < V5.10.0), RUGGEDCOM RS416v2 V4.X (All versions), RUGGEDCOM RS416v2 V5.X (All versions < V5.10.0), RUGGEDCOM RS8000 (All versions), RUGGEDCOM RS8000A (All versions), RUGGEDCOM RS8000H (All versions), RUGGEDCOM RS8000T (All versions), RUGGEDCOM RS900 (All versions), RUGGEDCOM RS900 (32M) V4.X (All versions), RUGGEDCOM RS900 (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900G (All versions), RUGGEDCOM RS900G (32M) V4.X (All versions), RUGGEDCOM RS900G (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RS900GP (All versions), RUGGEDCOM RS900L (All versions), RUGGEDCOM RS900M-GETS-C01 (All versions), RUGGEDCOM RS900M-GETS-XX (All versions), RUGGEDCOM RS900M-STND-C01 (All versions), RUGGEDCOM RS900M-STND-XX (All versions), RUGGEDCOM RS900W (All versions), RUGGEDCOM RS910 (All versions), RUGGEDCOM RS910L (All versions), RUGGEDCOM RS910W (All versions), RUGGEDCOM RS920L (All versions), RUGGEDCOM RS920W (All versions), RUGGEDCOM RS930L (All versions), RUGGEDCOM RS930W (All versions), RUGGEDCOM RS940G (All versions), RUGGEDCOM RS969 (All versions), RUGGEDCOM RSG2100 (All versions), RUGGEDCOM RSG2100 (32M) V4.X (All versions), RUGGEDCOM RSG2100 (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2100P (All versions), RUGGEDCOM RSG2100P (32M) V4.X (All versions), RUGGEDCOM RSG2100P (32M) V5.X (All versions < V5.10.0), RUGGEDCOM RSG2200 (All versions), RUGGEDCOM RSG2288 V4.X (All versions), RUGGEDCOM RSG2288 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300 V4.X (All versions), RUGGEDCOM RSG2300 V5.X (All versions < V5.10.0), RUGGEDCOM RSG2300P V4.X (All versions), RUGGEDCOM RSG2300P V5.X (All versions < V5.10.0), RUGGEDCOM RSG2488 V4.X (All versions), RUGGEDCOM RSG2488 V5.X (All versions < V5.10.0), RUGGEDCOM RSG907R (All versions < V5.10.0), RUGGEDCOM RSG908C (All versions < V5.10.0), RUGGEDCOM RSG909R (All versions < V5.10.0), RUGGEDCOM RSG910C (All versions < V5.10.0), RUGGEDCOM RSG920P V4.X (All versions), RUGGEDCOM RSG920P V5.X (All versions < V5.10.0), RUGGEDCOM RSL910 (All versions < V5.10.0), RUGGEDCOM RST2228 (All versions < V5.10.0), RUGGEDCOM RST2228P (All versions < V5.10.0), RUGGEDCOM RST916C (All versions < V5.10.0), RUGGEDCOM RST916P (All versions < V5.10.0). The affected devices support the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 cipher suite, which uses CBC (Cipher Block Chaining) mode that is known to be vulnerable to timing attacks. This could allow an attacker to compromise the integrity and confidentiality of encrypted communications. | 2025-07-08 | 4.8 | CVE-2025-41223 |
| SAP_SE--SAP Business Warehouse and SAP BW/4HANA BEx Tools | SAP Business Warehouse and SAP BW/4HANA BEx Tools allow an authenticated attacker to gain higher access levels than intended by exploiting improper authorization checks. This could potentially impact data integrity by allowing deletion of user table entries.�It has no impact on the confidentiality and availability of the application. | 2025-07-08 | 4.3 | CVE-2025-42960 |
| SAP_SE--SAP NetWeaver Application Server for ABAP | Due to a missing authorization check in SAP NetWeaver Application server for ABAP, an authenticated user with high privileges could exploit the insufficient validation of user permissions to access sensitive database tables. By leveraging overly permissive access configurations, unauthorized reading of critical data is possible, resulting in a significant impact on the confidentiality of the information stored. However, the integrity and availability of the system remain unaffected. | 2025-07-08 | 4.9 | CVE-2025-42961 |
| SAP_SE--SAP BusinessObjects BI Platform Central Management Console Promotion Management Application | SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. By analysing response times for various IP addresses and ports, the attacker can infer valid network endpoints. Successful exploitation may lead to information disclosure. This vulnerability does not impact the integrity or availability of the application. | 2025-07-08 | 4.1 | CVE-2025-42965 |
| SAP_SE--SAPCAR | A memory corruption vulnerability exists in SAPCAR allowing an attacker to craft malicious SAPCAR archives. When a high privileged victim extracts this malicious archive, it gets processed by SAPCAR on their system, resulting in out-of-bounds memory read and write. This could lead to file extraction and file overwrite outside the intended directories. This vulnerability has low impact on the confidentiality, integrity and availability of the application. | 2025-07-08 | 4 | CVE-2025-42971 |
| SAP_SE--SAP NetWeaver and ABAP Platform (SDCCN) | Due to missing authorization check, an attacker authenticated as a non-administrative user could call a remote-enabled function module. This could enable access to information normally restricted, resulting in low impact on confidentiality. There is no impact on integrity or availability. | 2025-07-08 | 4.3 | CVE-2025-42974 |
| SAP_SE--SAP NetWeaver and ABAP Platform | Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. This results in low impact on confidentiality, with no impact on integrity or availability of the application. | 2025-07-08 | 4.3 | CVE-2025-42986 |
| Gallagher--T-Series Readers | Missing Release of Resource after Effective Lifetime (CWE-772) in the Gallagher T-Series Reader allows an attacker with physical access to the reader to perform a limited denial of service when 125 kHz Card Technology is enabled. This issue affects T-Series Readers: 9.20 prior to vCR9.20.250213a (distributed in 9.20.1827 (MR2)), 9.10 prior to vCR9.10.250213a (distributed in 9.10.2692(MR5)), 9.00 prior to vCR9.00.250619a (distributed in vEL9.00.3371 (MR7)), all versions of 8.90 and prior. | 2025-07-10 | 4.3 | CVE-2025-44003 |
| GNU--Tar | GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). | 2025-07-11 | 4.1 | CVE-2025-45582 |
| Advantech--iView | A vulnerability exists in Advantech iView in NetworkServlet.processImportRequest() that could allow for a directory traversal attack. This issue requires an authenticated attacker with at least user-level privileges. A specific parameter is not properly sanitized or normalized, potentially allowing an attacker to determine the existence of arbitrary files on the server. | 2025-07-10 | 4.3 | CVE-2025-46704 |
| wftpserver--Wing FTP Server | In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate ways to execute arbitrary system commands (i.e., through the web console or the task scheduler), and they are automatically executed in the highest possible privilege context. Because administrative users of the web interface are not necessarily also system administrators, one might argue that this is a privilege escalation. (If a privileged application role is not available to an attacker, CVE-2025-47812 can be leveraged.) NOTE: the vendor reportedly considers this behavior "fine to keep." | 2025-07-10 | 4.1 | CVE-2025-47811 |
| wftpserver--Wing FTP Server | loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie. | 2025-07-10 | 4.3 | CVE-2025-47813 |
| Adobe--ColdFusion | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. A high-privileged attacker could leverage this vulnerability to access sensitive information. Exploitation of this issue does not require user interaction. The vulnerable component is restricted to internal IP addresses. | 2025-07-08 | 4.5 | CVE-2025-49539 |
| Adobe--ColdFusion | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses. | 2025-07-08 | 4.3 | CVE-2025-49540 |
| Adobe--ColdFusion | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses. | 2025-07-08 | 4.3 | CVE-2025-49541 |
| Adobe--ColdFusion | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim's browser when they browse to the page containing the vulnerable field, scope is changed. The vulnerable component is restricted to internal IP addresses. | 2025-07-08 | 4.3 | CVE-2025-49543 |
| phpThumb project--phpThumb | gif_outputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202506081709. | 2025-07-11 | 4.9 | CVE-2025-52994 |
| Huawei--HarmonyOS | Null pointer dereference vulnerability in the application exit cause module Impact: Successful exploitation of this vulnerability may affect function stability. | 2025-07-07 | 4 | CVE-2025-53170 |
| Huawei--HarmonyOS | Stack overflow risk when vector images are parsed during file preview Impact: Successful exploitation of this vulnerability may affect the file preview function. | 2025-07-07 | 4 | CVE-2025-53171 |
| Huawei--HarmonyOS | Stack overflow risk when vector images are parsed during file preview Impact: Successful exploitation of this vulnerability may affect the file preview function. | 2025-07-07 | 4 | CVE-2025-53172 |
| Huawei--HarmonyOS | Stack overflow risk when vector images are parsed during file preview Impact: Successful exploitation of this vulnerability may affect the file preview function. | 2025-07-07 | 4 | CVE-2025-53174 |
| Huawei--HarmonyOS | Stack overflow risk when vector images are parsed during file preview Impact: Successful exploitation of this vulnerability may affect the file preview function. | 2025-07-07 | 4 | CVE-2025-53175 |
| Huawei--HarmonyOS | Permission bypass vulnerability in the calendar storage module Impact: Successful exploitation of this vulnerability may affect the schedule reminder function of head units. | 2025-07-07 | 4.8 | CVE-2025-53178 |
| kestra-io--kestra | Kestra is an event-driven orchestration platform. The error message in execution "Overview" tab is vulnerable to stored XSS due to improper handling of HTTP response received. This vulnerability is fixed in 0.22.0. | 2025-07-07 | 4.2 | CVE-2025-53543 |
| meshtastic--firmware | Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6. | 2025-07-10 | 4.1 | CVE-2025-53637 |
| haxtheweb--issues | haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6. | 2025-07-11 | 4.8 | CVE-2025-53642 |
| Ivanti--Connect Secure | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to trigger a denial of service. | 2025-07-08 | 4.9 | CVE-2025-5451 |
| MongoDB Inc--MongoDB Server | An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. This issue affects MongoDB Server v8.0 versions prior to 8.0.5, MongoDB Server v7.0 versions prior to 7.0.18 and MongoDB Server v6.0 versions prior to 6.0.21. | 2025-07-07 | 4.4 | CVE-2025-6711 |
| apos37--Broken Link Notifier | The Broken Link Notifier plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.3.0 via broken links that are later exported. This makes it possible for authenticated attackers, with Contributor-level access and above, to embed untrusted input into exported CSV files, which can result in code execution when these files are downloaded and opened on a local system with a vulnerable configuration. | 2025-07-11 | 4.1 | CVE-2025-6838 |
| Campcodes--Complaint Management System | A vulnerability was found in Campcodes Complaint Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /admin/complaint-details.php. The manipulation of the argument cid/uid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 4.7 | CVE-2025-7123 |
| itsourcecode--Employee Management System | A vulnerability, which was classified as critical, was found in itsourcecode Employee Management System up to 1.0. This affects an unknown part of the file /admin/changepassword.php. The manipulation of the argument currentpassword leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 4.7 | CVE-2025-7127 |
| CodeAstro--Online Movie Ticket Booking System | A vulnerability classified as problematic has been found in CodeAstro Online Movie Ticket Booking System 1.0. This affects an unknown part. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 4.3 | CVE-2025-7133 |
| PHPGurukul--Car Washing Management System | A vulnerability was found in PHPGurukul Car Washing Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/editcar-washpoint.php. The manipulation of the argument wpid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 4.7 | CVE-2025-7177 |
| itsourcecode--Student Transcript Processing System | A vulnerability has been found in itsourcecode Student Transcript Processing System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/modules/subject/edit.php. The manipulation of the argument pre leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 4.3 | CVE-2025-7182 |
| Artifex--GhostPDL | A vulnerability was found in Artifex GhostPDL up to 3989415a5b8e99b9d1b87cc9902bde9b7cdea145. It has been classified as problematic. This affects the function pdf_ferror of the file devices/vector/gdevpdf.c of the component New Output File Open Error Handler. The manipulation leads to null pointer dereference. It is possible to initiate the attack remotely. The identifier of the patch is 619a106ba4c4abed95110f84d5efcd7aee38c7cb. It is recommended to apply a patch to fix this issue. | 2025-07-12 | 4.3 | CVE-2025-7462 |
| code-projects--Simple Car Rental System | A vulnerability, which was classified as critical, has been found in code-projects Simple Car Rental System 1.0. This issue affects some unknown processing of the file /admin/add_cars.php. The manipulation of the argument image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-12 | 4.7 | CVE-2025-7477 |
| JoeyBling--SpringBoot_MyBatisPlus | A vulnerability has been found in JoeyBling SpringBoot_MyBatisPlus up to a6a825513bd688f717dbae3a196bc9c9622fea26 and classified as critical. This vulnerability affects the function Download of the file /file/download. The manipulation of the argument Name leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | 2025-07-12 | 4.3 | CVE-2025-7488 |
| rsjoomla--RSFirewall! | The RSFirewall! plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.1.42 via the get_local_filename() function. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2025-07-12 | 4.9 | CVE-2025-7518 |
| D-Link--DIR-818LW | A vulnerability classified as critical has been found in D-Link DIR-818LW up to 20191215. This affects an unknown part of the component System Time Page. The manipulation of the argument NTP Server leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-07-13 | 4.7 | CVE-2025-7553 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| dradisframework--Dradis | In Dradis before 4.11.0, the Output Console shows a job queue that may contain information about other users' jobs. | 2025-07-10 | 3.5 | CVE-2023-50458 |
| AMD--AMD EPYC 7002 Series Processors | A transient execution vulnerability in some AMD processors may allow a user process to infer the control registers speculatively even if UMIP feature is enabled, potentially resulting in information leakage. | 2025-07-08 | 3.8 | CVE-2024-36348 |
| AMD--AMD EPYC 7002 Series Processors | A transient execution vulnerability in some AMD processors may allow a user process to infer TSC_AUX even when such a read is disabled, potentially resulting in information leakage. | 2025-07-08 | 3.8 | CVE-2024-36349 |
| PHP Group--PHP | In PHP versions:8.1.* before 8.1.33, 8.2.* before 8.2.29, 8.3.* before 8.3.23, 8.4.* before 8.4.10 some functions like fsockopen() lack validation that the hostname supplied does not contain null characters. This may lead to other functions like parse_url() treat the hostname in different way, thus opening way to security problems if the user code implements access checks before access using such functions. | 2025-07-13 | 3.7 | CVE-2025-1220 |
| Splunk--Splunk Enterprise | In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster [splunk.secret](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise `SHCConfig` log channel at the DEBUG logging level in the clustered deployment. <br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. <br><br>See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities), [Deploy a search head cluster](https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/deploy-a-search-head-cluster), [Deploy secure passwords across multiple servers](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) and [Set a security key for the search head cluster](https://help.splunk.com/splunk-enterprise/administer/distributed-search/9.4/configure-search-head-clustering/set-a-security-key-for-the-search-head-cluster#id_2c54937a_736c_47b5_9485_67e9e390acfa__Set_a_security_key_for_the_search_head_cluster) for more information. | 2025-07-07 | 3.1 | CVE-2025-20325 |
| j6t--gitk | Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files for which the user has write permission can be created and truncated. The option Support per-file encoding must have been enabled before in Gitk's Preferences. This option is disabled by default. The same happens when Show origin of this line is used in the main window (regardless of whether Support per-file encoding is enabled or not). This vulnerability is fixed in 2.43.7, 2.44.4, 2.45.4, 2.46.4, 2.47.3, 2.48.2, 2.49.1, and 2.50.1. | 2025-07-10 | 3.6 | CVE-2025-27613 |
| wftpserver--Wing FTP Server | Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted link, this discloses a cleartext password to the attacker. | 2025-07-10 | 3.4 | CVE-2025-27889 |
| SAP_SE--SAP NetWeaver Application Server Java | The widely used component that establishes outbound TLS connections in SAP NetWeaver Application Server Java does not reliably match the hostname that is used for the connection against the wildcard hostname defined in the received certificate of remote TLS server. This might lead to the outbound connection being established to a possibly malicious remote TLS server and hence disclose information. Integrity and Availability are not impacted. | 2025-07-08 | 3.5 | CVE-2025-42978 |
| Zoom Communications Inc.--Zoom Clients | Cross-site scripting in certain Zoom Clients before version 6.4.5 may allow an authenticated user to conduct a disclosure of information via network access. | 2025-07-10 | 3.5 | CVE-2025-49462 |
| Microsoft--Microsoft Teams for Android | Improper handling of insufficient permissions or privileges in Microsoft Teams allows an authorized attacker to elevate privileges over a network. | 2025-07-08 | 3.1 | CVE-2025-49731 |
| Microsoft--Microsoft 365 Apps for Enterprise | Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally. | 2025-07-08 | 3.3 | CVE-2025-49756 |
| Microsoft--Windows 10 Version 1809 | External control of file name or path in Windows Storage allows an authorized attacker to perform spoofing over a network. | 2025-07-08 | 3.5 | CVE-2025-49760 |
| Huawei--HarmonyOS | Stack overflow risk when vector images are parsed during file preview Impact: Successful exploitation of this vulnerability may affect the file preview function. | 2025-07-07 | 3.3 | CVE-2025-53176 |
| Huawei--HarmonyOS | Permission bypass vulnerability in the calendar storage module Impact: Successful exploitation of this vulnerability may affect the schedule syncing function of watches. | 2025-07-07 | 3.9 | CVE-2025-53177 |
| Red Hat--Red Hat Ansible Automation Platform 2 | A flaw was found in Ansible. Sensitive cookies without security flags over non-encrypted channels can lead to Man-in-the-Middle (MitM) and Cross-site scripting (XSS) attacks allowing attackers to read transmitted data. | 2025-07-11 | 3.1 | CVE-2025-53861 |
| Red Hat--Red Hat Ansible Automation Platform 2 | A flaw was found in Ansible. Three API endpoints are accessible and return verbose, unauthenticated responses. This flaw allows a malicious user to access data that may contain important information. | 2025-07-11 | 3.5 | CVE-2025-53862 |
| Portabilis--i-Educar | A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.9.0. Affected by this issue is some unknown functionality of the file /intranet/educar_aluno_beneficio_lst.php of the component Student Benefits Registration. The manipulation of the argument Benefício leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-07 | 3.5 | CVE-2025-7109 |
| Portabilis--i-Educar | A vulnerability, which was classified as problematic, was found in Portabilis i-Educar 2.9.0. This affects an unknown part of the file /intranet/educar_escola_lst.php of the component School Module. The manipulation of the argument Escola leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-07 | 3.5 | CVE-2025-7110 |
| Portabilis--i-Educar | A vulnerability has been found in Portabilis i-Educar 2.9.0 and classified as problematic. This vulnerability affects unknown code of the file /intranet/educar_curso_det.php?cod_curso=ID of the component Course Module. The manipulation of the argument Curso leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-07 | 3.5 | CVE-2025-7111 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar 2.9.0 and classified as problematic. This issue affects some unknown processing of the file /intranet/educar_funcao_det.php?cod_funcao=COD&ref_cod_instituicao=COD of the component Function Management Module. The manipulation of the argument Função leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-07 | 3.5 | CVE-2025-7112 |
| Portabilis--i-Educar | A vulnerability was found in Portabilis i-Educar 2.9.0. It has been classified as problematic. Affected is an unknown function of the file /module/ComponenteCurricular/edit?id=ID of the component Curricular Components Module. The manipulation of the argument Nome leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-07 | 3.5 | CVE-2025-7113 |
| CodeAstro--Simple Hospital Management System | A vulnerability was found in CodeAstro Simple Hospital Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /patient.html of the component POST Parameter Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Multiple parameters might be affected. | 2025-07-07 | 3.5 | CVE-2025-7148 |
| CodeAstro--Simple Hospital Management System | A vulnerability classified as problematic was found in CodeAstro Simple Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /doctor.html of the component POST Parameter Handler. The manipulation of the argument First Name/Last name/Address leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-08 | 3.5 | CVE-2025-7153 |
| n/a--mruby | A vulnerability, which was classified as problematic, was found in mruby up to 3.4.0-rc2. Affected is the function scope_new of the file mrbgems/mruby-compiler/core/codegen.c of the component nregs Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The name of the patch is 1fdd96104180cc0fb5d3cb086b05ab6458911bb9. It is recommended to apply a patch to fix this issue. | 2025-07-09 | 3.3 | CVE-2025-7207 |
| 9fans--plan9port | A vulnerability has been found in 9fans plan9port up to 9da5b44 and classified as problematic. Affected by this vulnerability is the function value_decode in the library src/libsec/port/x509.c. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The identifier of the patch is deae8939583d83fd798fca97665e0e94656c3ee8. It is recommended to apply a patch to fix this issue. | 2025-07-09 | 3.3 | CVE-2025-7209 |
| SourceCodester--Zoo Management System | A vulnerability has been found in SourceCodester Zoo Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /admin/templates/animal_form_template.php. The manipulation of the argument msg leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-10 | 3.5 | CVE-2025-7408 |
| LiveHelperChat--lhc-php-resque Extension | A vulnerability was found in LiveHelperChat lhc-php-resque Extension up to ee1270b35625f552425e32a6a3061cd54b5085c4. It has been classified as problematic. This affects an unknown part of the file /site_admin/lhcphpresque/list/ of the component List Handler. The manipulation of the argument queue name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The identifier of the patch is 542aa8449b5aa889b3a54f419e794afe19f56d5d/0ce7b4f1193c0ed6c6e31a960fafededf979eef2. It is recommended to apply a patch to fix this issue. | 2025-07-11 | 3.5 | CVE-2025-7435 |
| saltbo--zpan | A vulnerability was found in saltbo zpan up to 1.6.5/1.7.0-beta2. It has been rated as problematic. This issue affects the function NewToken of the file zpan/internal/app/service/token.go of the component JSON Web Token Handler. The manipulation with the input 123 leads to use of hard-coded password. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | 2025-07-11 | 3.7 | CVE-2025-7453 |
| osrg--GoBGP | A vulnerability classified as problematic has been found in osrg GoBGP up to 3.37.0. Affected is the function SplitRTR of the file pkg/packet/rtr/rtr.go. The manipulation leads to out-of-bounds read. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The name of the patch is e748f43496d74946d14fed85c776452e47b99d64. It is recommended to apply a patch to fix this issue. | 2025-07-12 | 3.7 | CVE-2025-7464 |
| n/a--Open5GS | A vulnerability classified as problematic was found in Open5GS up to 2.7.3. Affected by this vulnerability is the function ngap_recv_handler/s1ap_recv_handler/recv_handler of the component SCTP Partial Message Handler. The manipulation leads to reachable assertion. The attack needs to be approached locally. The patch is named cfa44575020f3fb045fd971358442053c8684d3d. It is recommended to apply a patch to fix this issue. | 2025-07-12 | 3.3 | CVE-2025-7485 |
| Fortinet--FortiManager | An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiManager Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiAnalyzer 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; and FortiAnalyzer Cloud 7.4.1 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions may allow an authenticated attacker with high privilege to extract database information via crafted requests. | 2025-07-08 | 2.6 | CVE-2025-24474 |
| SAP_SE--SAP NetWeaver Business Warehouse (CCAW application) | SAP NetWeaver Business Warehouse CCAW application allows a privileged attacker to cause a high CPU load by executing a RFC enabled function modules without any input parameters, which results in reduced performance or interrupted operation of the affected resource. This leads to low impact on availability of the application, there is no impact on confidentiality and integrity. | 2025-07-08 | 2.7 | CVE-2025-42954 |
| Adobe--ColdFusion | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Access Control vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability to disrupt the availability of the application. Exploitation of this issue does not require user interaction and scope is unchanged. The vulnerable component is restricted to internal IP addresses. | 2025-07-08 | 2.4 | CVE-2025-49546 |
| GitLab--GitLab | An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by manipulating group invitation functionality. | 2025-07-10 | 2.7 | CVE-2025-4972 |
| GitLab--GitLab | An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API requests. | 2025-07-10 | 2.7 | CVE-2025-6168 |
| SourceCodester--Best Salon Management System | A vulnerability was found in SourceCodester Best Salon Management System 1.0. It has been rated as problematic. This issue affects some unknown processing of the file /panel/edit-customer-detailed.php of the component Update Customer Details Page. The manipulation of the argument Name leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 2.4 | CVE-2025-7139 |
| SourceCodester--Best Salon Management System | A vulnerability classified as problematic has been found in SourceCodester Best Salon Management System 1.0. Affected is an unknown function of the file /panel/edit-staff.php of the component Update Staff Page. The manipulation of the argument Staff Name leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 2.4 | CVE-2025-7140 |
| SourceCodester--Best Salon Management System | A vulnerability classified as problematic was found in SourceCodester Best Salon Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /panel/edit_plan.php of the component Update Staff Page. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 2.4 | CVE-2025-7141 |
| SourceCodester--Best Salon Management System | A vulnerability, which was classified as problematic, has been found in SourceCodester Best Salon Management System 1.0. Affected by this issue is some unknown functionality of the file /panel/search-appointment.php. The manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 2.4 | CVE-2025-7142 |
| SourceCodester--Best Salon Management System | A vulnerability, which was classified as problematic, was found in SourceCodester Best Salon Management System 1.0. This affects an unknown part of the file /panel/edit-tax.php of the component Update Tax Page. The manipulation of the argument Tax Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 2.4 | CVE-2025-7143 |
| SourceCodester--Best Salon Management System | A vulnerability has been found in SourceCodester Best Salon Management System 1.0 and classified as problematic. This vulnerability affects unknown code of the file /panel/admin-profile.php of the component Admin Profile Page. The manipulation of the argument Admin Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-07 | 2.4 | CVE-2025-7144 |
| FNKvision--FNK-GU2 | A vulnerability classified as problematic was found in FNKvision FNK-GU2 up to 40.1.7. Affected by this vulnerability is an unknown functionality of the file /etc/shadow of the component MD5. The manipulation leads to risky cryptographic algorithm. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | 2025-07-09 | 1.6 | CVE-2025-7214 |
| FNKvision--FNK-GU2 | A vulnerability, which was classified as problematic, has been found in FNKvision FNK-GU2 up to 40.1.7. Affected by this issue is some unknown functionality of the file /rom/wpa_supplicant.conf. The manipulation leads to cleartext storage of sensitive information. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | 2025-07-09 | 1.6 | CVE-2025-7215 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| EvaSys--EvaSys | evesys 7.1 (2152) through 8.0 (2202) allows Reflected XSS via the indexeva.php action parameter. | 2025-07-09 | not yet calculated | CVE-2021-27961 |
| Ivanti--Avalanche | A security vulnerability within Ivanti Avalanche Manager before version 6.4.1 may allow an unauthenticated attacker to create a buffer overflow that could result in service disruption or arbitrary code execution. | 2025-07-12 | not yet calculated | CVE-2023-38036 |
| TIM Group--eGroupWare | An issue was discovered in eGroupWare 17.1.20190111. A User Enumeration vulnerability exists under calendar/freebusy.php, which allows unauthenticated remote attackers to enumerate the users of web applications based on server response. | 2025-07-11 | not yet calculated | CVE-2023-38327 |
| TIM Group--eGroupWare | An issue was discovered in eGroupWare 17.1.20190111. A cross-site scripting Reflected (XSS) vulnerability exists in calendar/freebusy.php, which allows unauthenticated remote attackers to inject arbitrary web script or HTML into the "user" HTTP/GET parameter, which reflects its input without sanitization. | 2025-07-11 | not yet calculated | CVE-2023-38329 |
| Ivanti--Sentry | Enables an authenticated user (enrolled device) to access a service protected by Sentry even if they are not authorized according to the sentry policy to access that service. It does not enable the user to authenticate to or use the service, it just provides the tunnel access. | 2025-07-12 | not yet calculated | CVE-2023-39338 |
| Ivanti--Policy Secure | A vulnerability exists on all versions of Ivanti Policy Secure below 22.6R1 where an authenticated administrator can perform an arbitrary file read via a maliciously crafted web request. | 2025-07-12 | not yet calculated | CVE-2023-39339 |
| n/a--Dagster | Directory Traversal vulnerability in dagster-webserver Dagster thru 1.5.11 allows remote attackers to obtain sensitive information via crafted request to the /logs endpoint. This may be restricted to certain file names that start with a dot ('.'). | 2025-07-07 | not yet calculated | CVE-2023-51232 |
| n/a--LuaJIT | LuaJIT through 2.1 has a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c. | 2025-07-07 | not yet calculated | CVE-2024-25176 |
| n/a--LuaJIT | LuaJIT through 2.1 has an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service (DoS). | 2025-07-07 | not yet calculated | CVE-2024-25177 |
| n/a--LuaJIT | LuaJIT through 2.1 has an out-of-bounds read in the stack-overflow handler in lj_state.c | 2025-07-07 | not yet calculated | CVE-2024-25178 |
| Allworx--Allworx System Software | A cross-site scripting (XSS) vulnerability in the Admin Login page of Allworx System Software v9.1.9.12 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the SessionID parameter at query.asp. | 2025-07-10 | not yet calculated | CVE-2024-36697 |
| n/a--gnuboard5 | An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via the insufficient URL parameter verification in bbs/logout.php. | 2025-07-07 | not yet calculated | CVE-2024-37656 |
| n/a--gnuboard5 | An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via thebbs/login.php component. | 2025-07-07 | not yet calculated | CVE-2024-37657 |
| n/a--gnuboard5 | An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via the bbs/member_confirm.php. | 2025-07-07 | not yet calculated | CVE-2024-37658 |
| Ivanti--DSM | A hardcoded secret in Ivanti DSM before 2024.2 allows an authenticated attacker on an adjacent network to decrypt sensitive data including user credentials. | 2025-07-12 | not yet calculated | CVE-2024-38648 |
| Apache Software Foundation--Apache Zeppelin | The attacker can use the raft server protocol in an unauthenticated way. The attacker can see the server's resources, including directories and files. This issue affects Apache Zeppelin: from 0.10.1 up to 0.12.0. Users are recommended to upgrade to version 0.12.0, which fixes the issue by removing the Cluster Interpreter. | 2025-07-12 | not yet calculated | CVE-2024-41169 |
| Apache Software Foundation--Apache HTTP Server | HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server can split the HTTP response. This vulnerability was described as CVE-2023-38709 but the patch included in Apache HTTP Server 2.4.59 did not address the issue. Users are recommended to upgrade to version 2.4.64, which fixes this issue. | 2025-07-10 | not yet calculated | CVE-2024-42516 |
| Apache Software Foundation--Apache HTTP Server | SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request or response header with a value provided in the HTTP request. Users are recommended to upgrade to version 2.4.64 which fixes this issue. | 2025-07-10 | not yet calculated | CVE-2024-43204 |
| Apache Software Foundation--Apache HTTP Server | Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input. This issue affects Apache HTTP Server: from 2.4.0 through 2.4.63. Note: The Apache HTTP Server Project will be setting a higher bar for accepting vulnerability reports regarding SSRF via UNC paths. The server offers limited protection against administrators directing the server to open UNC paths. Windows servers should limit the hosts they will connect over via SMB based on the nature of NTLM authentication. | 2025-07-10 | not yet calculated | CVE-2024-43394 |
| meshtastic--firmware | Meshtastic is an open source mesh networking solution. Prior to 2.5.1, traceroute responses from the remote node are not rate limited. Given that there are SNR measurements attributed to each received transmission, this is a guaranteed way to get a remote station to reliably and continuously respond. You could easily get 100 samples in a short amount of time (estimated 2 minutes), whereas passively doing the same could take hours or days. There are secondary effects that non-ratelimited traceroute does also allow a 2:1 reflected DoS of the network as well, but these concerns are less than the problem with positional confidentiality (other DoS routes exist). This vulnerability is fixed in 2.5.1. | 2025-07-11 | not yet calculated | CVE-2024-47065 |
| Apache Software Foundation--Apache HTTP Server | Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. In a logging configuration where CustomLog is used with "%{varname}x" or "%{varname}c" to log variables provided by mod_ssl such as SSL_TLS_SNI, no escaping is performed by either mod_log_config or mod_ssl and unsanitized data provided by the client may appear in log files. | 2025-07-10 | not yet calculated | CVE-2024-47252 |
| OpenText--Directory Services | Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Directory Services allows Remote Code Inclusion. The vulnerability could allow access to the system via script injection.This issue affects Directory Services: 23.4. | 2025-07-10 | not yet calculated | CVE-2024-7650 |
| Palo Alto Networks--Autonomous Digital Experience Manager | An incorrect privilege assignment vulnerability in Palo Alto Networks Autonomous Digital Experience Manager allows a locally authenticated low privileged user on macOS endpoints to escalate their privileges to root. | 2025-07-09 | not yet calculated | CVE-2025-0139 |
| Palo Alto Networks--GlobalProtect App | An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS and Linux devices enables a locally authenticated non administrative user to disable the app even if the GlobalProtect app configuration would not normally permit them to do so. The GlobalProtect app on Windows, iOS, Android, Chrome OS and GlobalProtect UWP app are not affected. | 2025-07-09 | not yet calculated | CVE-2025-0140 |
| Palo Alto Networks--GlobalProtect App | An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on enables a locally authenticated non administrative user to escalate their privileges to root on macOS and Linux or NT AUTHORITY\SYSTEM on Windows. The GlobalProtect app on iOS, Android, Chrome OS and GlobalProtect UWP app are not affected. | 2025-07-09 | not yet calculated | CVE-2025-0141 |
| MediaTek, Inc.--MT7902, MT7920, MT7921, MT7922, MT7925, MT7927 | In Bluetooth driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418044; Issue ID: MSV-3482. | 2025-07-08 | not yet calculated | CVE-2025-20680 |
| MediaTek, Inc.--MT6890, MT7615, MT7622, MT7663, MT7915 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00416936; Issue ID: MSV-3446. | 2025-07-08 | not yet calculated | CVE-2025-20681 |
| MediaTek, Inc.--MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00416937; Issue ID: MSV-3445. | 2025-07-08 | not yet calculated | CVE-2025-20682 |
| MediaTek, Inc.--MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00416938; Issue ID: MSV-3444. | 2025-07-08 | not yet calculated | CVE-2025-20683 |
| MediaTek, Inc.--MT7615, MT7622, MT7663 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00416939; Issue ID: MSV-3422. | 2025-07-08 | not yet calculated | CVE-2025-20684 |
| MediaTek, Inc.--MT6890, MT7915, MT7916, MT7981, MT7986 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00416226; Issue ID: MSV-3409. | 2025-07-08 | not yet calculated | CVE-2025-20685 |
| MediaTek, Inc.--MT6890, MT7915, MT7916, MT7981, MT7986 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00415570; Issue ID: MSV-3404. | 2025-07-08 | not yet calculated | CVE-2025-20686 |
| MediaTek, Inc.--MT7902, MT7920, MT7921, MT7922, MT7925, MT7927 | In Bluetooth driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local denial of service with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418045; Issue ID: MSV-3481. | 2025-07-08 | not yet calculated | CVE-2025-20687 |
| MediaTek, Inc.--MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 | In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418047; Issue ID: MSV-3480. | 2025-07-08 | not yet calculated | CVE-2025-20688 |
| MediaTek, Inc.--MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 | In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418048; Issue ID: MSV-3479. | 2025-07-08 | not yet calculated | CVE-2025-20689 |
| MediaTek, Inc.--MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 | In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418038; Issue ID: MSV-3478. | 2025-07-08 | not yet calculated | CVE-2025-20690 |
| MediaTek, Inc.--MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 | In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418039; Issue ID: MSV-3477. | 2025-07-08 | not yet calculated | CVE-2025-20691 |
| MediaTek, Inc.--MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, MT7986 | In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00418040; Issue ID: MSV-3476. | 2025-07-08 | not yet calculated | CVE-2025-20692 |
| MediaTek, Inc.--MT2737, MT6835, MT6878, MT6886, MT6897, MT6899, MT6985, MT6989, MT6990, MT6991, MT7902, MT7920, MT7921, MT7922, MT7923, MT7925, MT7927, MT7932, MT8196, MT8678, MT8796, MT8893 | In wlan STA driver, there is a possible out of bounds read due to an incorrect bounds check. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09812521; Issue ID: MSV-3421. | 2025-07-08 | not yet calculated | CVE-2025-20693 |
| MediaTek, Inc.--MT2718, MT6639, MT6653, MT6985, MT6989, MT6990, MT6991, MT7925, MT7927, MT8113, MT8115, MT8127, MT8163, MT8168, MT8169, MT8173, MT8183, MT8186, MT8188, MT8195, MT8196, MT8370, MT8390, MT8391, MT8395, MT8512, MT8516, MT8519, MT8676, MT8678, MT8695, MT8696, MT8698, MT8786, MT8792, MT8796, MT8893 | In Bluetooth FW, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09752821; Issue ID: MSV-3342. | 2025-07-08 | not yet calculated | CVE-2025-20694 |
| MediaTek, Inc.--MT6639, MT6653, MT6985, MT6989, MT6990, MT6991, MT7925, MT7927, MT8196, MT8678, MT8796 | In Bluetooth FW, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09741871; Issue ID: MSV-3317. | 2025-07-08 | not yet calculated | CVE-2025-20695 |
| Apache Software Foundation--Apache HTTP Server | In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. Configurations are affected when mod_ssl is configured for multiple virtual hosts, with each restricted to a different set of trusted client certificates (for example with a different SSLCACertificateFile/Path setting). In such a case, a client trusted to access one virtual host may be able to access another virtual host, if SSLStrictSNIVHostCheck is not enabled in either virtual host. | 2025-07-10 | not yet calculated | CVE-2025-23048 |
| Ruby--resolv | The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the resolv library parses such a packet, the name decompression process consumes a large amount of CPU resources, as the library does not limit the resulting length of the name. This resource consumption can cause the application thread to become unresponsive, resulting in a Denial of Service condition. | 2025-07-12 | not yet calculated | CVE-2025-24294 |
| Samsung--Exynos 2400, Modem 5400 | An issue was discovered in L2 in Samsung Mobile Processor and Modem Exynos 2400 and Modem 5400. The lack of a length check leads to a Denial of Service via a malformed PDCP packet. | 2025-07-07 | not yet calculated | CVE-2025-26780 |
| Alteryx--Alteryx Server | An issue in Alteryx Server v.2023.1.1.460 allows HTML injection via a crafted script to the pages component. | 2025-07-10 | not yet calculated | CVE-2025-28243 |
| Alteryx--Alteryx Server | Insecure Permissions vulnerability in the Local Storage in Alteryx Server 2023.1.1.460 allows remote attackers to obtain valid user session tokens from localStorage, leading to account takeover | 2025-07-10 | not yet calculated | CVE-2025-28244 |
| Alteryx--Alteryx Server | Cross-site scripting (XSS) vulnerability in Alteryx Server 2023.1.1.460 allows remote attackers to inject arbitrary web script or HTML via the notification body. | 2025-07-10 | not yet calculated | CVE-2025-28245 |
| Abis, Inc.--Adjutant Core Accounting (ERP) | SQL Injection vulnerability in Abis, Inc Adjutant Core Accounting ERP build v.PreBeta250F allows a remote attacker to obtain a sensitive information via the cid parameter in the GET request. | 2025-07-08 | not yet calculated | CVE-2025-29267 |
| Unknown--Order Delivery Date | The Order Delivery Date WordPress plugin before 12.6.0 discloses arbitrary post title (such as from draft and private posts) via an unauthenticated AJAX action, allowing attackers to retrieve such information | 2025-07-11 | not yet calculated | CVE-2025-2942 |
| Axis Communications AB--AXIS Device Manager | The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege escalation. | 2025-07-11 | not yet calculated | CVE-2025-30025 |
| Axis Communications AB--AXIS Camera Station Pro | The AXIS Camera Station Server had a flaw that allowed to bypass authentication that is normally required. | 2025-07-11 | not yet calculated | CVE-2025-30026 |
| Meta Platforms, Inc--ExecuTorch | A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. This issue affects ExecuTorch prior to commit 93b1a0c15f7eda49b2bc46b5b4c49557b4e9810f | 2025-07-11 | not yet calculated | CVE-2025-30402 |
| Facebook--mvfst | A heap-buffer-overflow vulnerability is possible in mvfst via a specially crafted message during a QUIC session. This issue affects mvfst versions prior to v2025.07.07.00. | 2025-07-11 | not yet calculated | CVE-2025-30403 |
| run-llama--run-llama/llama_index | A vulnerability in the ArxivReader class of the run-llama/llama_index repository, versions up to v0.12.22.post1, allows for MD5 hash collisions when generating filenames for downloaded papers. This can lead to data loss as papers with identical titles but different contents may overwrite each other, preventing some papers from being processed for AI model training. The issue is resolved in version 0.12.28. | 2025-07-07 | not yet calculated | CVE-2025-3044 |
| run-llama--run-llama/llama_index | A vulnerability in the `ObsidianReader` class of the run-llama/llama_index repository, versions 0.12.23 to 0.12.28, allows for arbitrary file read through symbolic links. The `ObsidianReader` fails to resolve symlinks to their real paths and does not validate whether the resolved paths lie within the intended directory. This flaw enables attackers to place symlinks pointing to files outside the vault directory, which are then processed as valid Markdown files, potentially exposing sensitive information. | 2025-07-07 | not yet calculated | CVE-2025-3046 |
| Apple--App Store Connect | An authentication issue was addressed with improved state management. This issue is fixed in App Store Connect 3.0. An attacker with physical access to an unlocked device may be able to view sensitive user information. | 2025-07-10 | not yet calculated | CVE-2025-31267 |
| run-llama--run-llama/llama_index | An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. This vulnerability allows an attacker to supply a malicious Sitemap XML, leading to a Denial of Service (DoS) by exhausting system memory and potentially causing a system crash. The issue is resolved in version v0.12.29. | 2025-07-07 | not yet calculated | CVE-2025-3225 |
| huggingface--huggingface/transformers | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. The vulnerability is due to inefficient regular expression complexity in the `SETTING_RE` variable within the `transformers/commands/chat.py` file. The regex contains repetition groups and non-optimized quantifiers, leading to exponential backtracking when processing 'almost matching' payloads. This can degrade application performance and potentially result in a denial-of-service (DoS) when handling specially crafted input strings. The issue is fixed in version 4.51.0. | 2025-07-07 | not yet calculated | CVE-2025-3262 |
| huggingface--huggingface/transformers | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\.(.*)\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library. | 2025-07-07 | not yet calculated | CVE-2025-3263 |
| huggingface--huggingface/transformers | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects versions 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\s*try\s*:.*?except.*?:` used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption. | 2025-07-07 | not yet calculated | CVE-2025-3264 |
| Genetech Solutions--WordPress Pie Register Plugin | An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. Once authenticated, the attacker may exploit plugin upload functionality to install a malicious plugin containing arbitrary PHP code, resulting in remote code execution on the underlying server. | 2025-07-09 | not yet calculated | CVE-2025-34077 |
| AitThemes--AIT CSV Import/Export WordPress Plugin | An unrestricted file upload vulnerability exists in the WordPress AIT CSV Import/Export plugin ≤ 3.0.3. The plugin exposes an upload handler at upload-handler.php that allows arbitrary file upload via a multipart/form-data POST request. This endpoint does not enforce authentication or content-type validation, enabling attackers to upload malicious PHP code directly to the server. Although the upload may produce an error related to CSV parsing, the malicious file is still saved under wp-content/uploads/ and remains executable. Notably, the plugin does not need to be active for exploitation to succeed. | 2025-07-09 | not yet calculated | CVE-2025-34083 |
| BoldGrid--Total Upkeep (BoldGrid Backup) WordPress Plugin | An unauthenticated information disclosure vulnerability exists in the WordPress Total Upkeep plugin (also known as BoldGrid Backup) prior to version 1.14.10. The plugin exposes multiple endpoints that allow unauthenticated users to retrieve detailed server configuration (env-info.php) and discover backup metadata (restore-info.json). These backups, which may include full SQL database dumps, are accessible without authentication if their paths are known or guessed. The restore-info.json endpoint discloses the absolute filesystem path of the latest backup, which attackers can convert into a web-accessible URL under wp-content/uploads/ and download. Extracting the database archive may yield credential hashes from the wp_users table, facilitating offline password cracking or credential stuffing attacks. | 2025-07-09 | not yet calculated | CVE-2025-34084 |
| Element Engage LLC--Simple File List WordPress Plugin | An unrestricted file upload vulnerability in the WordPress Simple File List plugin prior to version 4.2.3 allows unauthenticated remote attackers to achieve remote code execution. The plugin's upload endpoint (ee-upload-engine.php) restricts file uploads based on extension, but lacks proper validation after file renaming. An attacker can first upload a PHP payload disguised as a .png file, then use the plugin's ee-file-engine.php rename functionality to change the extension to .php. This bypasses upload restrictions and results in the uploaded payload being executable on the server. | 2025-07-09 | not yet calculated | CVE-2025-34085 |
| Polycom--HDX Series | An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. The lan traceroute command in the devcmds console accepts unsanitized input, allowing attackers to execute arbitrary system commands. By injecting shell metacharacters through the traceroute interface, an attacker can achieve remote code execution under the context of the root user. This flaw affects systems where Telnet access is enabled and either unauthenticated access is allowed or credentials are known. | 2025-07-10 | not yet calculated | CVE-2025-34093 |
| Real Time Logic--Mako Server | An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. An unauthenticated attacker can send a crafted PUT request containing arbitrary Lua os.execute() code, which is then persisted on disk and triggered via a subsequent GET request to examples/manage.lsp. This allows remote command execution on the underlying operating system, impacting both Windows and Unix-based deployments. | 2025-07-10 | not yet calculated | CVE-2025-34095 |
| EFS Software Inc.--Easy File Sharing HTTP Server | A stack-based buffer overflow vulnerability exists in Easy File Sharing HTTP Server version 7.2. The flaw is triggered when a crafted POST request is sent to the /sendemail.ghp endpoint containing an overly long Email parameter. The application fails to properly validate the length of this field, resulting in a memory corruption condition. An unauthenticated remote attacker can exploit this to execute arbitrary code with the privileges of the server process. | 2025-07-10 | not yet calculated | CVE-2025-34096 |
| ProcessMaker Inc.--ProcessMaker | An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. An attacker with administrative privileges can upload a malicious .tar plugin file containing arbitrary PHP code. Upon installation, the plugin's install() method is invoked, resulting in execution of attacker-supplied PHP code on the server with the privileges of the web server user. This vulnerability can be chained with CVE-2022-38577 - a privilege escalation flaw in the user profile page - to achieve full remote code execution from a low-privileged account. | 2025-07-10 | not yet calculated | CVE-2025-34097 |
| Riverbed Technology--SteelHead VCX | A path traversal vulnerability exists in Riverbed SteelHead VCX appliances (confirmed in VCX255U 9.6.0a) due to improper input validation in the log filtering functionality exposed via the management web interface. An authenticated attacker can exploit this flaw by submitting crafted filter expressions to the log_filter endpoint using the filterStr parameter. This input is processed by a backend parser that permits execution of file expansion syntax, allowing the attacker to retrieve arbitrary system files via the log viewing interface. | 2025-07-10 | not yet calculated | CVE-2025-34098 |
| VICIdial Group--VICIdial | An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). The application improperly passes the HTTP Basic Authentication password directly to a call to exec() without adequate sanitation. This allows remote attackers to inject and execute arbitrary operating system commands as the web server user. | 2025-07-10 | not yet calculated | CVE-2025-34099 |
| BuilderEngine--CMS | An unrestricted file upload vulnerability exists in BuilderEngine 3.5.0 via the integration of the elFinder 2.0 file manager and its use of the jQuery File Upload plugin. The plugin fails to properly validate or restrict file types or locations during upload operations, allowing an attacker to upload a malicious .php file and subsequently execute arbitrary PHP code on the server under the context of the web server process. While the root vulnerability lies within the jQuery File Upload component, BuilderEngine's improper integration and lack of access controls expose this functionality to unauthenticated users, resulting in full remote code execution. | 2025-07-10 | not yet calculated | CVE-2025-34100 |
| Serviio--Media Server | An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). The checkStreamUrl method accepts a VIDEO parameter that is passed unsanitized to a call to cmd.exe, enabling arbitrary command execution under the privileges of the web server. No authentication is required to exploit this issue, as the REST API is exposed by default and lacks access controls. | 2025-07-10 | not yet calculated | CVE-2025-34101 |
| Crypttech--CryptoLog | A remote code execution vulnerability exists in CryptoLog (PHP version, discontinued since 2009) due to a chained exploitation of SQL injection and command injection vulnerabilities. An unauthenticated attacker can gain shell access as the web server user by first exploiting a SQL injection flaw in login.php to bypass authentication, followed by command injection in logshares_ajax.php to execute arbitrary operating system commands. The login bypass is achieved by submitting crafted SQL via the user POST parameter. Once authenticated, the attacker can abuse the lsid POST parameter in the logshares_ajax.php endpoint to inject and execute a command using $(...) syntax, resulting in code execution under the web context. This exploitation path does not exist in the ASP.NET version of CryptoLog released since 2009. | 2025-07-10 | not yet calculated | CVE-2025-34102 |
| langgenius--langgenius/dify | langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing execution of arbitrary code with full root permissions. The vulnerability arises from the ability to override global functions in JavaScript, such as parseInt, before sandbox security restrictions are imposed. This can lead to unauthorized access to secret keys, internal network servers, and lateral movement within dify.ai. The issue is resolved in version 1.1.3. | 2025-07-07 | not yet calculated | CVE-2025-3466 |
| langgenius--langgenius/dify | An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administrator views the conversation content through the monitoring/log function using Firefox, the XSS vulnerability is triggered, potentially exposing sensitive token information to the attacker. | 2025-07-07 | not yet calculated | CVE-2025-3467 |
| ServiceNow--Now Platform | A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. Under certain conditional access control list (ACL) configurations, this vulnerability could enable unauthenticated and authenticated users to use range query requests to infer instance data that is not intended to be accessible to them. To assist customers in enhancing access controls, ServiceNow has introduced additional access control frameworks in Xanadu and Yokohama, such as Query ACLs, Security Data Filters and Deny-Unless ACLs. Additionally, in May 2025, ServiceNow delivered to customers a security update that is designed to enhance customer ACL configurations. Customers, please review the KB Articles in the References section. | 2025-07-08 | not yet calculated | CVE-2025-3648 |
| huggingface--huggingface/transformers | Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1. | 2025-07-07 | not yet calculated | CVE-2025-3777 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: af_unix: Don't leave consecutive consumed OOB skbs. Jann Horn reported a use-after-free in unix_stream_read_generic(). The following sequences reproduce the issue: $ python3 from socket import * s1, s2 = socketpair(AF_UNIX, SOCK_STREAM) s1.send(b'x', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'y', MSG_OOB) s2.recv(1, MSG_OOB) # leave a consumed OOB skb s1.send(b'z', MSG_OOB) s2.recv(1) # recv 'z' illegally s2.recv(1, MSG_OOB) # access 'z' skb (use-after-free) Even though a user reads OOB data, the skb holding the data stays on the recv queue to mark the OOB boundary and break the next recv(). After the last send() in the scenario above, the sk2's recv queue has 2 leading consumed OOB skbs and 1 real OOB skb. Then, the following happens during the next recv() without MSG_OOB 1. unix_stream_read_generic() peeks the first consumed OOB skb 2. manage_oob() returns the next consumed OOB skb 3. unix_stream_read_generic() fetches the next not-yet-consumed OOB skb 4. unix_stream_read_generic() reads and frees the OOB skb , and the last recv(MSG_OOB) triggers KASAN splat. The 3. above occurs because of the SO_PEEK_OFF code, which does not expect unix_skb_len(skb) to be 0, but this is true for such consumed OOB skbs. while (skip >= unix_skb_len(skb)) { skip -= unix_skb_len(skb); skb = skb_peek_next(skb, &sk->sk_receive_queue); ... } In addition to this use-after-free, there is another issue that ioctl(SIOCATMARK) does not function properly with consecutive consumed OOB skbs. So, nothing good comes out of such a situation. Instead of complicating manage_oob(), ioctl() handling, and the next ECONNRESET fix by introducing a loop for consecutive consumed OOB skbs, let's not leave such consecutive OOB unnecessarily. Now, while receiving an OOB skb in unix_stream_recv_urg(), if its previous skb is a consumed OOB skb, it is freed. [0]: BUG: KASAN: slab-use-after-free in unix_stream_read_actor (net/unix/af_unix.c:3027) Read of size 4 at addr ffff888106ef2904 by task python3/315 CPU: 2 UID: 0 PID: 315 Comm: python3 Not tainted 6.16.0-rc1-00407-gec315832f6f9 #8 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-4.fc42 04/01/2014 Call Trace: <TASK> dump_stack_lvl (lib/dump_stack.c:122) print_report (mm/kasan/report.c:409 mm/kasan/report.c:521) kasan_report (mm/kasan/report.c:636) unix_stream_read_actor (net/unix/af_unix.c:3027) unix_stream_read_generic (net/unix/af_unix.c:2708 net/unix/af_unix.c:2847) unix_stream_recvmsg (net/unix/af_unix.c:3048) sock_recvmsg (net/socket.c:1063 (discriminator 20) net/socket.c:1085 (discriminator 20)) __sys_recvfrom (net/socket.c:2278) __x64_sys_recvfrom (net/socket.c:2291 (discriminator 1) net/socket.c:2287 (discriminator 1) net/socket.c:2287 (discriminator 1)) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f8911fcea06 Code: 5d e8 41 8b 93 08 03 00 00 59 5e 48 83 f8 fc 75 19 83 e2 39 83 fa 08 75 11 e8 26 ff ff ff 66 0f 1f 44 00 00 48 8b 45 10 0f 05 <48> 8b 5d f8 c9 c3 0f 1f 40 00 f3 0f 1e fa 55 48 89 e5 48 83 ec 08 RSP: 002b:00007fffdb0dccb0 EFLAGS: 00000202 ORIG_RAX: 000000000000002d RAX: ffffffffffffffda RBX: 00007fffdb0dcdc8 RCX: 00007f8911fcea06 RDX: 0000000000000001 RSI: 00007f8911a5e060 RDI: 0000000000000006 RBP: 00007fffdb0dccd0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000202 R12: 00007f89119a7d20 R13: ffffffffc4653600 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 315: kasan_save_stack (mm/kasan/common.c:48) kasan_save_track (mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1)) __kasan_slab_alloc (mm/kasan/common.c:348) kmem_cache_alloc_ ---truncated--- | 2025-07-08 | not yet calculated | CVE-2025-38236 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() In fimc_is_hw_change_mode(), the function changes camera modes without waiting for hardware completion, risking corrupted data or system hangs if subsequent operations proceed before the hardware is ready. Add fimc_is_hw_wait_intmsr0_intmsd0() after mode configuration, ensuring hardware state synchronization and stable interrupt handling. | 2025-07-08 | not yet calculated | CVE-2025-38237 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out When both the RHBA and RPA FDMI requests time out, fnic reuses a frame to send ABTS for each of them. On send completion, this causes an attempt to free the same frame twice that leads to a crash. Fix crash by allocating separate frames for RHBA and RPA, and modify ABTS logic accordingly. Tested by checking MDS for FDMI information. Tested by using instrumented driver to: - Drop PLOGI response - Drop RHBA response - Drop RPA response - Drop RHBA and RPA response - Drop PLOGI response + ABTS response - Drop RHBA response + ABTS response - Drop RPA response + ABTS response - Drop RHBA and RPA response + ABTS response for both of them | 2025-07-09 | not yet calculated | CVE-2025-38238 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: megaraid_sas: Fix invalid node index On a system with DRAM interleave enabled, out-of-bound access is detected: megaraid_sas 0000:3f:00.0: requested/available msix 128/128 poll_queue 0 ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in ./arch/x86/include/asm/topology.h:72:28 index -1 is out of range for type 'cpumask *[1024]' dump_stack_lvl+0x5d/0x80 ubsan_epilogue+0x5/0x2b __ubsan_handle_out_of_bounds.cold+0x46/0x4b megasas_alloc_irq_vectors+0x149/0x190 [megaraid_sas] megasas_probe_one.cold+0xa4d/0x189c [megaraid_sas] local_pci_probe+0x42/0x90 pci_device_probe+0xdc/0x290 really_probe+0xdb/0x340 __driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8b/0xe0 bus_add_driver+0x142/0x220 driver_register+0x72/0xd0 megasas_init+0xdf/0xff0 [megaraid_sas] do_one_initcall+0x57/0x310 do_init_module+0x90/0x250 init_module_from_file+0x85/0xc0 idempotent_init_module+0x114/0x310 __x64_sys_finit_module+0x65/0xc0 do_syscall_64+0x82/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fix it accordingly. | 2025-07-09 | not yet calculated | CVE-2025-38239 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/shmem, swap: fix softlockup with mTHP swapin Following softlockup can be easily reproduced on my test machine with: echo always > /sys/kernel/mm/transparent_hugepage/hugepages-64kB/enabled swapon /dev/zram0 # zram0 is a 48G swap device mkdir -p /sys/fs/cgroup/memory/test echo 1G > /sys/fs/cgroup/test/memory.max echo $BASHPID > /sys/fs/cgroup/test/cgroup.procs while true; do dd if=/dev/zero of=/tmp/test.img bs=1M count=5120 cat /tmp/test.img > /dev/null rm /tmp/test.img done Then after a while: watchdog: BUG: soft lockup - CPU#0 stuck for 763s! [cat:5787] Modules linked in: zram virtiofs CPU: 0 UID: 0 PID: 5787 Comm: cat Kdump: loaded Tainted: G L 6.15.0.orig-gf3021d9246bc-dirty #118 PREEMPT(voluntary)· Tainted: [L]=SOFTLOCKUP Hardware name: Red Hat KVM/RHEL-AV, BIOS 0.0.0 02/06/2015 RIP: 0010:mpol_shared_policy_lookup+0xd/0x70 Code: e9 b8 b4 ff ff 31 c0 c3 cc cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 66 0f 1f 00 0f 1f 44 00 00 41 54 55 53 <48> 8b 1f 48 85 db 74 41 4c 8d 67 08 48 89 fb 48 89 f5 4c 89 e7 e8 RSP: 0018:ffffc90002b1fc28 EFLAGS: 00000202 RAX: 00000000001c20ca RBX: 0000000000724e1e RCX: 0000000000000001 RDX: ffff888118e214c8 RSI: 0000000000057d42 RDI: ffff888118e21518 RBP: 000000000002bec8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000bf4 R11: 0000000000000000 R12: 0000000000000001 R13: 00000000001c20ca R14: 00000000001c20ca R15: 0000000000000000 FS: 00007f03f995c740(0000) GS:ffff88a07ad9a000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f03f98f1000 CR3: 0000000144626004 CR4: 0000000000770eb0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> shmem_alloc_folio+0x31/0xc0 shmem_swapin_folio+0x309/0xcf0 ? filemap_get_entry+0x117/0x1e0 ? xas_load+0xd/0xb0 ? filemap_get_entry+0x101/0x1e0 shmem_get_folio_gfp+0x2ed/0x5b0 shmem_file_read_iter+0x7f/0x2e0 vfs_read+0x252/0x330 ksys_read+0x68/0xf0 do_syscall_64+0x4c/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f03f9a46991 Code: 00 48 8b 15 81 14 10 00 f7 d8 64 89 02 b8 ff ff ff ff eb bd e8 20 ad 01 00 f3 0f 1e fa 80 3d 35 97 10 00 00 74 13 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 4f c3 66 0f 1f 44 00 00 55 48 89 e5 48 83 ec RSP: 002b:00007fff3c52bd28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000040000 RCX: 00007f03f9a46991 RDX: 0000000000040000 RSI: 00007f03f98ba000 RDI: 0000000000000003 RBP: 00007fff3c52bd50 R08: 0000000000000000 R09: 00007f03f9b9a380 R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000 R13: 00007f03f98ba000 R14: 0000000000000003 R15: 0000000000000000 </TASK> The reason is simple, readahead brought some order 0 folio in swap cache, and the swapin mTHP folio being allocated is in conflict with it, so swapcache_prepare fails and causes shmem_swap_alloc_folio to return -EEXIST, and shmem simply retries again and again causing this loop. Fix it by applying a similar fix for anon mTHP swapin. The performance change is very slight, time of swapin 10g zero folios with shmem (test for 12 times): Before: 2.47s After: 2.48s [kasong@tencent.com: add comment] | 2025-07-09 | not yet calculated | CVE-2025-38241 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: userfaultfd: fix race of userfaultfd_move and swap cache This commit fixes two kinds of races, they may have different results: Barry reported a BUG_ON in commit c50f8e6053b0, we may see the same BUG_ON if the filemap lookup returned NULL and folio is added to swap cache after that. If another kind of race is triggered (folio changed after lookup) we may see RSS counter is corrupted: [ 406.893936] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0 type:MM_ANONPAGES val:-1 [ 406.894071] BUG: Bad rss-counter state mm:ffff0000c5a9ddc0 type:MM_SHMEMPAGES val:1 Because the folio is being accounted to the wrong VMA. I'm not sure if there will be any data corruption though, seems no. The issues above are critical already. On seeing a swap entry PTE, userfaultfd_move does a lockless swap cache lookup, and tries to move the found folio to the faulting vma. Currently, it relies on checking the PTE value to ensure that the moved folio still belongs to the src swap entry and that no new folio has been added to the swap cache, which turns out to be unreliable. While working and reviewing the swap table series with Barry, following existing races are observed and reproduced [1]: In the example below, move_pages_pte is moving src_pte to dst_pte, where src_pte is a swap entry PTE holding swap entry S1, and S1 is not in the swap cache: CPU1 CPU2 userfaultfd_move move_pages_pte() entry = pte_to_swp_entry(orig_src_pte); // Here it got entry = S1 ... < interrupted> ... <swapin src_pte, alloc and use folio A> // folio A is a new allocated folio // and get installed into src_pte <frees swap entry S1> // src_pte now points to folio A, S1 // has swap count == 0, it can be freed // by folio_swap_swap or swap // allocator's reclaim. <try to swap out another folio B> // folio B is a folio in another VMA. <put folio B to swap cache using S1 > // S1 is freed, folio B can use it // for swap out with no problem. ... folio = filemap_get_folio(S1) // Got folio B here !!! ... < interrupted again> ... <swapin folio B and free S1> // Now S1 is free to be used again. <swapout src_pte & folio A using S1> // Now src_pte is a swap entry PTE // holding S1 again. folio_trylock(folio) move_swap_pte double_pt_lock is_pte_pages_stable // Check passed because src_pte == S1 folio_move_anon_rmap(...) // Moved invalid folio B here !!! The race window is very short and requires multiple collisions of multiple rare events, so it's very unlikely to happen, but with a deliberately constructed reproducer and increased time window, it can be reproduced easily. This can be fixed by checking if the folio returned by filemap is the valid swap cache folio after acquiring the folio lock. Another similar race is possible: filemap_get_folio may return NULL, but folio (A) could be swapped in and then swapped out again using the same swap entry after the lookup. In such a case, folio (A) may remain in the swap cache, so it must be moved too: CPU1 CPU2 userfaultfd_move move_pages_pte() entry = pte_to_swp_entry(orig_src_pte); // Here it got entry = S1, and S1 is not in swap cache folio = filemap_get ---truncated--- | 2025-07-09 | not yet calculated | CVE-2025-38242 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix invalid inode pointer dereferences during log replay In a few places where we call read_one_inode(), if we get a NULL pointer we end up jumping into an error path, or fallthrough in case of __add_inode_ref(), where we then do something like this: iput(&inode->vfs_inode); which results in an invalid inode pointer that triggers an invalid memory access, resulting in a crash. Fix this by making sure we don't do such dereferences. | 2025-07-09 | not yet calculated | CVE-2025-38243 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential deadlock when reconnecting channels Fix cifs_signal_cifsd_for_reconnect() to take the correct lock order and prevent the following deadlock from happening ====================================================== WARNING: possible circular locking dependency detected 6.16.0-rc3-build2+ #1301 Tainted: G S W ------------------------------------------------------ cifsd/6055 is trying to acquire lock: ffff88810ad56038 (&tcp_ses->srv_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x134/0x200 but task is already holding lock: ffff888119c64330 (&ret_buf->chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&ret_buf->chan_lock){+.+.}-{3:3}: validate_chain+0x1cf/0x270 __lock_acquire+0x60e/0x780 lock_acquire.part.0+0xb4/0x1f0 _raw_spin_lock+0x2f/0x40 cifs_setup_session+0x81/0x4b0 cifs_get_smb_ses+0x771/0x900 cifs_mount_get_session+0x7e/0x170 cifs_mount+0x92/0x2d0 cifs_smb3_do_mount+0x161/0x460 smb3_get_tree+0x55/0x90 vfs_get_tree+0x46/0x180 do_new_mount+0x1b0/0x2e0 path_mount+0x6ee/0x740 do_mount+0x98/0xe0 __do_sys_mount+0x148/0x180 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #1 (&ret_buf->ses_lock){+.+.}-{3:3}: validate_chain+0x1cf/0x270 __lock_acquire+0x60e/0x780 lock_acquire.part.0+0xb4/0x1f0 _raw_spin_lock+0x2f/0x40 cifs_match_super+0x101/0x320 sget+0xab/0x270 cifs_smb3_do_mount+0x1e0/0x460 smb3_get_tree+0x55/0x90 vfs_get_tree+0x46/0x180 do_new_mount+0x1b0/0x2e0 path_mount+0x6ee/0x740 do_mount+0x98/0xe0 __do_sys_mount+0x148/0x180 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x76/0x7e -> #0 (&tcp_ses->srv_lock){+.+.}-{3:3}: check_noncircular+0x95/0xc0 check_prev_add+0x115/0x2f0 validate_chain+0x1cf/0x270 __lock_acquire+0x60e/0x780 lock_acquire.part.0+0xb4/0x1f0 _raw_spin_lock+0x2f/0x40 cifs_signal_cifsd_for_reconnect+0x134/0x200 __cifs_reconnect+0x8f/0x500 cifs_handle_standard+0x112/0x280 cifs_demultiplex_thread+0x64d/0xbc0 kthread+0x2f7/0x310 ret_from_fork+0x2a/0x230 ret_from_fork_asm+0x1a/0x30 other info that might help us debug this: Chain exists of: &tcp_ses->srv_lock --> &ret_buf->ses_lock --> &ret_buf->chan_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&ret_buf->chan_lock); lock(&ret_buf->ses_lock); lock(&ret_buf->chan_lock); lock(&tcp_ses->srv_lock); *** DEADLOCK *** 3 locks held by cifsd/6055: #0: ffffffff857de398 (&cifs_tcp_ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x7b/0x200 #1: ffff888119c64060 (&ret_buf->ses_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0x9c/0x200 #2: ffff888119c64330 (&ret_buf->chan_lock){+.+.}-{3:3}, at: cifs_signal_cifsd_for_reconnect+0xcf/0x200 | 2025-07-09 | not yet calculated | CVE-2025-38244 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). syzbot reported a warning below during atm_dev_register(). [0] Before creating a new device and procfs/sysfs for it, atm_dev_register() looks up a duplicated device by __atm_dev_lookup(). These operations are done under atm_dev_mutex. However, when removing a device in atm_dev_deregister(), it releases the mutex just after removing the device from the list that __atm_dev_lookup() iterates over. So, there will be a small race window where the device does not exist on the device list but procfs/sysfs are still not removed, triggering the splat. Let's hold the mutex until procfs/sysfs are removed in atm_dev_deregister(). [0]: proc_dir_entry 'atm/atmtcp:0' already registered WARNING: CPU: 0 PID: 5919 at fs/proc/generic.c:377 proc_register+0x455/0x5f0 fs/proc/generic.c:377 Modules linked in: CPU: 0 UID: 0 PID: 5919 Comm: syz-executor284 Not tainted 6.16.0-rc2-syzkaller-00047-g52da431bf03b #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 RIP: 0010:proc_register+0x455/0x5f0 fs/proc/generic.c:377 Code: 48 89 f9 48 c1 e9 03 80 3c 01 00 0f 85 a2 01 00 00 48 8b 44 24 10 48 c7 c7 20 c0 c2 8b 48 8b b0 d8 00 00 00 e8 0c 02 1c ff 90 <0f> 0b 90 90 48 c7 c7 80 f2 82 8e e8 0b de 23 09 48 8b 4c 24 28 48 RSP: 0018:ffffc9000466fa30 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff817ae248 RDX: ffff888026280000 RSI: ffffffff817ae255 RDI: 0000000000000001 RBP: ffff8880232bed48 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffff888076ed2140 R13: dffffc0000000000 R14: ffff888078a61340 R15: ffffed100edda444 FS: 00007f38b3b0c6c0(0000) GS:ffff888124753000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f38b3bdf953 CR3: 0000000076d58000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> proc_create_data+0xbe/0x110 fs/proc/generic.c:585 atm_proc_dev_register+0x112/0x1e0 net/atm/proc.c:361 atm_dev_register+0x46d/0x890 net/atm/resources.c:113 atmtcp_create+0x77/0x210 drivers/atm/atmtcp.c:369 atmtcp_attach drivers/atm/atmtcp.c:403 [inline] atmtcp_ioctl+0x2f9/0xd60 drivers/atm/atmtcp.c:464 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x115/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18b/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f38b3b74459 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f38b3b0c198 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f38b3bfe318 RCX: 00007f38b3b74459 RDX: 0000000000000000 RSI: 0000000000006180 RDI: 0000000000000005 RBP: 00007f38b3bfe310 R08: 65732f636f72702f R09: 65732f636f72702f R10: 65732f636f72702f R11: 0000000000000246 R12: 00007f38b3bcb0ac R13: 00007f38b3b0c1a0 R14: 0000200000000200 R15: 00007f38b3bcb03b </TASK> | 2025-07-09 | not yet calculated | CVE-2025-38245 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt: properly flush XDP redirect lists We encountered following crash when testing a XDP_REDIRECT feature in production: [56251.579676] list_add corruption. next->prev should be prev (ffff93120dd40f30), but was ffffb301ef3a6740. (next=ffff93120dd 40f30). [56251.601413] ------------[ cut here ]------------ [56251.611357] kernel BUG at lib/list_debug.c:29! [56251.621082] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [56251.632073] CPU: 111 UID: 0 PID: 0 Comm: swapper/111 Kdump: loaded Tainted: P O 6.12.33-cloudflare-2025.6. 3 #1 [56251.653155] Tainted: [P]=PROPRIETARY_MODULE, [O]=OOT_MODULE [56251.663877] Hardware name: MiTAC GC68B-B8032-G11P6-GPU/S8032GM-HE-CFR, BIOS V7.020.B10-sig 01/22/2025 [56251.682626] RIP: 0010:__list_add_valid_or_report+0x4b/0xa0 [56251.693203] Code: 0e 48 c7 c7 68 e7 d9 97 e8 42 16 fe ff 0f 0b 48 8b 52 08 48 39 c2 74 14 48 89 f1 48 c7 c7 90 e7 d9 97 48 89 c6 e8 25 16 fe ff <0f> 0b 4c 8b 02 49 39 f0 74 14 48 89 d1 48 c7 c7 e8 e7 d9 97 4c 89 [56251.725811] RSP: 0018:ffff93120dd40b80 EFLAGS: 00010246 [56251.736094] RAX: 0000000000000075 RBX: ffffb301e6bba9d8 RCX: 0000000000000000 [56251.748260] RDX: 0000000000000000 RSI: ffff9149afda0b80 RDI: ffff9149afda0b80 [56251.760349] RBP: ffff9131e49c8000 R08: 0000000000000000 R09: ffff93120dd40a18 [56251.772382] R10: ffff9159cf2ce1a8 R11: 0000000000000003 R12: ffff911a80850000 [56251.784364] R13: ffff93120fbc7000 R14: 0000000000000010 R15: ffff9139e7510e40 [56251.796278] FS: 0000000000000000(0000) GS:ffff9149afd80000(0000) knlGS:0000000000000000 [56251.809133] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [56251.819561] CR2: 00007f5e85e6f300 CR3: 00000038b85e2006 CR4: 0000000000770ef0 [56251.831365] PKRU: 55555554 [56251.838653] Call Trace: [56251.845560] <IRQ> [56251.851943] cpu_map_enqueue.cold+0x5/0xa [56251.860243] xdp_do_redirect+0x2d9/0x480 [56251.868388] bnxt_rx_xdp+0x1d8/0x4c0 [bnxt_en] [56251.877028] bnxt_rx_pkt+0x5f7/0x19b0 [bnxt_en] [56251.885665] ? cpu_max_write+0x1e/0x100 [56251.893510] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.902276] __bnxt_poll_work+0x190/0x340 [bnxt_en] [56251.911058] bnxt_poll+0xab/0x1b0 [bnxt_en] [56251.919041] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.927568] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.935958] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.944250] __napi_poll+0x2b/0x160 [56251.951155] bpf_trampoline_6442548651+0x79/0x123 [56251.959262] __napi_poll+0x5/0x160 [56251.966037] net_rx_action+0x3d2/0x880 [56251.973133] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.981265] ? srso_alias_return_thunk+0x5/0xfbef5 [56251.989262] ? __hrtimer_run_queues+0x162/0x2a0 [56251.996967] ? srso_alias_return_thunk+0x5/0xfbef5 [56252.004875] ? srso_alias_return_thunk+0x5/0xfbef5 [56252.012673] ? bnxt_msix+0x62/0x70 [bnxt_en] [56252.019903] handle_softirqs+0xcf/0x270 [56252.026650] irq_exit_rcu+0x67/0x90 [56252.032933] common_interrupt+0x85/0xa0 [56252.039498] </IRQ> [56252.044246] <TASK> [56252.048935] asm_common_interrupt+0x26/0x40 [56252.055727] RIP: 0010:cpuidle_enter_state+0xb8/0x420 [56252.063305] Code: dc 01 00 00 e8 f9 79 3b ff e8 64 f7 ff ff 49 89 c5 0f 1f 44 00 00 31 ff e8 a5 32 3a ff 45 84 ff 0f 85 ae 01 00 00 fb 45 85 f6 <0f> 88 88 01 00 00 48 8b 04 24 49 63 ce 4c 89 ea 48 6b f1 68 48 29 [56252.088911] RSP: 0018:ffff93120c97fe98 EFLAGS: 00000202 [56252.096912] RAX: ffff9149afd80000 RBX: ffff9141d3a72800 RCX: 0000000000000000 [56252.106844] RDX: 00003329176c6b98 RSI: ffffffe36db3fdc7 RDI: 0000000000000000 [56252.116733] RBP: 0000000000000002 R08: 0000000000000002 R09: 000000000000004e [56252.126652] R10: ffff9149afdb30c4 R11: 071c71c71c71c71c R12: ffffffff985ff860 [56252.136637] R13: 00003329176c6b98 R14: 0000000000000002 R15: 0000000000000000 [56252.146667] ? cpuidle_enter_state+0xab/0x420 [56252.153909] cpuidle_enter+0x2d/0x40 [56252.160360] do_idle+0x176/0x1c0 [56252.166456 ---truncated--- | 2025-07-09 | not yet calculated | CVE-2025-38246 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: userns and mnt_idmap leak in open_tree_attr(2) Once want_mount_setattr() has returned a positive, it does require finish_mount_kattr() to release ->mnt_userns. Failing do_mount_setattr() does not change that. As the result, we can end up leaking userns and possibly mnt_idmap as well. | 2025-07-09 | not yet calculated | CVE-2025-38247 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bridge: mcast: Fix use-after-free during router port configuration The bridge maintains a global list of ports behind which a multicast router resides. The list is consulted during forwarding to ensure multicast packets are forwarded to these ports even if the ports are not member in the matching MDB entry. When per-VLAN multicast snooping is enabled, the per-port multicast context is disabled on each port and the port is removed from the global router port list: # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 # ip link add name dummy1 up master br1 type dummy # ip link set dev dummy1 type bridge_slave mcast_router 2 $ bridge -d mdb show | grep router router ports on br1: dummy1 # ip link set dev br1 type bridge mcast_vlan_snooping 1 $ bridge -d mdb show | grep router However, the port can be re-added to the global list even when per-VLAN multicast snooping is enabled: # ip link set dev dummy1 type bridge_slave mcast_router 0 # ip link set dev dummy1 type bridge_slave mcast_router 2 $ bridge -d mdb show | grep router router ports on br1: dummy1 Since commit 4b30ae9adb04 ("net: bridge: mcast: re-implement br_multicast_{enable, disable}_port functions"), when per-VLAN multicast snooping is enabled, multicast disablement on a port will disable the per-{port, VLAN} multicast contexts and not the per-port one. As a result, a port will remain in the global router port list even after it is deleted. This will lead to a use-after-free [1] when the list is traversed (when adding a new port to the list, for example): # ip link del dev dummy1 # ip link add name dummy2 up master br1 type dummy # ip link set dev dummy2 type bridge_slave mcast_router 2 Similarly, stale entries can also be found in the per-VLAN router port list. When per-VLAN multicast snooping is disabled, the per-{port, VLAN} contexts are disabled on each port and the port is removed from the per-VLAN router port list: # ip link add name br1 up type bridge vlan_filtering 1 mcast_snooping 1 mcast_vlan_snooping 1 # ip link add name dummy1 up master br1 type dummy # bridge vlan add vid 2 dev dummy1 # bridge vlan global set vid 2 dev br1 mcast_snooping 1 # bridge vlan set vid 2 dev dummy1 mcast_router 2 $ bridge vlan global show dev br1 vid 2 | grep router router ports: dummy1 # ip link set dev br1 type bridge mcast_vlan_snooping 0 $ bridge vlan global show dev br1 vid 2 | grep router However, the port can be re-added to the per-VLAN list even when per-VLAN multicast snooping is disabled: # bridge vlan set vid 2 dev dummy1 mcast_router 0 # bridge vlan set vid 2 dev dummy1 mcast_router 2 $ bridge vlan global show dev br1 vid 2 | grep router router ports: dummy1 When the VLAN is deleted from the port, the per-{port, VLAN} multicast context will not be disabled since multicast snooping is not enabled on the VLAN. As a result, the port will remain in the per-VLAN router port list even after it is no longer member in the VLAN. This will lead to a use-after-free [2] when the list is traversed (when adding a new port to the list, for example): # ip link add name dummy2 up master br1 type dummy # bridge vlan add vid 2 dev dummy2 # bridge vlan del vid 2 dev dummy1 # bridge vlan set vid 2 dev dummy2 mcast_router 2 Fix these issues by removing the port from the relevant (global or per-VLAN) router port list in br_multicast_port_ctx_deinit(). The function is invoked during port deletion with the per-port multicast context and during VLAN deletion with the per-{port, VLAN} multicast context. Note that deleting the multicast router timer is not enough as it only takes care of the temporary multicast router states (1 or 3) and not the permanent one (2). [1] BUG: KASAN: slab-out-of-bounds in br_multicast_add_router.part.0+0x3f1/0x560 Write of size 8 at addr ffff888004a67328 by task ip/384 [...] Call Trace: <TASK> dump_stack ---truncated--- | 2025-07-09 | not yet calculated | CVE-2025-38248 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used directly for memory allocation without validation. This length is controlled by the USB device. The allocated buffer is cast to a uac3_cluster_header_descriptor and its fields are accessed without verifying that the buffer is large enough. If the device returns a smaller than expected length, this leads to an out-of-bounds read. Add a length check to ensure the buffer is large enough for uac3_cluster_header_descriptor. | 2025-07-09 | not yet calculated | CVE-2025-38249 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix use-after-free in vhci_flush() syzbot reported use-after-free in vhci_flush() without repro. [0] From the splat, a thread close()d a vhci file descriptor while its device was being used by iotcl() on another thread. Once the last fd refcnt is released, vhci_release() calls hci_unregister_dev(), hci_free_dev(), and kfree() for struct vhci_data, which is set to hci_dev->dev->driver_data. The problem is that there is no synchronisation after unlinking hdev from hci_dev_list in hci_unregister_dev(). There might be another thread still accessing the hdev which was fetched before the unlink operation. We can use SRCU for such synchronisation. Let's run hci_dev_reset() under SRCU and wait for its completion in hci_unregister_dev(). Another option would be to restore hci_dev->destruct(), which was removed in commit 587ae086f6e4 ("Bluetooth: Remove unused hci-destruct cb"). However, this would not be a good solution, as we should not run hci_unregister_dev() while there are in-flight ioctl() requests, which could lead to another data-race KCSAN splat. Note that other drivers seem to have the same problem, for exmaple, virtbt_remove(). [0]: BUG: KASAN: slab-use-after-free in skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline] BUG: KASAN: slab-use-after-free in skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 Read of size 8 at addr ffff88807cb8d858 by task syz.1.219/6718 CPU: 1 UID: 0 PID: 6718 Comm: syz.1.219 Not tainted 6.16.0-rc1-syzkaller-00196-g08207f42d3ff #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 skb_queue_empty_lockless include/linux/skbuff.h:1891 [inline] skb_queue_purge_reason+0x99/0x360 net/core/skbuff.c:3937 skb_queue_purge include/linux/skbuff.h:3368 [inline] vhci_flush+0x44/0x50 drivers/bluetooth/hci_vhci.c:69 hci_dev_do_reset net/bluetooth/hci_core.c:552 [inline] hci_dev_reset+0x420/0x5c0 net/bluetooth/hci_core.c:592 sock_do_ioctl+0xd9/0x300 net/socket.c:1190 sock_ioctl+0x576/0x790 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fcf5b98e929 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fcf5c7b9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fcf5bbb6160 RCX: 00007fcf5b98e929 RDX: 0000000000000000 RSI: 00000000400448cb RDI: 0000000000000009 RBP: 00007fcf5ba10b39 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007fcf5bbb6160 R15: 00007ffd6353d528 </TASK> Allocated by task 6535: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4359 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] vhci_open+0x57/0x360 drivers/bluetooth/hci_vhci.c:635 misc_open+0x2bc/0x330 drivers/char/misc.c:161 chrdev_open+0x4c9/0x5e0 fs/char_dev.c:414 do_dentry_open+0xdf0/0x1970 fs/open.c:964 vfs_open+0x3b/0x340 fs/open.c:1094 do_open fs/namei.c:3887 [inline] path_openat+0x2ee5/0x3830 fs/name ---truncated--- | 2025-07-09 | not yet calculated | CVE-2025-38250 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. If clip_devs is NULL, clip_push() then crashes when reading skb->truesize. | 2025-07-09 | not yet calculated | CVE-2025-38251 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: cxl/ras: Fix CPER handler device confusion By inspection, cxl_cper_handle_prot_err() is making a series of fragile assumptions that can lead to crashes: 1/ It assumes that endpoints identified in the record are a CXL-type-3 device, nothing guarantees that. 2/ It assumes that the device is bound to the cxl_pci driver, nothing guarantees that. 3/ Minor, it holds the device lock over the switch-port tracing for no reason as the trace is 100% generated from data in the record. Correct those by checking that the PCIe endpoint parents a cxl_memdev before assuming the format of the driver data, and move the lock to where it is required. Consequently this also makes the implementation ready for CXL accelerators that are not bound to cxl_pci. | 2025-07-09 | not yet calculated | CVE-2025-38252 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix crash in wacom_aes_battery_handler() Commit fd2a9b29dc9c ("HID: wacom: Remove AES power_supply after extended inactivity") introduced wacom_aes_battery_handler() which is scheduled as a delayed work (aes_battery_work). In wacom_remove(), aes_battery_work is not canceled. Consequently, if the device is removed while aes_battery_work is still pending, then hard crashes or "Oops: general protection fault..." are experienced when wacom_aes_battery_handler() is finally called. E.g., this happens with built-in USB devices after resume from hibernate when aes_battery_work was still pending at the time of hibernation. So, take care to cancel aes_battery_work in wacom_remove(). | 2025-07-09 | not yet calculated | CVE-2025-38253 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add sanity checks for drm_edid_raw() When EDID is retrieved via drm_edid_raw(), it doesn't guarantee to return proper EDID bytes the caller wants: it may be either NULL (that leads to an Oops) or with too long bytes over the fixed size raw_edid array (that may lead to memory corruption). The latter was reported actually when connected with a bad adapter. Add sanity checks for drm_edid_raw() to address the above corner cases, and return EDID_BAD_INPUT accordingly. (cherry picked from commit 648d3f4d209725d51900d6a3ed46b7b600140cdf) | 2025-07-09 | not yet calculated | CVE-2025-38254 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() While testing null_blk with configfs, echo 0 > poll_queues will trigger following panic: BUG: kernel NULL pointer dereference, address: 0000000000000010 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 27 UID: 0 PID: 920 Comm: bash Not tainted 6.15.0-02023-gadbdb95c8696-dirty #1238 PREEMPT(undef) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 RIP: 0010:__bitmap_or+0x48/0x70 Call Trace: <TASK> __group_cpus_evenly+0x822/0x8c0 group_cpus_evenly+0x2d9/0x490 blk_mq_map_queues+0x1e/0x110 null_map_queues+0xc9/0x170 [null_blk] blk_mq_update_queue_map+0xdb/0x160 blk_mq_update_nr_hw_queues+0x22b/0x560 nullb_update_nr_hw_queues+0x71/0xf0 [null_blk] nullb_device_poll_queues_store+0xa4/0x130 [null_blk] configfs_write_iter+0x109/0x1d0 vfs_write+0x26e/0x6f0 ksys_write+0x79/0x180 __x64_sys_write+0x1d/0x30 x64_sys_call+0x45c4/0x45f0 do_syscall_64+0xa5/0x240 entry_SYSCALL_64_after_hwframe+0x76/0x7e Root cause is that numgrps is set to 0, and ZERO_SIZE_PTR is returned from kcalloc(), and later ZERO_SIZE_PTR will be deferenced. Fix the problem by checking numgrps first in group_cpus_evenly(), and return NULL directly if numgrps is zero. [yukuai3@huawei.com: also fix the non-SMP version] | 2025-07-09 | not yet calculated | CVE-2025-38255 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: fix folio unpinning syzbot complains about an unmapping failure: [ 108.070381][ T14] kernel BUG at mm/gup.c:71! [ 108.070502][ T14] Internal error: Oops - BUG: 00000000f2000800 [#1] SMP [ 108.123672][ T14] Hardware name: QEMU KVM Virtual Machine, BIOS edk2-20250221-8.fc42 02/21/2025 [ 108.127458][ T14] Workqueue: iou_exit io_ring_exit_work [ 108.174205][ T14] Call trace: [ 108.175649][ T14] sanity_check_pinned_pages+0x7cc/0x7d0 (P) [ 108.178138][ T14] unpin_user_page+0x80/0x10c [ 108.180189][ T14] io_release_ubuf+0x84/0xf8 [ 108.182196][ T14] io_free_rsrc_node+0x250/0x57c [ 108.184345][ T14] io_rsrc_data_free+0x148/0x298 [ 108.186493][ T14] io_sqe_buffers_unregister+0x84/0xa0 [ 108.188991][ T14] io_ring_ctx_free+0x48/0x480 [ 108.191057][ T14] io_ring_exit_work+0x764/0x7d8 [ 108.193207][ T14] process_one_work+0x7e8/0x155c [ 108.195431][ T14] worker_thread+0x958/0xed8 [ 108.197561][ T14] kthread+0x5fc/0x75c [ 108.199362][ T14] ret_from_fork+0x10/0x20 We can pin a tail page of a folio, but then io_uring will try to unpin the head page of the folio. While it should be fine in terms of keeping the page actually alive, mm folks say it's wrong and triggers a debug warning. Use unpin_user_folio() instead of unpin_user_page*. [axboe: adapt to current tree, massage commit message] | 2025-07-09 | not yet calculated | CVE-2025-38256 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an ioctl call so the result of the product in calculation of size passed to memdup_user() may overflow. In this case the actual size of the allocated area and the value describing it won't be in sync leading to various types of unpredictable behaviour later. Use a proper memdup_array_user() helper which returns an error if an overflow is detected. Note that it is different from when nr_apqns is initially zero - that case is considered valid and should be handled in subsequent pkey_handler implementations. Found by Linux Verification Center (linuxtesting.org). | 2025-07-09 | not yet calculated | CVE-2025-38257 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write memcg_path_store() assigns a newly allocated memory buffer to filter->memcg_path, without deallocating the previously allocated and assigned memory buffer. As a result, users can leak kernel memory by continuously writing a data to memcg_path DAMOS sysfs file. Fix the leak by deallocating the previously set memory buffer. | 2025-07-09 | not yet calculated | CVE-2025-38258 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd9335: Fix missing free of regulator supplies Driver gets and enables all regulator supplies in probe path (wcd9335_parse_dt() and wcd9335_power_on_reset()), but does not cleanup in final error paths and in unbind (missing remove() callback). This leads to leaked memory and unbalanced regulator enable count during probe errors or unbind. Fix this by converting entire code into devm_regulator_bulk_get_enable() which also greatly simplifies the code. | 2025-07-09 | not yet calculated | CVE-2025-38259 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: handle csum tree error with rescue=ibadroots correctly [BUG] There is syzbot based reproducer that can crash the kernel, with the following call trace: (With some debug output added) DEBUG: rescue=ibadroots parsed BTRFS: device fsid 14d642db-7b15-43e4-81e6-4b8fac6a25f8 devid 1 transid 8 /dev/loop0 (7:0) scanned by repro (1010) BTRFS info (device loop0): first mount of filesystem 14d642db-7b15-43e4-81e6-4b8fac6a25f8 BTRFS info (device loop0): using blake2b (blake2b-256-generic) checksum algorithm BTRFS info (device loop0): using free-space-tree BTRFS warning (device loop0): checksum verify failed on logical 5312512 mirror 1 wanted 0xb043382657aede36608fd3386d6b001692ff406164733d94e2d9a180412c6003 found 0x810ceb2bacb7f0f9eb2bf3b2b15c02af867cb35ad450898169f3b1f0bd818651 level 0 DEBUG: read tree root path failed for tree csum, ret=-5 BTRFS warning (device loop0): checksum verify failed on logical 5328896 mirror 1 wanted 0x51be4e8b303da58e6340226815b70e3a93592dac3f30dd510c7517454de8567a found 0x51be4e8b303da58e634022a315b70e3a93592dac3f30dd510c7517454de8567a level 0 BTRFS warning (device loop0): checksum verify failed on logical 5292032 mirror 1 wanted 0x1924ccd683be9efc2fa98582ef58760e3848e9043db8649ee382681e220cdee4 found 0x0cb6184f6e8799d9f8cb335dccd1d1832da1071d12290dab3b85b587ecacca6e level 0 process 'repro' launched './file2' with NULL argv: empty string added DEBUG: no csum root, idatacsums=0 ibadroots=134217728 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000041: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000208-0x000000000000020f] CPU: 5 UID: 0 PID: 1010 Comm: repro Tainted: G OE 6.15.0-custom+ #249 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022 RIP: 0010:btrfs_lookup_csum+0x93/0x3d0 [btrfs] Call Trace: <TASK> btrfs_lookup_bio_sums+0x47a/0xdf0 [btrfs] btrfs_submit_bbio+0x43e/0x1a80 [btrfs] submit_one_bio+0xde/0x160 [btrfs] btrfs_readahead+0x498/0x6a0 [btrfs] read_pages+0x1c3/0xb20 page_cache_ra_order+0x4b5/0xc20 filemap_get_pages+0x2d3/0x19e0 filemap_read+0x314/0xde0 __kernel_read+0x35b/0x900 bprm_execve+0x62e/0x1140 do_execveat_common.isra.0+0x3fc/0x520 __x64_sys_execveat+0xdc/0x130 do_syscall_64+0x54/0x1d0 entry_SYSCALL_64_after_hwframe+0x76/0x7e ---[ end trace 0000000000000000 ]--- [CAUSE] Firstly the fs has a corrupted csum tree root, thus to mount the fs we have to go "ro,rescue=ibadroots" mount option. Normally with that mount option, a bad csum tree root should set BTRFS_FS_STATE_NO_DATA_CSUMS flag, so that any future data read will ignore csum search. But in this particular case, we have the following call trace that caused NULL csum root, but not setting BTRFS_FS_STATE_NO_DATA_CSUMS: load_global_roots_objectid(): ret = btrfs_search_slot(); /* Succeeded */ btrfs_item_key_to_cpu() found = true; /* We found the root item for csum tree. */ root = read_tree_root_path(); if (IS_ERR(root)) { if (!btrfs_test_opt(fs_info, IGNOREBADROOTS)) /* * Since we have rescue=ibadroots mount option, * @ret is still 0. */ break; if (!found || ret) { /* @found is true, @ret is 0, error handling for csum * tree is skipped. */ } This means we completely skipped to set BTRFS_FS_STATE_NO_DATA_CSUMS if the csum tree is corrupted, which results unexpected later csum lookup. [FIX] If read_tree_root_path() failed, always populate @ret to the error number. As at the end of the function, we need @ret to determine if we need to do the extra error handling for csum tree. | 2025-07-09 | not yet calculated | CVE-2025-38260 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: riscv: save the SR_SUM status over switches When threads/tasks are switched we need to ensure the old execution's SR_SUM state is saved and the new thread has the old SR_SUM state restored. The issue was seen under heavy load especially with the syz-stress tool running, with crashes as follows in schedule_tail: Unable to handle kernel access to user memory without uaccess routines at virtual address 000000002749f0d0 Oops [#1] Modules linked in: CPU: 1 PID: 4875 Comm: syz-executor.0 Not tainted 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 #0 Hardware name: riscv-virtio,qemu (DT) epc : schedule_tail+0x72/0xb2 kernel/sched/core.c:4264 ra : task_pid_vnr include/linux/sched.h:1421 [inline] ra : schedule_tail+0x70/0xb2 kernel/sched/core.c:4264 epc : ffffffe00008c8b0 ra : ffffffe00008c8ae sp : ffffffe025d17ec0 gp : ffffffe005d25378 tp : ffffffe00f0d0000 t0 : 0000000000000000 t1 : 0000000000000001 t2 : 00000000000f4240 s0 : ffffffe025d17ee0 s1 : 000000002749f0d0 a0 : 000000000000002a a1 : 0000000000000003 a2 : 1ffffffc0cfac500 a3 : ffffffe0000c80cc a4 : 5ae9db91c19bbe00 a5 : 0000000000000000 a6 : 0000000000f00000 a7 : ffffffe000082eba s2 : 0000000000040000 s3 : ffffffe00eef96c0 s4 : ffffffe022c77fe0 s5 : 0000000000004000 s6 : ffffffe067d74e00 s7 : ffffffe067d74850 s8 : ffffffe067d73e18 s9 : ffffffe067d74e00 s10: ffffffe00eef96e8 s11: 000000ae6cdf8368 t3 : 5ae9db91c19bbe00 t4 : ffffffc4043cafb2 t5 : ffffffc4043cafba t6 : 0000000000040000 status: 0000000000000120 badaddr: 000000002749f0d0 cause: 000000000000000f Call Trace: [<ffffffe00008c8b0>] schedule_tail+0x72/0xb2 kernel/sched/core.c:4264 [<ffffffe000005570>] ret_from_exception+0x0/0x14 Dumping ftrace buffer: (ftrace buffer empty) ---[ end trace b5f8f9231dc87dda ]--- The issue comes from the put_user() in schedule_tail (kernel/sched/core.c) doing the following: asmlinkage __visible void schedule_tail(struct task_struct *prev) { ... if (current->set_child_tid) put_user(task_pid_vnr(current), current->set_child_tid); ... } the put_user() macro causes the code sequence to come out as follows: 1: __enable_user_access() 2: reg = task_pid_vnr(current); 3: *current->set_child_tid = reg; 4: __disable_user_access() The problem is that we may have a sleeping function as argument which could clear SR_SUM causing the panic above. This was fixed by evaluating the argument of the put_user() macro outside the user-enabled section in commit 285a76bb2cf5 ("riscv: evaluate put_user() arg before enabling user access")" In order for riscv to take advantage of unsafe_get/put_XXX() macros and to avoid the same issue we had with put_user() and sleeping functions we must ensure code flow can go through switch_to() from within a region of code with SR_SUM enabled and come back with SR_SUM still enabled. This patch addresses the problem allowing future work to enable full use of unsafe_get/put_XXX() macros without needing to take a CSR bit flip cost on every access. Make switch_to() save and restore SR_SUM. | 2025-07-09 | not yet calculated | CVE-2025-38261 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tty: serial: uartlite: register uart driver in init When two instances of uart devices are probing, a concurrency race can occur. If one thread calls uart_register_driver function, which first allocates and assigns memory to 'uart_state' member of uart_driver structure, the other instance can bypass uart driver registration and call ulite_assign. This calls uart_add_one_port, which expects the uart driver to be fully initialized. This leads to a kernel panic due to a null pointer dereference: [ 8.143581] BUG: kernel NULL pointer dereference, address: 00000000000002b8 [ 8.156982] #PF: supervisor write access in kernel mode [ 8.156984] #PF: error_code(0x0002) - not-present page [ 8.156986] PGD 0 P4D 0 ... [ 8.180668] RIP: 0010:mutex_lock+0x19/0x30 [ 8.188624] Call Trace: [ 8.188629] ? __die_body.cold+0x1a/0x1f [ 8.195260] ? page_fault_oops+0x15c/0x290 [ 8.209183] ? __irq_resolve_mapping+0x47/0x80 [ 8.209187] ? exc_page_fault+0x64/0x140 [ 8.209190] ? asm_exc_page_fault+0x22/0x30 [ 8.209196] ? mutex_lock+0x19/0x30 [ 8.223116] uart_add_one_port+0x60/0x440 [ 8.223122] ? proc_tty_register_driver+0x43/0x50 [ 8.223126] ? tty_register_driver+0x1ca/0x1e0 [ 8.246250] ulite_probe+0x357/0x4b0 [uartlite] To prevent it, move uart driver registration in to init function. This will ensure that uart_driver is always registered when probe function is called. | 2025-07-09 | not yet calculated | CVE-2025-38262 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bcache: fix NULL pointer in cache_set_flush() 1. LINE#1794 - LINE#1887 is some codes about function of bch_cache_set_alloc(). 2. LINE#2078 - LINE#2142 is some codes about function of register_cache_set(). 3. register_cache_set() will call bch_cache_set_alloc() in LINE#2098. 1794 struct cache_set *bch_cache_set_alloc(struct cache_sb *sb) 1795 { ... 1860 if (!(c->devices = kcalloc(c->nr_uuids, sizeof(void *), GFP_KERNEL)) || 1861 mempool_init_slab_pool(&c->search, 32, bch_search_cache) || 1862 mempool_init_kmalloc_pool(&c->bio_meta, 2, 1863 sizeof(struct bbio) + sizeof(struct bio_vec) * 1864 bucket_pages(c)) || 1865 mempool_init_kmalloc_pool(&c->fill_iter, 1, iter_size) || 1866 bioset_init(&c->bio_split, 4, offsetof(struct bbio, bio), 1867 BIOSET_NEED_BVECS|BIOSET_NEED_RESCUER) || 1868 !(c->uuids = alloc_bucket_pages(GFP_KERNEL, c)) || 1869 !(c->moving_gc_wq = alloc_workqueue("bcache_gc", 1870 WQ_MEM_RECLAIM, 0)) || 1871 bch_journal_alloc(c) || 1872 bch_btree_cache_alloc(c) || 1873 bch_open_buckets_alloc(c) || 1874 bch_bset_sort_state_init(&c->sort, ilog2(c->btree_pages))) 1875 goto err; ^^^^^^^^ 1876 ... 1883 return c; 1884 err: 1885 bch_cache_set_unregister(c); ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 1886 return NULL; 1887 } ... 2078 static const char *register_cache_set(struct cache *ca) 2079 { ... 2098 c = bch_cache_set_alloc(&ca->sb); 2099 if (!c) 2100 return err; ^^^^^^^^^^ ... 2128 ca->set = c; 2129 ca->set->cache[ca->sb.nr_this_dev] = ca; ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ... 2138 return NULL; 2139 err: 2140 bch_cache_set_unregister(c); 2141 return err; 2142 } (1) If LINE#1860 - LINE#1874 is true, then do 'goto err'(LINE#1875) and call bch_cache_set_unregister()(LINE#1885). (2) As (1) return NULL(LINE#1886), LINE#2098 - LINE#2100 would return. (3) As (2) has returned, LINE#2128 - LINE#2129 would do *not* give the value to c->cache[], it means that c->cache[] is NULL. LINE#1624 - LINE#1665 is some codes about function of cache_set_flush(). As (1), in LINE#1885 call bch_cache_set_unregister() ---> bch_cache_set_stop() ---> closure_queue() -.-> cache_set_flush() (as below LINE#1624) 1624 static void cache_set_flush(struct closure *cl) 1625 { ... 1654 for_each_cache(ca, c, i) 1655 if (ca->alloc_thread) ^^ 1656 kthread_stop(ca->alloc_thread); ... 1665 } (4) In LINE#1655 ca is NULL(see (3)) in cache_set_flush() then the kernel crash occurred as below: [ 846.712887] bcache: register_cache() error drbd6: cannot allocate memory [ 846.713242] bcache: register_bcache() error : failed to register device [ 846.713336] bcache: cache_set_free() Cache set 2f84bdc1-498a-4f2f-98a7-01946bf54287 unregistered [ 846.713768] BUG: unable to handle kernel NULL pointer dereference at 00000000000009f8 [ 846.714790] PGD 0 P4D 0 [ 846.715129] Oops: 0000 [#1] SMP PTI [ 846.715472] CPU: 19 PID: 5057 Comm: kworker/19:16 Kdump: loaded Tainted: G OE --------- - - 4.18.0-147.5.1.el8_1.5es.3.x86_64 #1 [ 846.716082] Hardware name: ESPAN GI-25212/X11DPL-i, BIOS 2.1 06/15/2018 [ 846.716451] Workqueue: events cache_set_flush [bcache] [ 846.716808] RIP: 0010:cache_set_flush+0xc9/0x1b0 [bcache] [ 846.717155] Code: 00 4c 89 a5 b0 03 00 00 48 8b 85 68 f6 ff ff a8 08 0f 84 88 00 00 00 31 db 66 83 bd 3c f7 ff ff 00 48 8b 85 48 ff ff ff 74 28 <48> 8b b8 f8 09 00 0 ---truncated--- | 2025-07-09 | not yet calculated | CVE-2025-38263 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: sanitize request list handling Validate the request in nvme_tcp_handle_r2t() to ensure it's not part of any list, otherwise a malicious R2T PDU might inject a loop in request list processing. | 2025-07-09 | not yet calculated | CVE-2025-38264 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: serial: jsm: fix NPE during jsm_uart_port_init No device was set which caused serial_base_ctrl_add to crash. BUG: kernel NULL pointer dereference, address: 0000000000000050 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 16 UID: 0 PID: 368 Comm: (udev-worker) Not tainted 6.12.25-amd64 #1 Debian 6.12.25-1 RIP: 0010:serial_base_ctrl_add+0x96/0x120 Call Trace: <TASK> serial_core_register_port+0x1a0/0x580 ? __setup_irq+0x39c/0x660 ? __kmalloc_cache_noprof+0x111/0x310 jsm_uart_port_init+0xe8/0x180 [jsm] jsm_probe_one+0x1f4/0x410 [jsm] local_pci_probe+0x42/0x90 pci_device_probe+0x22f/0x270 really_probe+0xdb/0x340 ? pm_runtime_barrier+0x54/0x90 ? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x78/0x110 driver_probe_device+0x1f/0xa0 __driver_attach+0xba/0x1c0 bus_for_each_dev+0x8c/0xe0 bus_add_driver+0x112/0x1f0 driver_register+0x72/0xd0 jsm_init_module+0x36/0xff0 [jsm] ? __pfx_jsm_init_module+0x10/0x10 [jsm] do_one_initcall+0x58/0x310 do_init_module+0x60/0x230 Tested with Digi Neo PCIe 8 port card. | 2025-07-10 | not yet calculated | CVE-2025-38265 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms Commit 3ef9f710efcb ("pinctrl: mediatek: Add EINT support for multiple addresses") introduced an access to the 'soc' field of struct mtk_pinctrl in mtk_eint_do_init() and for that an include of pinctrl-mtk-common-v2.h. However, pinctrl drivers relying on the v1 common driver include pinctrl-mtk-common.h instead, which provides another definition of struct mtk_pinctrl that does not contain an 'soc' field. Since mtk_eint_do_init() can be called both by v1 and v2 drivers, it will now try to dereference an invalid pointer when called on v1 platforms. This has been observed on Genio 350 EVK (MT8365), which crashes very early in boot (the kernel trace can only be seen with earlycon). In order to fix this, since 'struct mtk_pinctrl' was only needed to get a 'struct mtk_eint_pin', make 'struct mtk_eint_pin' a parameter of mtk_eint_do_init() so that callers need to supply it, removing mtk_eint_do_init()'s dependency on any particular 'struct mtk_pinctrl'. | 2025-07-10 | not yet calculated | CVE-2025-38266 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Do not trigger WARN_ON() due to a commit_overrun When reading a memory mapped buffer the reader page is just swapped out with the last page written in the write buffer. If the reader page is the same as the commit buffer (the buffer that is currently being written to) it was assumed that it should never have missed events. If it does, it triggers a WARN_ON_ONCE(). But there just happens to be one scenario where this can legitimately happen. That is on a commit_overrun. A commit overrun is when an interrupt preempts an event being written to the buffer and then the interrupt adds so many new events that it fills and wraps the buffer back to the commit. Any new events would then be dropped and be reported as "missed_events". In this case, the next page to read is the commit buffer and after the swap of the reader page, the reader page will be the commit buffer, but this time there will be missed events and this triggers the following warning: ------------[ cut here ]------------ WARNING: CPU: 2 PID: 1127 at kernel/trace/ring_buffer.c:7357 ring_buffer_map_get_reader+0x49a/0x780 Modules linked in: kvm_intel kvm irqbypass CPU: 2 UID: 0 PID: 1127 Comm: trace-cmd Not tainted 6.15.0-rc7-test-00004-g478bc2824b45-dirty #564 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:ring_buffer_map_get_reader+0x49a/0x780 Code: 00 00 00 48 89 fe 48 c1 ee 03 80 3c 2e 00 0f 85 ec 01 00 00 4d 3b a6 a8 00 00 00 0f 85 8a fd ff ff 48 85 c0 0f 84 55 fe ff ff <0f> 0b e9 4e fe ff ff be 08 00 00 00 4c 89 54 24 58 48 89 54 24 50 RSP: 0018:ffff888121787dc0 EFLAGS: 00010002 RAX: 00000000000006a2 RBX: ffff888100062800 RCX: ffffffff8190cb49 RDX: ffff888126934c00 RSI: 1ffff11020200a15 RDI: ffff8881010050a8 RBP: dffffc0000000000 R08: 0000000000000000 R09: ffffed1024d26982 R10: ffff888126934c17 R11: ffff8881010050a8 R12: ffff888126934c00 R13: ffff8881010050b8 R14: ffff888101005000 R15: ffff888126930008 FS: 00007f95c8cd7540(0000) GS:ffff8882b576e000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f95c8de4dc0 CR3: 0000000128452002 CR4: 0000000000172ef0 Call Trace: <TASK> ? __pfx_ring_buffer_map_get_reader+0x10/0x10 tracing_buffers_ioctl+0x283/0x370 __x64_sys_ioctl+0x134/0x190 do_syscall_64+0x79/0x1c0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7f95c8de48db Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <89> c2 3d 00 f0 ff ff 77 1c 48 8b 44 24 18 64 48 2b 04 25 28 00 00 RSP: 002b:00007ffe037ba110 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007ffe037bb2b0 RCX: 00007f95c8de48db RDX: 0000000000000000 RSI: 0000000000005220 RDI: 0000000000000006 RBP: 00007ffe037ba180 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffe037bb6f8 R14: 00007f95c9065000 R15: 00005575c7492c90 </TASK> irq event stamp: 5080 hardirqs last enabled at (5079): [<ffffffff83e0adb0>] _raw_spin_unlock_irqrestore+0x50/0x70 hardirqs last disabled at (5080): [<ffffffff83e0aa83>] _raw_spin_lock_irqsave+0x63/0x70 softirqs last enabled at (4182): [<ffffffff81516122>] handle_softirqs+0x552/0x710 softirqs last disabled at (4159): [<ffffffff815163f7>] __irq_exit_rcu+0x107/0x210 ---[ end trace 0000000000000000 ]--- The above was triggered by running on a kernel with both lockdep and KASAN as well as kmemleak enabled and executing the following command: # perf record -o perf-test.dat -a -- trace-cmd record --nosplice -e all -p function hackbench 50 With perf interjecting a lot of interrupts and trace-cmd enabling all events as well as function tracing, with lockdep, KASAN and kmemleak enabled, it could cause an interrupt preempting an event being written to add enough event ---truncated--- | 2025-07-10 | not yet calculated | CVE-2025-38267 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the DisplayPort Alt Mode driver would be executing work and attempting to grab the tcpm_lock while the TCPM was holding the lock and attempting to unregister the altmode, blocking on the altmode driver's cancel_work_sync call. Because the state check isn't protected, there is a small window where the Alt Mode driver could determine that the TCPM is in a ready state and attempt to grab the lock while the TCPM grabs the lock and changes the TCPM state to one that causes the deadlock. The callstack is provided below: [110121.667392][ C7] Call trace: [110121.667396][ C7] __switch_to+0x174/0x338 [110121.667406][ C7] __schedule+0x608/0x9f0 [110121.667414][ C7] schedule+0x7c/0xe8 [110121.667423][ C7] kernfs_drain+0xb0/0x114 [110121.667431][ C7] __kernfs_remove+0x16c/0x20c [110121.667436][ C7] kernfs_remove_by_name_ns+0x74/0xe8 [110121.667442][ C7] sysfs_remove_group+0x84/0xe8 [110121.667450][ C7] sysfs_remove_groups+0x34/0x58 [110121.667458][ C7] device_remove_groups+0x10/0x20 [110121.667464][ C7] device_release_driver_internal+0x164/0x2e4 [110121.667475][ C7] device_release_driver+0x18/0x28 [110121.667484][ C7] bus_remove_device+0xec/0x118 [110121.667491][ C7] device_del+0x1e8/0x4ac [110121.667498][ C7] device_unregister+0x18/0x38 [110121.667504][ C7] typec_unregister_altmode+0x30/0x44 [110121.667515][ C7] tcpm_reset_port+0xac/0x370 [110121.667523][ C7] tcpm_snk_detach+0x84/0xb8 [110121.667529][ C7] run_state_machine+0x4c0/0x1b68 [110121.667536][ C7] tcpm_state_machine_work+0x94/0xe4 [110121.667544][ C7] kthread_worker_fn+0x10c/0x244 [110121.667552][ C7] kthread+0x104/0x1d4 [110121.667557][ C7] ret_from_fork+0x10/0x20 [110121.667689][ C7] Workqueue: events dp_altmode_work [110121.667697][ C7] Call trace: [110121.667701][ C7] __switch_to+0x174/0x338 [110121.667710][ C7] __schedule+0x608/0x9f0 [110121.667717][ C7] schedule+0x7c/0xe8 [110121.667725][ C7] schedule_preempt_disabled+0x24/0x40 [110121.667733][ C7] __mutex_lock+0x408/0xdac [110121.667741][ C7] __mutex_lock_slowpath+0x14/0x24 [110121.667748][ C7] mutex_lock+0x40/0xec [110121.667757][ C7] tcpm_altmode_enter+0x78/0xb4 [110121.667764][ C7] typec_altmode_enter+0xdc/0x10c [110121.667769][ C7] dp_altmode_work+0x68/0x164 [110121.667775][ C7] process_one_work+0x1e4/0x43c [110121.667783][ C7] worker_thread+0x25c/0x430 [110121.667789][ C7] kthread+0x104/0x1d4 [110121.667794][ C7] ret_from_fork+0x10/0x20 Change tcpm_queue_vdm_unlocked to queue for tcpm_queue_vdm_work, which can perform the state check while holding the TCPM lock while the Alt Mode lock is no longer held. This requires a new struct to hold the vdm data, altmode_vdm_event. | 2025-07-10 | not yet calculated | CVE-2025-38268 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: exit after state insertion failure at btrfs_convert_extent_bit() If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() which will trigger a BUG() call. However if CONFIG_BUG is disabled, which is an uncommon and exotic scenario, then we fallthrough and call cache_state() which will dereference the error pointer, resulting in an invalid memory access. So jump to the 'out' label after calling extent_io_tree_panic(), it also makes the code more clear besides dealing with the exotic scenario where CONFIG_BUG is disabled. | 2025-07-10 | not yet calculated | CVE-2025-38269 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: drv: netdevsim: don't napi_complete() from netpoll netdevsim supports netpoll. Make sure we don't call napi_complete() from it, since it may not be scheduled. Breno reports hitting a warning in napi_complete_done(): WARNING: CPU: 14 PID: 104 at net/core/dev.c:6592 napi_complete_done+0x2cc/0x560 __napi_poll+0x2d8/0x3a0 handle_softirqs+0x1fe/0x710 This is presumably after netpoll stole the SCHED bit prematurely. | 2025-07-10 | not yet calculated | CVE-2025-38270 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: prevent a NULL deref in rtnl_create_link() At the time rtnl_create_link() is running, dev->netdev_ops is NULL, we must not use netdev_lock_ops() or risk a NULL deref if CONFIG_NET_SHAPER is defined. Use netif_set_group() instead of dev_set_group(). RIP: 0010:netdev_need_ops_lock include/net/netdev_lock.h:33 [inline] RIP: 0010:netdev_lock_ops include/net/netdev_lock.h:41 [inline] RIP: 0010:dev_set_group+0xc0/0x230 net/core/dev_api.c:82 Call Trace: <TASK> rtnl_create_link+0x748/0xd10 net/core/rtnetlink.c:3674 rtnl_newlink_create+0x25c/0xb00 net/core/rtnetlink.c:3813 __rtnl_newlink net/core/rtnetlink.c:3940 [inline] rtnl_newlink+0x16d6/0x1c70 net/core/rtnetlink.c:4055 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6944 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2534 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x75b/0x8d0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] | 2025-07-10 | not yet calculated | CVE-2025-38271 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: b53: do not enable EEE on bcm63xx BCM63xx internal switches do not support EEE, but provide multiple RGMII ports where external PHYs may be connected. If one of these PHYs are EEE capable, we may try to enable EEE for the MACs, which then hangs the system on access of the (non-existent) EEE registers. Fix this by checking if the switch actually supports EEE before attempting to configure it. | 2025-07-10 | not yet calculated | CVE-2025-38272 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: tipc: fix refcount warning in tipc_aead_encrypt syzbot reported a refcount warning [1] caused by calling get_net() on a network namespace that is being destroyed (refcount=0). This happens when a TIPC discovery timer fires during network namespace cleanup. The recently added get_net() call in commit e279024617134 ("net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done") attempts to hold a reference to the network namespace. However, if the namespace is already being destroyed, its refcount might be zero, leading to the use-after-free warning. Replace get_net() with maybe_get_net(), which safely checks if the refcount is non-zero before incrementing it. If the namespace is being destroyed, return -ENODEV early, after releasing the bearer reference. [1]: https://lore.kernel.org/all/68342b55.a70a0220.253bc2.0091.GAE@google.com/T/#m12019cf9ae77e1954f666914640efa36d52704a2 | 2025-07-10 | not yet calculated | CVE-2025-38273 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt() fpga_mgr_test_img_load_sgt() allocates memory for sgt using kunit_kzalloc() however it does not check if the allocation failed. It then passes sgt to sg_alloc_table(), which passes it to __sg_alloc_table(). This function calls memset() on sgt in an attempt to zero it out. If the allocation fails then sgt will be NULL and the memset will trigger a NULL pointer dereference. Fix this by checking the allocation with KUNIT_ASSERT_NOT_ERR_OR_NULL(). | 2025-07-10 | not yet calculated | CVE-2025-38274 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug The qmp_usb_iomap() helper function currently returns the raw result of devm_ioremap() for non-exclusive mappings. Since devm_ioremap() may return a NULL pointer and the caller only checks error pointers with IS_ERR(), NULL could bypass the check and lead to an invalid dereference. Fix the issue by checking if devm_ioremap() returns NULL. When it does, qmp_usb_iomap() now returns an error pointer via IOMEM_ERR_PTR(-ENOMEM), ensuring safe and consistent error handling. | 2025-07-10 | not yet calculated | CVE-2025-38275 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/dax: Fix "don't skip locked entries when scanning entries" Commit 6be3e21d25ca ("fs/dax: don't skip locked entries when scanning entries") introduced a new function, wait_entry_unlocked_exclusive(), which waits for the current entry to become unlocked without advancing the XArray iterator state. Waiting for the entry to become unlocked requires dropping the XArray lock. This requires calling xas_pause() prior to dropping the lock which leaves the xas in a suitable state for the next iteration. However this has the side-effect of advancing the xas state to the next index. Normally this isn't an issue because xas_for_each() contains code to detect this state and thus avoid advancing the index a second time on the next loop iteration. However both callers of and wait_entry_unlocked_exclusive() itself subsequently use the xas state to reload the entry. As xas_pause() updated the state to the next index this will cause the current entry which is being waited on to be skipped. This caused the following warning to fire intermittently when running xftest generic/068 on an XFS filesystem with FS DAX enabled: [ 35.067397] ------------[ cut here ]------------ [ 35.068229] WARNING: CPU: 21 PID: 1640 at mm/truncate.c:89 truncate_folio_batch_exceptionals+0xd8/0x1e0 [ 35.069717] Modules linked in: nd_pmem dax_pmem nd_btt nd_e820 libnvdimm [ 35.071006] CPU: 21 UID: 0 PID: 1640 Comm: fstest Not tainted 6.15.0-rc7+ #77 PREEMPT(voluntary) [ 35.072613] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/204 [ 35.074845] RIP: 0010:truncate_folio_batch_exceptionals+0xd8/0x1e0 [ 35.075962] Code: a1 00 00 00 f6 47 0d 20 0f 84 97 00 00 00 4c 63 e8 41 39 c4 7f 0b eb 61 49 83 c5 01 45 39 ec 7e 58 42 f68 [ 35.079522] RSP: 0018:ffffb04e426c7850 EFLAGS: 00010202 [ 35.080359] RAX: 0000000000000000 RBX: ffff9d21e3481908 RCX: ffffb04e426c77f4 [ 35.081477] RDX: ffffb04e426c79e8 RSI: ffffb04e426c79e0 RDI: ffff9d21e34816e8 [ 35.082590] RBP: ffffb04e426c79e0 R08: 0000000000000001 R09: 0000000000000003 [ 35.083733] R10: 0000000000000000 R11: 822b53c0f7a49868 R12: 000000000000001f [ 35.084850] R13: 0000000000000000 R14: ffffb04e426c78e8 R15: fffffffffffffffe [ 35.085953] FS: 00007f9134c87740(0000) GS:ffff9d22abba0000(0000) knlGS:0000000000000000 [ 35.087346] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 35.088244] CR2: 00007f9134c86000 CR3: 000000040afff000 CR4: 00000000000006f0 [ 35.089354] Call Trace: [ 35.089749] <TASK> [ 35.090168] truncate_inode_pages_range+0xfc/0x4d0 [ 35.091078] truncate_pagecache+0x47/0x60 [ 35.091735] xfs_setattr_size+0xc7/0x3e0 [ 35.092648] xfs_vn_setattr+0x1ea/0x270 [ 35.093437] notify_change+0x1f4/0x510 [ 35.094219] ? do_truncate+0x97/0xe0 [ 35.094879] do_truncate+0x97/0xe0 [ 35.095640] path_openat+0xabd/0xca0 [ 35.096278] do_filp_open+0xd7/0x190 [ 35.096860] do_sys_openat2+0x8a/0xe0 [ 35.097459] __x64_sys_openat+0x6d/0xa0 [ 35.098076] do_syscall_64+0xbb/0x1d0 [ 35.098647] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 35.099444] RIP: 0033:0x7f9134d81fc1 [ 35.100033] Code: 75 57 89 f0 25 00 00 41 00 3d 00 00 41 00 74 49 80 3d 2a 26 0e 00 00 74 6d 89 da 48 89 ee bf 9c ff ff ff5 [ 35.102993] RSP: 002b:00007ffcd41e0d10 EFLAGS: 00000202 ORIG_RAX: 0000000000000101 [ 35.104263] RAX: ffffffffffffffda RBX: 0000000000000242 RCX: 00007f9134d81fc1 [ 35.105452] RDX: 0000000000000242 RSI: 00007ffcd41e1200 RDI: 00000000ffffff9c [ 35.106663] RBP: 00007ffcd41e1200 R08: 0000000000000000 R09: 0000000000000064 [ 35.107923] R10: 00000000000001a4 R11: 0000000000000202 R12: 0000000000000066 [ 35.109112] R13: 0000000000100000 R14: 0000000000100000 R15: 0000000000000400 [ 35.110357] </TASK> [ 35.110769] irq event stamp: 8415587 [ 35.111486] hardirqs last enabled at (8415599): [<ffffffff8d74b562>] __up_console_se ---truncated--- | 2025-07-10 | not yet calculated | CVE-2025-38276 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mtd: nand: ecc-mxic: Fix use of uninitialized variable ret If ctx->steps is zero, the loop processing ECC steps is skipped, and the variable ret remains uninitialized. It is later checked and returned, which leads to undefined behavior and may cause unpredictable results in user space or kernel crashes. This scenario can be triggered in edge cases such as misconfigured geometry, ECC engine misuse, or if ctx->steps is not validated after initialization. Initialize ret to zero before the loop to ensure correct and safe behavior regardless of the ctx->steps value. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2025-07-10 | not yet calculated | CVE-2025-38277 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback This patch addresses below issues, 1. Active traffic on the leaf node must be stopped before its send queue is reassigned to the parent. This patch resolves the issue by marking the node as 'Inner'. 2. During a system reboot, the interface receives TC_HTB_LEAF_DEL and TC_HTB_LEAF_DEL_LAST callbacks to delete its HTB queues. In the case of TC_HTB_LEAF_DEL_LAST, although the same send queue is reassigned to the parent, the current logic still attempts to update the real number of queues, leadning to below warnings New queues can't be registered after device unregistration. WARNING: CPU: 0 PID: 6475 at net/core/net-sysfs.c:1714 netdev_queue_update_kobjects+0x1e4/0x200 | 2025-07-10 | not yet calculated | CVE-2025-38278 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Do not include stack ptr register in precision backtracking bookkeeping Yi Lai reported an issue ([1]) where the following warning appears in kernel dmesg: [ 60.643604] verifier backtracking bug [ 60.643635] WARNING: CPU: 10 PID: 2315 at kernel/bpf/verifier.c:4302 __mark_chain_precision+0x3a6c/0x3e10 [ 60.648428] Modules linked in: bpf_testmod(OE) [ 60.650471] CPU: 10 UID: 0 PID: 2315 Comm: test_progs Tainted: G OE 6.15.0-rc4-gef11287f8289-dirty #327 PREEMPT(full) [ 60.654385] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [ 60.656682] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [ 60.660475] RIP: 0010:__mark_chain_precision+0x3a6c/0x3e10 [ 60.662814] Code: 5a 30 84 89 ea e8 c4 d9 01 00 80 3d 3e 7d d8 04 00 0f 85 60 fa ff ff c6 05 31 7d d8 04 01 48 c7 c7 00 58 30 84 e8 c4 06 a5 ff <0f> 0b e9 46 fa ff ff 48 ... [ 60.668720] RSP: 0018:ffff888116cc7298 EFLAGS: 00010246 [ 60.671075] RAX: 54d70e82dfd31900 RBX: ffff888115b65e20 RCX: 0000000000000000 [ 60.673659] RDX: 0000000000000001 RSI: 0000000000000004 RDI: 00000000ffffffff [ 60.676241] RBP: 0000000000000400 R08: ffff8881f6f23bd3 R09: 1ffff1103ede477a [ 60.678787] R10: dffffc0000000000 R11: ffffed103ede477b R12: ffff888115b60ae8 [ 60.681420] R13: 1ffff11022b6cbc4 R14: 00000000fffffff2 R15: 0000000000000001 [ 60.684030] FS: 00007fc2aedd80c0(0000) GS:ffff88826fa8a000(0000) knlGS:0000000000000000 [ 60.686837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 60.689027] CR2: 000056325369e000 CR3: 000000011088b002 CR4: 0000000000370ef0 [ 60.691623] Call Trace: [ 60.692821] <TASK> [ 60.693960] ? __pfx_verbose+0x10/0x10 [ 60.695656] ? __pfx_disasm_kfunc_name+0x10/0x10 [ 60.697495] check_cond_jmp_op+0x16f7/0x39b0 [ 60.699237] do_check+0x58fa/0xab10 ... Further analysis shows the warning is at line 4302 as below: 4294 /* static subprog call instruction, which 4295 * means that we are exiting current subprog, 4296 * so only r1-r5 could be still requested as 4297 * precise, r0 and r6-r10 or any stack slot in 4298 * the current frame should be zero by now 4299 */ 4300 if (bt_reg_mask(bt) & ~BPF_REGMASK_ARGS) { 4301 verbose(env, "BUG regs %x\n", bt_reg_mask(bt)); 4302 WARN_ONCE(1, "verifier backtracking bug"); 4303 return -EFAULT; 4304 } With the below test (also in the next patch): __used __naked static void __bpf_jmp_r10(void) { asm volatile ( "r2 = 2314885393468386424 ll;" "goto +0;" "if r2 <= r10 goto +3;" "if r1 >= -1835016 goto +0;" "if r2 <= 8 goto +0;" "if r3 <= 0 goto +0;" "exit;" ::: __clobber_all); } SEC("?raw_tp") __naked void bpf_jmp_r10(void) { asm volatile ( "r3 = 0 ll;" "call __bpf_jmp_r10;" "r0 = 0;" "exit;" ::: __clobber_all); } The following is the verifier failure log: 0: (18) r3 = 0x0 ; R3_w=0 2: (85) call pc+2 caller: R10=fp0 callee: frame1: R1=ctx() R3_w=0 R10=fp0 5: frame1: R1=ctx() R3_w=0 R10=fp0 ; asm volatile (" \ @ verifier_precision.c:184 5: (18) r2 = 0x20202000256c6c78 ; frame1: R2_w=0x20202000256c6c78 7: (05) goto pc+0 8: (bd) if r2 <= r10 goto pc+3 ; frame1: R2_w=0x20202000256c6c78 R10=fp0 9: (35) if r1 >= 0xffe3fff8 goto pc+0 ; frame1: R1=ctx() 10: (b5) if r2 <= 0x8 goto pc+0 mark_precise: frame1: last_idx 10 first_idx 0 subseq_idx -1 mark_precise: frame1: regs=r2 stack= before 9: (35) if r1 >= 0xffe3fff8 goto pc+0 mark_precise: frame1: regs=r2 stack= before 8: (bd) if r2 <= r10 goto pc+3 mark_preci ---truncated--- | 2025-07-10 | not yet calculated | CVE-2025-38279 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Avoid __bpf_prog_ret0_warn when jit fails syzkaller reported an issue: WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Modules linked in: CPU: 3 UID: 0 PID: 217 Comm: kworker/u32:6 Not tainted 6.15.0-rc4-syzkaller-00040-g8bac8898fe39 RIP: 0010:__bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/core.c:2357 Call Trace: <TASK> bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline] __bpf_prog_run include/linux/filter.h:718 [inline] bpf_prog_run include/linux/filter.h:725 [inline] cls_bpf_classify+0x74a/0x1110 net/sched/cls_bpf.c:105 ... When creating bpf program, 'fp->jit_requested' depends on bpf_jit_enable. This issue is triggered because of CONFIG_BPF_JIT_ALWAYS_ON is not set and bpf_jit_enable is set to 1, causing the arch to attempt JIT the prog, but jit failed due to FAULT_INJECTION. As a result, incorrectly treats the program as valid, when the program runs it calls `__bpf_prog_ret0_warn` and triggers the WARN_ON_ONCE(1). | 2025-07-10 | not yet calculated | CVE-2025-38280 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init devm_kasprintf() can return a NULL pointer on failure,but this returned value in mt7996_thermal_init() is not checked. Add NULL check in mt7996_thermal_init(), to handle kernel NULL pointer dereference error. | 2025-07-10 | not yet calculated | CVE-2025-38281 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: kernfs: Relax constraint in draining guard The active reference lifecycle provides the break/unbreak mechanism but the active reference is not truly active after unbreak -- callers don't use it afterwards but it's important for proper pairing of kn->active counting. Assuming this mechanism is in place, the WARN check in kernfs_should_drain_open_files() is too sensitive -- it may transiently catch those (rightful) callers between kernfs_unbreak_active_protection() and kernfs_put_active() as found out by Chen Ridong: kernfs_remove_by_name_ns kernfs_get_active // active=1 __kernfs_remove // active=0x80000002 kernfs_drain ... wait_event //waiting (active == 0x80000001) kernfs_break_active_protection // active = 0x80000001 // continue kernfs_unbreak_active_protection // active = 0x80000002 ... kernfs_should_drain_open_files // warning occurs kernfs_put_active To avoid the false positives (mind panic_on_warn) remove the check altogether. (This is meant as quick fix, I think active reference break/unbreak may be simplified with larger rework.) | 2025-07-10 | not yet calculated | CVE-2025-38282 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: bugfix live migration function without VF device driver If the VF device driver is not loaded in the Guest OS and we attempt to perform device data migration, the address of the migrated data will be NULL. The live migration recovery operation on the destination side will access a null address value, which will cause access errors. Therefore, live migration of VMs without added VF device drivers does not require device data migration. In addition, when the queue address data obtained by the destination is empty, device queue recovery processing will not be performed. | 2025-07-10 | not yet calculated | CVE-2025-38283 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: configure manual DAC mode via PCI config API only To support 36-bit DMA, configure chip proprietary bit via PCI config API or chip DBI interface. However, the PCI device mmap isn't set yet and the DBI is also inaccessible via mmap, so only if the bit can be accessible via PCI config API, chip can support 36-bit DMA. Otherwise, fallback to 32-bit DMA. With NULL mmap address, kernel throws trace: BUG: unable to handle page fault for address: 0000000000001090 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 0 P4D 0 Oops: Oops: 0002 [#1] PREEMPT SMP PTI CPU: 1 UID: 0 PID: 71 Comm: irq/26-pciehp Tainted: G OE 6.14.2-061402-generic #202504101348 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE RIP: 0010:rtw89_pci_ops_write16+0x12/0x30 [rtw89_pci] RSP: 0018:ffffb0ffc0acf9d8 EFLAGS: 00010206 RAX: ffffffffc158f9c0 RBX: ffff94865e702020 RCX: 0000000000000000 RDX: 0000000000000718 RSI: 0000000000001090 RDI: ffff94865e702020 RBP: ffffb0ffc0acf9d8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000015 R13: 0000000000000719 R14: ffffb0ffc0acfa1f R15: ffffffffc1813060 FS: 0000000000000000(0000) GS:ffff9486f3480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000001090 CR3: 0000000090440001 CR4: 00000000000626f0 Call Trace: <TASK> rtw89_pci_read_config_byte+0x6d/0x120 [rtw89_pci] rtw89_pci_cfg_dac+0x5b/0xb0 [rtw89_pci] rtw89_pci_probe+0xa96/0xbd0 [rtw89_pci] ? __pfx___device_attach_driver+0x10/0x10 ? __pfx___device_attach_driver+0x10/0x10 local_pci_probe+0x47/0xa0 pci_call_probe+0x5d/0x190 pci_device_probe+0xa7/0x160 really_probe+0xf9/0x370 ? pm_runtime_barrier+0x55/0xa0 __driver_probe_device+0x8c/0x140 driver_probe_device+0x24/0xd0 __device_attach_driver+0xcd/0x170 bus_for_each_drv+0x99/0x100 __device_attach+0xb4/0x1d0 device_attach+0x10/0x20 pci_bus_add_device+0x59/0x90 pci_bus_add_devices+0x31/0x80 pciehp_configure_device+0xaa/0x170 pciehp_enable_slot+0xd6/0x240 pciehp_handle_presence_or_link_change+0xf1/0x180 pciehp_ist+0x162/0x1c0 irq_thread_fn+0x24/0x70 irq_thread+0xef/0x1c0 ? __pfx_irq_thread_fn+0x10/0x10 ? __pfx_irq_thread_dtor+0x10/0x10 ? __pfx_irq_thread+0x10/0x10 kthread+0xfc/0x230 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x47/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> | 2025-07-10 | not yet calculated | CVE-2025-38284 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix WARN() in get_bpf_raw_tp_regs syzkaller reported an issue: WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 Modules linked in: CPU: 3 UID: 0 PID: 5971 Comm: syz-executor205 Not tainted 6.15.0-rc5-syzkaller-00038-g707df3375124 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 RIP: 0010:get_bpf_raw_tp_regs+0xa4/0x100 kernel/trace/bpf_trace.c:1861 RSP: 0018:ffffc90003636fa8 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffff81c6bc4c RDX: ffff888032efc880 RSI: ffffffff81c6bc83 RDI: 0000000000000005 RBP: ffff88806a730860 R08: 0000000000000005 R09: 0000000000000003 R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000004 R13: 0000000000000001 R14: ffffc90003637008 R15: 0000000000000900 FS: 0000000000000000(0000) GS:ffff8880d6cdf000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7baee09130 CR3: 0000000029f5a000 CR4: 0000000000352ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1934 [inline] bpf_get_stack_raw_tp+0x24/0x160 kernel/trace/bpf_trace.c:1931 bpf_prog_ec3b2eefa702d8d3+0x43/0x47 bpf_dispatcher_nop_func include/linux/bpf.h:1316 [inline] __bpf_prog_run include/linux/filter.h:718 [inline] bpf_prog_run include/linux/filter.h:725 [inline] __bpf_trace_run kernel/trace/bpf_trace.c:2363 [inline] bpf_trace_run3+0x23f/0x5a0 kernel/trace/bpf_trace.c:2405 __bpf_trace_mmap_lock_acquire_returned+0xfc/0x140 include/trace/events/mmap_lock.h:47 __traceiter_mmap_lock_acquire_returned+0x79/0xc0 include/trace/events/mmap_lock.h:47 __do_trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline] trace_mmap_lock_acquire_returned include/trace/events/mmap_lock.h:47 [inline] __mmap_lock_do_trace_acquire_returned+0x138/0x1f0 mm/mmap_lock.c:35 __mmap_lock_trace_acquire_returned include/linux/mmap_lock.h:36 [inline] mmap_read_trylock include/linux/mmap_lock.h:204 [inline] stack_map_get_build_id_offset+0x535/0x6f0 kernel/bpf/stackmap.c:157 __bpf_get_stack+0x307/0xa10 kernel/bpf/stackmap.c:483 ____bpf_get_stack kernel/bpf/stackmap.c:499 [inline] bpf_get_stack+0x32/0x40 kernel/bpf/stackmap.c:496 ____bpf_get_stack_raw_tp kernel/trace/bpf_trace.c:1941 [inline] bpf_get_stack_raw_tp+0x124/0x160 kernel/trace/bpf_trace.c:1931 bpf_prog_ec3b2eefa702d8d3+0x43/0x47 Tracepoint like trace_mmap_lock_acquire_returned may cause nested call as the corner case show above, which will be resolved with more general method in the future. As a result, WARN_ON_ONCE will be triggered. As Alexei suggested, remove the WARN_ON_ONCE first. | 2025-07-10 | not yet calculated | CVE-2025-38285 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: pinctrl: at91: Fix possible out-of-boundary access at91_gpio_probe() doesn't check that given OF alias is not available or something went wrong when trying to get it. This might have consequences when accessing gpio_chips array with that value as an index. Note, that BUG() can be compiled out and hence won't actually perform the required checks. | 2025-07-10 | not yet calculated | CVE-2025-38286 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: IB/cm: Drop lockdep assert and WARN when freeing old msg The send completion handler can run after cm_id has advanced to another message. The cm_id lock is not needed in this case, but a recent change re-used cm_free_priv_msg(), which asserts that the lock is held and WARNs if the cm_id's currently outstanding msg is different than the one being freed. | 2025-07-10 | not yet calculated | CVE-2025-38287 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels Correct kernel call trace when calling smp_processor_id() when called in preemptible kernels by using raw_smp_processor_id(). smp_processor_id() checks to see if preemption is disabled and if not, issue an error message followed by a call to dump_stack(). Brief example of call trace: kernel: check_preemption_disabled: 436 callbacks suppressed kernel: BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u1025:0/2354 kernel: caller is pqi_scsi_queue_command+0x183/0x310 [smartpqi] kernel: CPU: 129 PID: 2354 Comm: kworker/u1025:0 kernel: ... kernel: Workqueue: writeback wb_workfn (flush-253:0) kernel: Call Trace: kernel: <TASK> kernel: dump_stack_lvl+0x34/0x48 kernel: check_preemption_disabled+0xdd/0xe0 kernel: pqi_scsi_queue_command+0x183/0x310 [smartpqi] kernel: ... | 2025-07-10 | not yet calculated | CVE-2025-38288 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk Smatch detected a potential use-after-free of an ndlp oject in dev_loss_tmo_callbk during driver unload or fatal error handling. Fix by reordering code to avoid potential use-after-free if initial nodelist reference has been previously removed. | 2025-07-10 | not yet calculated | CVE-2025-38289 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath12k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head "arvifs", but the next of the list head "arvifs" no longer points to that list node. When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath12k_mac_vdev_delete(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic. The fix is to remove and reinitialize all vif list nodes from the list head "arvifs" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath12k_mac_vdev_delete() can execute normally. Call trace: __list_del_entry_valid_or_report+0xd4/0x100 (P) ath12k_mac_remove_link_interface.isra.0+0xf8/0x2e4 [ath12k] ath12k_scan_vdev_clean_work+0x40/0x164 [ath12k] cfg80211_wiphy_work+0xfc/0x100 process_one_work+0x164/0x2d0 worker_thread+0x254/0x380 kthread+0xfc/0x100 ret_from_fork+0x10/0x20 The change is mostly copied from the ath11k patch: https://lore.kernel.org/all/20250320053145.3445187-1-quic_stonez@quicinc.com/ Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 | 2025-07-10 | not yet calculated | CVE-2025-38290 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash Currently, we encounter the following kernel call trace when a firmware crash occurs. This happens because the host sends WMI commands to the firmware while it is in recovery, causing the commands to fail and resulting in the kernel call trace. Set the ATH12K_FLAG_CRASH_FLUSH and ATH12K_FLAG_RECOVERY flags when the host driver receives the firmware crash notification from MHI. This prevents sending WMI commands to the firmware during recovery. Call Trace: <TASK> dump_stack_lvl+0x75/0xc0 register_lock_class+0x6be/0x7a0 ? __lock_acquire+0x644/0x19a0 __lock_acquire+0x95/0x19a0 lock_acquire+0x265/0x310 ? ath12k_ce_send+0xa2/0x210 [ath12k] ? find_held_lock+0x34/0xa0 ? ath12k_ce_send+0x56/0x210 [ath12k] _raw_spin_lock_bh+0x33/0x70 ? ath12k_ce_send+0xa2/0x210 [ath12k] ath12k_ce_send+0xa2/0x210 [ath12k] ath12k_htc_send+0x178/0x390 [ath12k] ath12k_wmi_cmd_send_nowait+0x76/0xa0 [ath12k] ath12k_wmi_cmd_send+0x62/0x190 [ath12k] ath12k_wmi_pdev_bss_chan_info_request+0x62/0xc0 [ath1 ath12k_mac_op_get_survey+0x2be/0x310 [ath12k] ieee80211_dump_survey+0x99/0x240 [mac80211] nl80211_dump_survey+0xe7/0x470 [cfg80211] ? kmalloc_reserve+0x59/0xf0 genl_dumpit+0x24/0x70 netlink_dump+0x177/0x360 __netlink_dump_start+0x206/0x280 genl_family_rcv_msg_dumpit.isra.22+0x8a/0xe0 ? genl_family_rcv_msg_attrs_parse.isra.23+0xe0/0xe0 ? genl_op_lock.part.12+0x10/0x10 ? genl_dumpit+0x70/0x70 genl_rcv_msg+0x1d0/0x290 ? nl80211_del_station+0x330/0x330 [cfg80211] ? genl_get_cmd_both+0x50/0x50 netlink_rcv_skb+0x4f/0x100 genl_rcv+0x1f/0x30 netlink_unicast+0x1b6/0x260 netlink_sendmsg+0x31a/0x450 __sock_sendmsg+0xa8/0xb0 ____sys_sendmsg+0x1e4/0x260 ___sys_sendmsg+0x89/0xe0 ? local_clock_noinstr+0xb/0xc0 ? rcu_is_watching+0xd/0x40 ? kfree+0x1de/0x370 ? __sys_sendmsg+0x7a/0xc0 Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1 | 2025-07-10 | not yet calculated | CVE-2025-38291 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix invalid access to memory In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean is_continuation is part of rxcb. Currently, after freeing the skb, the rxcb->is_continuation accessed again which is wrong since the memory is already freed. This might lead use-after-free error. Hence, fix by locally defining bool is_continuation from rxcb, so that after freeing skb, is_continuation can be used. Compile tested only. | 2025-07-10 | not yet calculated | CVE-2025-38292 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the "arvifs" list head. This will cause the list node immediately following the list head to become an invalid list node. Because the prev of that node still points to the list head "arvifs", but the next of the list head "arvifs" no longer points to that list node. When a WLAN recovery occurs during the execution of a vif removal, and it happens before the spin_lock_bh(&ar->data_lock) in ath11k_mac_op_remove_interface(), list_del() will detect the previously mentioned situation, thereby triggering a kernel panic. The fix is to remove and reinitialize all vif list nodes from the list head "arvifs" during WLAN halt. The reinitialization is to make the list nodes valid, ensuring that the list_del() in ath11k_mac_op_remove_interface() can execute normally. Call trace: __list_del_entry_valid_or_report+0xb8/0xd0 ath11k_mac_op_remove_interface+0xb0/0x27c [ath11k] drv_remove_interface+0x48/0x194 [mac80211] ieee80211_do_stop+0x6e0/0x844 [mac80211] ieee80211_stop+0x44/0x17c [mac80211] __dev_close_many+0xac/0x150 __dev_change_flags+0x194/0x234 dev_change_flags+0x24/0x6c devinet_ioctl+0x3a0/0x670 inet_ioctl+0x200/0x248 sock_do_ioctl+0x60/0x118 sock_ioctl+0x274/0x35c __arm64_sys_ioctl+0xac/0xf0 invoke_syscall+0x48/0x114 ... Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04591-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1 | 2025-07-10 | not yet calculated | CVE-2025-38293 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix NULL access in assign channel context handler Currently, when ath12k_mac_assign_vif_to_vdev() fails, the radio handle (ar) gets accessed from the link VIF handle (arvif) for debug logging, This is incorrect. In the fail scenario, radio handle is NULL. Fix the NULL access, avoid radio handle access by moving to the hardware debug logging helper function (ath12k_hw_warn). Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 | 2025-07-10 | not yet calculated | CVE-2025-38294 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create() The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly uses smp_processor_id(), which assumes disabled preemption. This leads to kernel warnings during module loading because meson_ddr_pmu_create() can be called in a preemptible context. Following kernel warning and stack trace: [ 31.745138] [ T2289] BUG: using smp_processor_id() in preemptible [00000000] code: (udev-worker)/2289 [ 31.745154] [ T2289] caller is debug_smp_processor_id+0x28/0x38 [ 31.745172] [ T2289] CPU: 4 UID: 0 PID: 2289 Comm: (udev-worker) Tainted: GW 6.14.0-0-MANJARO-ARM #1 59519addcbca6ba8de735e151fd7b9e97aac7ff0 [ 31.745181] [ T2289] Tainted: [W]=WARN [ 31.745183] [ T2289] Hardware name: Hardkernel ODROID-N2Plus (DT) [ 31.745188] [ T2289] Call trace: [ 31.745191] [ T2289] show_stack+0x28/0x40 (C) [ 31.745199] [ T2289] dump_stack_lvl+0x4c/0x198 [ 31.745205] [ T2289] dump_stack+0x20/0x50 [ 31.745209] [ T2289] check_preemption_disabled+0xec/0xf0 [ 31.745213] [ T2289] debug_smp_processor_id+0x28/0x38 [ 31.745216] [ T2289] meson_ddr_pmu_create+0x200/0x560 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [ 31.745237] [ T2289] g12_ddr_pmu_probe+0x20/0x38 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [ 31.745246] [ T2289] platform_probe+0x98/0xe0 [ 31.745254] [ T2289] really_probe+0x144/0x3f8 [ 31.745258] [ T2289] __driver_probe_device+0xb8/0x180 [ 31.745261] [ T2289] driver_probe_device+0x54/0x268 [ 31.745264] [ T2289] __driver_attach+0x11c/0x288 [ 31.745267] [ T2289] bus_for_each_dev+0xfc/0x160 [ 31.745274] [ T2289] driver_attach+0x34/0x50 [ 31.745277] [ T2289] bus_add_driver+0x160/0x2b0 [ 31.745281] [ T2289] driver_register+0x78/0x120 [ 31.745285] [ T2289] __platform_driver_register+0x30/0x48 [ 31.745288] [ T2289] init_module+0x30/0xfe0 [meson_ddr_pmu_g12 8095101c49676ad138d9961e3eddaee10acca7bd] [ 31.745298] [ T2289] do_one_initcall+0x11c/0x438 [ 31.745303] [ T2289] do_init_module+0x68/0x228 [ 31.745311] [ T2289] load_module+0x118c/0x13a8 [ 31.745315] [ T2289] __arm64_sys_finit_module+0x274/0x390 [ 31.745320] [ T2289] invoke_syscall+0x74/0x108 [ 31.745326] [ T2289] el0_svc_common+0x90/0xf8 [ 31.745330] [ T2289] do_el0_svc+0x2c/0x48 [ 31.745333] [ T2289] el0_svc+0x60/0x150 [ 31.745337] [ T2289] el0t_64_sync_handler+0x80/0x118 [ 31.745341] [ T2289] el0t_64_sync+0x1b8/0x1c0 Changes replaces smp_processor_id() with raw_smp_processor_id() to ensure safe CPU ID retrieval in preemptible contexts. | 2025-07-10 | not yet calculated | CVE-2025-38295 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPI: platform_profile: Avoid initializing on non-ACPI platforms The platform profile driver is loaded even on platforms that do not have ACPI enabled. The initialization of the sysfs entries was recently moved from platform_profile_register() to the module init call, and those entries need acpi_kobj to be initialized which is not the case when ACPI is disabled. This results in the following warning: WARNING: CPU: 5 PID: 1 at fs/sysfs/group.c:131 internal_create_group+0xa22/0xdd8 Modules linked in: CPU: 5 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W 6.15.0-rc7-dirty #6 PREEMPT Tainted: [W]=WARN Hardware name: riscv-virtio,qemu (DT) epc : internal_create_group+0xa22/0xdd8 ra : internal_create_group+0xa22/0xdd8 Call Trace: internal_create_group+0xa22/0xdd8 sysfs_create_group+0x22/0x2e platform_profile_init+0x74/0xb2 do_one_initcall+0x198/0xa9e kernel_init_freeable+0x6d8/0x780 kernel_init+0x28/0x24c ret_from_fork+0xe/0x18 Fix this by checking if ACPI is enabled before trying to create sysfs entries. [ rjw: Subject and changelog edits ] | 2025-07-10 | not yet calculated | CVE-2025-38296 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PM: EM: Fix potential division-by-zero error in em_compute_costs() When the device is of a non-CPU type, table[i].performance won't be initialized in the previous em_init_performance(), resulting in division by zero when calculating costs in em_compute_costs(). Since the 'cost' algorithm is only used for EAS energy efficiency calculations and is currently not utilized by other device drivers, we should add the _is_cpu_device(dev) check to prevent this division-by-zero issue. | 2025-07-10 | not yet calculated | CVE-2025-38297 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: EDAC/skx_common: Fix general protection fault After loading i10nm_edac (which automatically loads skx_edac_common), if unload only i10nm_edac, then reload it and perform error injection testing, a general protection fault may occur: mce: [Hardware Error]: Machine check events logged Oops: general protection fault ... ... Workqueue: events mce_gen_pool_process RIP: 0010:string+0x53/0xe0 ... Call Trace: <TASK> ? die_addr+0x37/0x90 ? exc_general_protection+0x1e7/0x3f0 ? asm_exc_general_protection+0x26/0x30 ? string+0x53/0xe0 vsnprintf+0x23e/0x4c0 snprintf+0x4d/0x70 skx_adxl_decode+0x16a/0x330 [skx_edac_common] skx_mce_check_error.part.0+0xf8/0x220 [skx_edac_common] skx_mce_check_error+0x17/0x20 [skx_edac_common] ... The issue arose was because the variable 'adxl_component_count' (inside skx_edac_common), which counts the ADXL components, was not reset. During the reloading of i10nm_edac, the count was incremented by the actual number of ADXL components again, resulting in a count that was double the real number of ADXL components. This led to an out-of-bounds reference to the ADXL component array, causing the general protection fault above. Fix this issue by resetting the 'adxl_component_count' in adxl_put(), which is called during the unloading of {skx,i10nm}_edac. | 2025-07-10 | not yet calculated | CVE-2025-38298 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY() ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(), in the case the codec dai_name will be null. Avoid a crash if the device tree is not assigning a codec to these links. [ 1.179936] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 1.181065] Mem abort info: [ 1.181420] ESR = 0x0000000096000004 [ 1.181892] EC = 0x25: DABT (current EL), IL = 32 bits [ 1.182576] SET = 0, FnV = 0 [ 1.182964] EA = 0, S1PTW = 0 [ 1.183367] FSC = 0x04: level 0 translation fault [ 1.183983] Data abort info: [ 1.184406] ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 [ 1.185097] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 1.185766] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 1.186439] [0000000000000000] user address but active_mm is swapper [ 1.187239] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP [ 1.188029] Modules linked in: [ 1.188420] CPU: 7 UID: 0 PID: 70 Comm: kworker/u32:1 Not tainted 6.14.0-rc4-next-20250226+ #85 [ 1.189515] Hardware name: Radxa NIO 12L (DT) [ 1.190065] Workqueue: events_unbound deferred_probe_work_func [ 1.190808] pstate: 40400009 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 1.191683] pc : __pi_strcmp+0x24/0x140 [ 1.192170] lr : mt8195_mt6359_soc_card_probe+0x224/0x7b0 [ 1.192854] sp : ffff800083473970 [ 1.193271] x29: ffff800083473a10 x28: 0000000000001008 x27: 0000000000000002 [ 1.194168] x26: ffff800082408960 x25: ffff800082417db0 x24: ffff800082417d88 [ 1.195065] x23: 000000000000001e x22: ffff800082dbf480 x21: ffff800082dc07b8 [ 1.195961] x20: 0000000000000000 x19: 0000000000000013 x18: 00000000ffffffff [ 1.196858] x17: 000000040044ffff x16: 005000f2b5503510 x15: 0000000000000006 [ 1.197755] x14: ffff800082407af0 x13: 6e6f69737265766e x12: 692d6b636f6c6374 [ 1.198651] x11: 0000000000000002 x10: ffff80008240b920 x9 : 0000000000000018 [ 1.199547] x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000 [ 1.200443] x5 : 0000000000000000 x4 : 8080808080000000 x3 : 303933383978616d [ 1.201339] x2 : 0000000000000000 x1 : ffff80008240b920 x0 : 0000000000000000 [ 1.202236] Call trace: [ 1.202545] __pi_strcmp+0x24/0x140 (P) [ 1.203029] mtk_soundcard_common_probe+0x3bc/0x5b8 [ 1.203644] platform_probe+0x70/0xe8 [ 1.204106] really_probe+0xc8/0x3a0 [ 1.204556] __driver_probe_device+0x84/0x160 [ 1.205104] driver_probe_device+0x44/0x130 [ 1.205630] __device_attach_driver+0xc4/0x170 [ 1.206189] bus_for_each_drv+0x8c/0xf8 [ 1.206672] __device_attach+0xa8/0x1c8 [ 1.207155] device_initial_probe+0x1c/0x30 [ 1.207681] bus_probe_device+0xb0/0xc0 [ 1.208165] deferred_probe_work_func+0xa4/0x100 [ 1.208747] process_one_work+0x158/0x3e0 [ 1.209254] worker_thread+0x2c4/0x3e8 [ 1.209727] kthread+0x134/0x1f0 [ 1.210136] ret_from_fork+0x10/0x20 [ 1.210589] Code: 54000401 b50002c6 d503201f f86a6803 (f8408402) [ 1.211355] ---[ end trace 0000000000000000 ]--- | 2025-07-10 | not yet calculated | CVE-2025-38299 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare(): 1] If dma_map_sg() fails for areq->dst, the device driver would try to free DMA memory it has not allocated in the first place. To fix this, on the "theend_sgs" error path, call dma unmap only if the corresponding dma map was successful. 2] If the dma_map_single() call for the IV fails, the device driver would try to free an invalid DMA memory address on the "theend_iv" path: ------------[ cut here ]------------ DMA-API: sun8i-ce 1904000.crypto: device driver tries to free an invalid DMA memory address WARNING: CPU: 2 PID: 69 at kernel/dma/debug.c:968 check_unmap+0x123c/0x1b90 Modules linked in: skcipher_example(O+) CPU: 2 UID: 0 PID: 69 Comm: 1904000.crypto- Tainted: G O 6.15.0-rc3+ #24 PREEMPT Tainted: [O]=OOT_MODULE Hardware name: OrangePi Zero2 (DT) pc : check_unmap+0x123c/0x1b90 lr : check_unmap+0x123c/0x1b90 ... Call trace: check_unmap+0x123c/0x1b90 (P) debug_dma_unmap_page+0xac/0xc0 dma_unmap_page_attrs+0x1f4/0x5fc sun8i_ce_cipher_do_one+0x1bd4/0x1f40 crypto_pump_work+0x334/0x6e0 kthread_worker_fn+0x21c/0x438 kthread+0x374/0x664 ret_from_fork+0x10/0x20 ---[ end trace 0000000000000000 ]--- To fix this, check for !dma_mapping_error() before calling dma_unmap_single() on the "theend_iv" path. | 2025-07-10 | not yet calculated | CVE-2025-38300 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvmem: zynqmp_nvmem: unbreak driver after cleanup Commit 29be47fcd6a0 ("nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup") changed the driver to expect the device pointer to be passed as the "context", but in nvmem the context parameter comes from nvmem_config.priv which is never set - Leading to null pointer exceptions when the device is accessed. | 2025-07-10 | not yet calculated | CVE-2025-38301 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work Bios queued up in the zone write plug have already gone through all all preparation in the submit_bio path, including the freeze protection. Submitting them through submit_bio_noacct_nocheck duplicates the work and can can cause deadlocks when freezing a queue with pending bio write plugs. Go straight to ->submit_bio or blk_mq_submit_bio to bypass the superfluous extra freeze protection and checks. | 2025-07-10 | not yet calculated | CVE-2025-38302 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix possible crashes on eir_create_adv_data eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER without checking if that would fit. | 2025-07-10 | not yet calculated | CVE-2025-38303 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix NULL pointer deference on eir_get_service_data The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry of EIR_SERVICE_DATA. | 2025-07-10 | not yet calculated | CVE-2025-38304 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the ptp virtual clock is in use. However, when we acquire ptp->n_vclocks_mux to read ptp->n_vclocks in ptp_vclock_in_use(), we observe a recursive lock in the call trace starting from n_vclocks_store(). ============================================ WARNING: possible recursive locking detected 6.15.0-rc6 #1 Not tainted -------------------------------------------- syz.0.1540/13807 is trying to acquire lock: ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: ptp_vclock_in_use drivers/ptp/ptp_private.h:103 [inline] ffff888035a24868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: ptp_clock_unregister+0x21/0x250 drivers/ptp/ptp_clock.c:415 but task is already holding lock: ffff888030704868 (&ptp->n_vclocks_mux){+.+.}-{4:4}, at: n_vclocks_store+0xf1/0x6d0 drivers/ptp/ptp_sysfs.c:215 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&ptp->n_vclocks_mux); lock(&ptp->n_vclocks_mux); *** DEADLOCK *** .... ============================================ The best way to solve this is to remove the logic that checks ptp->n_vclocks in ptp_vclock_in_use(). The reason why this is appropriate is that any path that uses ptp->n_vclocks must unconditionally check if ptp->n_vclocks is greater than 0 before unregistering vclocks, and all functions are already written this way. And in the function that uses ptp->n_vclocks, we already get ptp->n_vclocks_mux before unregistering vclocks. Therefore, we need to remove the redundant check for ptp->n_vclocks in ptp_vclock_in_use() to prevent recursive locking. | 2025-07-10 | not yet calculated | CVE-2025-38305 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/fhandle.c: fix a race in call of has_locked_children() may_decode_fh() is calling has_locked_children() while holding no locks. That's an oopsable race... The rest of the callers are safe since they are holding namespace_sem and are guaranteed a positive refcount on the mount in question. Rename the current has_locked_children() to __has_locked_children(), make it static and switch the fs/namespace.c users to it. Make has_locked_children() a wrapper for __has_locked_children(), calling the latter under read_seqlock_excl(&mount_lock). | 2025-07-10 | not yet calculated | CVE-2025-38306 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Verify content returned by parse_int_array() The first element of the returned array stores its length. If it is 0, any manipulation beyond the element at index 0 ends with null-ptr-deref. | 2025-07-10 | not yet calculated | CVE-2025-38307 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Fix possible null-ptr-deref when initing hw Search result of avs_dai_find_path_template() shall be verified before being used. As 'template' is already known when avs_hw_constraints_init() is fired, drop the search entirely. | 2025-07-10 | not yet calculated | CVE-2025-38308 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/xe/vm: move xe_svm_init() earlier In xe_vm_close_and_put() we need to be able to call xe_svm_fini(), however during vm creation we can call this on the error path, before having actually initialised the svm state, leading to various splats followed by a fatal NPD. (cherry picked from commit 4f296d77cf49fcb5f90b4674123ad7f3a0676165) | 2025-07-10 | not yet calculated | CVE-2025-38309 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validation of nexthop addresses The kernel currently validates that the length of the provided nexthop address does not exceed the specified length. This can lead to the kernel reading uninitialized memory if user space provided a shorter length than the specified one. Fix by validating that the provided length exactly matches the specified one. | 2025-07-10 | not yet calculated | CVE-2025-38310 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iavf: get rid of the crit lock Get rid of the crit lock. That frees us from the error prone logic of try_locks. Thanks to netdev_lock() by Jakub it is now easy, and in most cases we were protected by it already - replace crit lock by netdev lock when it was not the case. Lockdep reports that we should cancel the work under crit_lock [splat1], and that was the scheme we have mostly followed since [1] by Slawomir. But when that is done we still got into deadlocks [splat2]. So instead we should look at the bigger problem, namely "weird locking/scheduling" of the iavf. The first step to fix that is to remove the crit lock. I will followup with a -next series that simplifies scheduling/tasks. Cancel the work without netdev lock (weird unlock+lock scheme), to fix the [splat2] (which would be totally ugly if we would kept the crit lock). Extend protected part of iavf_watchdog_task() to include scheduling more work. Note that the removed comment in iavf_reset_task() was misplaced, it belonged to inside of the removed if condition, so it's gone now. [splat1] - w/o this patch - The deadlock during VF removal: WARNING: possible circular locking dependency detected sh/3825 is trying to acquire lock: ((work_completion)(&(&adapter->watchdog_task)->work)){+.+.}-{0:0}, at: start_flush_work+0x1a1/0x470 but task is already holding lock: (&adapter->crit_lock){+.+.}-{4:4}, at: iavf_remove+0xd1/0x690 [iavf] which lock already depends on the new lock. [splat2] - when cancelling work under crit lock, w/o this series, see [2] for the band aid attempt WARNING: possible circular locking dependency detected sh/3550 is trying to acquire lock: ((wq_completion)iavf){+.+.}-{0:0}, at: touch_wq_lockdep_map+0x26/0x90 but task is already holding lock: (&dev->lock){+.+.}-{4:4}, at: iavf_remove+0xa6/0x6e0 [iavf] which lock already depends on the new lock. [1] fc2e6b3b132a ("iavf: Rework mutexes for better synchronisation") [2] https://github.com/pkitszel/linux/commit/52dddbfc2bb60294083f5711a158a | 2025-07-10 | not yet calculated | CVE-2025-38311 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when multiplying it by 2 due to overflow. It's then passed to fb_cvt_hperiod(), where it's used as a divider -- division by 0 will result in kernel oops. Add a sanity check for cvt.f_refresh to avoid such overflow... Found by Linux Verification Center (linuxtesting.org) with the Svace static analysis tool. | 2025-07-10 | not yet calculated | CVE-2025-38312 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix double-free on mc_dev The blamed commit tried to simplify how the deallocations are done but, in the process, introduced a double-free on the mc_dev variable. In case the MC device is a DPRC, a new mc_bus is allocated and the mc_dev variable is just a reference to one of its fields. In this circumstance, on the error path only the mc_bus should be freed. This commit introduces back the following checkpatch warning which is a false-positive. WARNING: kfree(NULL) is safe and this check is probably not required + if (mc_bus) + kfree(mc_bus); | 2025-07-10 | not yet calculated | CVE-2025-38313 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: virtio-pci: Fix result size returned for the admin command completion The result size returned by virtio_pci_admin_dev_parts_get() is 8 bytes larger than the actual result data size. This occurs because the result_sg_size field of the command is filled with the result length from virtqueue_get_buf(), which includes both the data size and an additional 8 bytes of status. This oversized result size causes two issues: 1. The state transferred to the destination includes 8 bytes of extra data at the end. 2. The allocated buffer in the kernel may be smaller than the returned size, leading to failures when reading beyond the allocated size. The commit fixes this by subtracting the status size from the result of virtqueue_get_buf(). This fix has been tested through live migrations with virtio-net, virtio-net-transitional, and virtio-blk devices. | 2025-07-10 | not yet calculated | CVE-2025-38314 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: Check dsbr size from EFI variable Since the size of struct btintel_dsbr is already known, we can just start there instead of querying the EFI variable size. If the final result doesn't match what we expect also fail. This fixes a stack buffer overflow when the EFI variable is larger than struct btintel_dsbr. | 2025-07-10 | not yet calculated | CVE-2025-38315 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: avoid NULL pointer dereference in mt7996_set_monitor() The function mt7996_set_monitor() dereferences phy before the NULL sanity check. Fix this to avoid NULL pointer dereference by moving the dereference after the check. | 2025-07-10 | not yet calculated | CVE-2025-38316 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix buffer overflow in debugfs If the user tries to write more than 32 bytes then it results in memory corruption. Fortunately, this is debugfs so it's limited to root users. | 2025-07-10 | not yet calculated | CVE-2025-38317 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf: arm-ni: Fix missing platform_set_drvdata() Add missing platform_set_drvdata in arm_ni_probe(), otherwise calling platform_get_drvdata() in remove returns NULL. | 2025-07-10 | not yet calculated | CVE-2025-38318 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table The function atomctrl_initialize_mc_reg_table() and atomctrl_initialize_mc_reg_table_v2_2() does not check the return value of smu_atom_get_data_table(). If smu_atom_get_data_table() fails to retrieve vram_info, it returns NULL which is later dereferenced. | 2025-07-10 | not yet calculated | CVE-2025-38319 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() KASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth(). Call Trace: [ 97.283505] BUG: KASAN: stack-out-of-bounds in regs_get_kernel_stack_nth+0xa8/0xc8 [ 97.284677] Read of size 8 at addr ffff800089277c10 by task 1.sh/2550 [ 97.285732] [ 97.286067] CPU: 7 PID: 2550 Comm: 1.sh Not tainted 6.6.0+ #11 [ 97.287032] Hardware name: linux,dummy-virt (DT) [ 97.287815] Call trace: [ 97.288279] dump_backtrace+0xa0/0x128 [ 97.288946] show_stack+0x20/0x38 [ 97.289551] dump_stack_lvl+0x78/0xc8 [ 97.290203] print_address_description.constprop.0+0x84/0x3c8 [ 97.291159] print_report+0xb0/0x280 [ 97.291792] kasan_report+0x84/0xd0 [ 97.292421] __asan_load8+0x9c/0xc0 [ 97.293042] regs_get_kernel_stack_nth+0xa8/0xc8 [ 97.293835] process_fetch_insn+0x770/0xa30 [ 97.294562] kprobe_trace_func+0x254/0x3b0 [ 97.295271] kprobe_dispatcher+0x98/0xe0 [ 97.295955] kprobe_breakpoint_handler+0x1b0/0x210 [ 97.296774] call_break_hook+0xc4/0x100 [ 97.297451] brk_handler+0x24/0x78 [ 97.298073] do_debug_exception+0xac/0x178 [ 97.298785] el1_dbg+0x70/0x90 [ 97.299344] el1h_64_sync_handler+0xcc/0xe8 [ 97.300066] el1h_64_sync+0x78/0x80 [ 97.300699] kernel_clone+0x0/0x500 [ 97.301331] __arm64_sys_clone+0x70/0x90 [ 97.302084] invoke_syscall+0x68/0x198 [ 97.302746] el0_svc_common.constprop.0+0x11c/0x150 [ 97.303569] do_el0_svc+0x38/0x50 [ 97.304164] el0_svc+0x44/0x1d8 [ 97.304749] el0t_64_sync_handler+0x100/0x130 [ 97.305500] el0t_64_sync+0x188/0x190 [ 97.306151] [ 97.306475] The buggy address belongs to stack of task 1.sh/2550 [ 97.307461] and is located at offset 0 in frame: [ 97.308257] __se_sys_clone+0x0/0x138 [ 97.308910] [ 97.309241] This frame has 1 object: [ 97.309873] [48, 184) 'args' [ 97.309876] [ 97.310749] The buggy address belongs to the virtual mapping at [ 97.310749] [ffff800089270000, ffff800089279000) created by: [ 97.310749] dup_task_struct+0xc0/0x2e8 [ 97.313347] [ 97.313674] The buggy address belongs to the physical page: [ 97.314604] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x14f69a [ 97.315885] flags: 0x15ffffe00000000(node=1|zone=2|lastcpupid=0xfffff) [ 97.316957] raw: 015ffffe00000000 0000000000000000 dead000000000122 0000000000000000 [ 97.318207] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 97.319445] page dumped because: kasan: bad access detected [ 97.320371] [ 97.320694] Memory state around the buggy address: [ 97.321511] ffff800089277b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 97.322681] ffff800089277b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 97.323846] >ffff800089277c00: 00 00 f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 00 00 [ 97.325023] ^ [ 97.325683] ffff800089277c80: 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 f3 f3 [ 97.326856] ffff800089277d00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 This issue seems to be related to the behavior of some gcc compilers and was also fixed on the s390 architecture before: commit d93a855c31b7 ("s390/ptrace: Avoid KASAN false positives in regs_get_kernel_stack_nth()") As described in that commit, regs_get_kernel_stack_nth() has confirmed that `addr` is on the stack, so reading the value at `*addr` should be allowed. Use READ_ONCE_NOCHECK() helper to silence the KASAN check for this case. [will: Use '*addr' as the argument to READ_ONCE_NOCHECK()] | 2025-07-10 | not yet calculated | CVE-2025-38320 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: Log an error when close_all_cached_dirs fails Under low-memory conditions, close_all_cached_dirs() can't move the dentries to a separate list to dput() them once the locks are dropped. This will result in a "Dentry still in use" error, so add an error message that makes it clear this is what happened: [ 495.281119] CIFS: VFS: \\otters.example.com\share Out of memory while dropping dentries [ 495.281595] ------------[ cut here ]------------ [ 495.281887] BUG: Dentry ffff888115531138{i=78,n=/} still in use (2) [unmount of cifs cifs] [ 495.282391] WARNING: CPU: 1 PID: 2329 at fs/dcache.c:1536 umount_check+0xc8/0xf0 Also, bail out of looping through all tcons as soon as a single allocation fails, since we're already in trouble, and kmalloc() attempts for subseqeuent tcons are likely to fail just like the first one did. | 2025-07-10 | not yet calculated | CVE-2025-38321 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix crash in icl_update_topdown_event() The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000 CPU: 23 UID: 0 PID: 0 Comm: swapper/23 Tainted: [W]=WARN Hardware name: Dell Inc. Precision 9660/0VJ762 RIP: 0010:native_read_pmc+0x7/0x40 Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ... RSP: 000:fffb03100273de8 EFLAGS: 00010046 .... Call Trace: <TASK> icl_update_topdown_event+0x165/0x190 ? ktime_get+0x38/0xd0 intel_pmu_read_event+0xf9/0x210 __perf_event_read+0xf9/0x210 CPUs 16-23 are E-core CPUs that don't support the perf metrics feature. The icl_update_topdown_event() should not be invoked on these CPUs. It's a regression of commit: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read") The bug introduced by that commit is that the is_topdown_event() function is mistakenly used to replace the is_topdown_count() call to check if the topdown functions for the perf metrics feature should be invoked. Fix it. | 2025-07-10 | not yet calculated | CVE-2025-38322 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: atm: add lec_mutex syzbot found its way in net/atm/lec.c, and found an error path in lecd_attach() could leave a dangling pointer in dev_lec[]. Add a mutex to protect dev_lecp[] uses from lecd_attach(), lec_vcc_attach() and lec_mcast_attach(). Following patch will use this mutex for /proc/net/atm/lec. BUG: KASAN: slab-use-after-free in lecd_attach net/atm/lec.c:751 [inline] BUG: KASAN: slab-use-after-free in lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008 Read of size 8 at addr ffff88807c7b8e68 by task syz.1.17/6142 CPU: 1 UID: 0 PID: 6142 Comm: syz.1.17 Not tainted 6.16.0-rc1-syzkaller-00239-g08215f5486ec #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xcd/0x680 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 lecd_attach net/atm/lec.c:751 [inline] lane_ioctl+0x2224/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f </TASK> Allocated by task 6132: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4328 [inline] __kvmalloc_node_noprof+0x27b/0x620 mm/slub.c:5015 alloc_netdev_mqs+0xd2/0x1570 net/core/dev.c:11711 lecd_attach net/atm/lec.c:737 [inline] lane_ioctl+0x17db/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4c0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6132: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2381 [inline] slab_free mm/slub.c:4643 [inline] kfree+0x2b4/0x4d0 mm/slub.c:4842 free_netdev+0x6c5/0x910 net/core/dev.c:11892 lecd_attach net/atm/lec.c:744 [inline] lane_ioctl+0x1ce8/0x23e0 net/atm/lec.c:1008 do_vcc_ioctl+0x12c/0x930 net/atm/ioctl.c:159 sock_do_ioctl+0x118/0x280 net/socket.c:1190 sock_ioctl+0x227/0x6b0 net/socket.c:1311 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl fs/ioctl.c:893 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:893 | 2025-07-10 | not yet calculated | CVE-2025-38323 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). As syzbot reported [0], mpls_route_input_rcu() can be called from mpls_getroute(), where is under RTNL. net->mpls.platform_label is only updated under RTNL. Let's use rcu_dereference_rtnl() in mpls_route_input_rcu() to silence the splat. [0]: WARNING: suspicious RCU usage 6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 Not tainted ---------------------------- net/mpls/af_mpls.c:84 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by syz.2.4451/17730: #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnl_lock net/core/rtnetlink.c:80 [inline] #0: ffffffff9012a3e8 (rtnl_mutex){+.+.}-{4:4}, at: rtnetlink_rcv_msg+0x371/0xe90 net/core/rtnetlink.c:6961 stack backtrace: CPU: 1 UID: 0 PID: 17730 Comm: syz.2.4451 Not tainted 6.15.0-rc7-syzkaller-00082-g5cdb2c77c4c3 #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x16c/0x1f0 lib/dump_stack.c:120 lockdep_rcu_suspicious+0x166/0x260 kernel/locking/lockdep.c:6865 mpls_route_input_rcu+0x1d4/0x200 net/mpls/af_mpls.c:84 mpls_getroute+0x621/0x1ea0 net/mpls/af_mpls.c:2381 rtnetlink_rcv_msg+0x3c9/0xe90 net/core/rtnetlink.c:6964 netlink_rcv_skb+0x16d/0x440 net/netlink/af_netlink.c:2534 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x53a/0x7f0 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x8d1/0xdd0 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg net/socket.c:727 [inline] ____sys_sendmsg+0xa98/0xc70 net/socket.c:2566 ___sys_sendmsg+0x134/0x1d0 net/socket.c:2620 __sys_sendmmsg+0x200/0x420 net/socket.c:2709 __do_sys_sendmmsg net/socket.c:2736 [inline] __se_sys_sendmmsg net/socket.c:2733 [inline] __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2733 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x230 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0a2818e969 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f0a28f52038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f0a283b5fa0 RCX: 00007f0a2818e969 RDX: 0000000000000003 RSI: 0000200000000080 RDI: 0000000000000003 RBP: 00007f0a28210ab1 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f0a283b5fa0 R15: 00007ffce5e9f268 </TASK> | 2025-07-10 | not yet calculated | CVE-2025-38324 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: add free_transport ops in ksmbd connection free_transport function for tcp connection can be called from smbdirect. It will cause kernel oops. This patch add free_transport ops in ksmbd connection, and add each free_transports for tcp and smbdirect. | 2025-07-10 | not yet calculated | CVE-2025-38325 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: aoe: clean device rq_list in aoedev_downdev() An aoe device's rq_list contains accepted block requests that are waiting to be transmitted to the aoe target. This queue was added as part of the conversion to blk_mq. However, the queue was not cleaned out when an aoe device is downed which caused blk_mq_freeze_queue() to sleep indefinitely waiting for those requests to complete, causing a hang. This fix cleans out the queue before calling blk_mq_freeze_queue(). | 2025-07-10 | not yet calculated | CVE-2025-38326 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fgraph: Do not enable function_graph tracer when setting funcgraph-args When setting the funcgraph-args option when function graph tracer is net enabled, it incorrectly enables it. Worse, it unregisters itself when it was never registered. Then when it gets enabled again, it will register itself a second time causing a WARNing. ~# echo 1 > /sys/kernel/tracing/options/funcgraph-args ~# head -20 /sys/kernel/tracing/trace # tracer: nop # # entries-in-buffer/entries-written: 813/26317372 #P:8 # # _-----=> irqs-off/BH-disabled # / _----=> need-resched # | / _---=> hardirq/softirq # || / _--=> preempt-depth # ||| / _-=> migrate-disable # |||| / delay # TASK-PID CPU# ||||| TIMESTAMP FUNCTION # | | | ||||| | | <idle>-0 [007] d..4. 358.966010: 7) 1.692 us | fetch_next_timer_interrupt(basej=4294981640, basem=357956000000, base_local=0xffff88823c3ae040, base_global=0xffff88823c3af300, tevt=0xffff888100e47cb8); <idle>-0 [007] d..4. 358.966012: 7) | tmigr_cpu_deactivate(nextexp=357988000000) { <idle>-0 [007] d..4. 358.966013: 7) | _raw_spin_lock(lock=0xffff88823c3b2320) { <idle>-0 [007] d..4. 358.966014: 7) 0.981 us | preempt_count_add(val=1); <idle>-0 [007] d..5. 358.966017: 7) 1.058 us | do_raw_spin_lock(lock=0xffff88823c3b2320); <idle>-0 [007] d..4. 358.966019: 7) 5.824 us | } <idle>-0 [007] d..5. 358.966021: 7) | tmigr_inactive_up(group=0xffff888100cb9000, child=0x0, data=0xffff888100e47bc0) { <idle>-0 [007] d..5. 358.966022: 7) | tmigr_update_events(group=0xffff888100cb9000, child=0x0, data=0xffff888100e47bc0) { Notice the "tracer: nop" at the top there. The current tracer is the "nop" tracer, but the content is obviously the function graph tracer. Enabling function graph tracing will cause it to register again and trigger a warning in the accounting: ~# echo function_graph > /sys/kernel/tracing/current_tracer -bash: echo: write error: Device or resource busy With the dmesg of: ------------[ cut here ]------------ WARNING: CPU: 7 PID: 1095 at kernel/trace/ftrace.c:3509 ftrace_startup_subops+0xc1e/0x1000 Modules linked in: kvm_intel kvm irqbypass CPU: 7 UID: 0 PID: 1095 Comm: bash Not tainted 6.16.0-rc2-test-00006-gea03de4105d3 #24 PREEMPT Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:ftrace_startup_subops+0xc1e/0x1000 Code: 48 b8 22 01 00 00 00 00 ad de 49 89 84 24 88 01 00 00 8b 44 24 08 89 04 24 e9 c3 f7 ff ff c7 04 24 ed ff ff ff e9 b7 f7 ff ff <0f> 0b c7 04 24 f0 ff ff ff e9 a9 f7 ff ff c7 04 24 f4 ff ff ff e9 RSP: 0018:ffff888133cff948 EFLAGS: 00010202 RAX: 0000000000000001 RBX: 1ffff1102679ff31 RCX: 0000000000000000 RDX: 1ffffffff0b27a60 RSI: ffffffff8593d2f0 RDI: ffffffff85941140 RBP: 00000000000c2041 R08: ffffffffffffffff R09: ffffed1020240221 R10: ffff88810120110f R11: ffffed1020240214 R12: ffffffff8593d2f0 R13: ffffffff8593d300 R14: ffffffff85941140 R15: ffffffff85631100 FS: 00007f7ec6f28740(0000) GS:ffff8882b5251000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7ec6f181c0 CR3: 000000012f1d0005 CR4: 0000000000172ef0 Call Trace: <TASK> ? __pfx_ftrace_startup_subops+0x10/0x10 ? find_held_lock+0x2b/0x80 ? ftrace_stub_direct_tramp+0x10/0x10 ? ftrace_stub_direct_tramp+0x10/0x10 ? trace_preempt_on+0xd0/0x110 ? __pfx_trace_graph_entry_args+0x10/ ---truncated--- | 2025-07-10 | not yet calculated | CVE-2025-38327 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Fuzzing hit another invalid pointer dereference due to the lack of checking whether jffs2_prealloc_raw_node_refs() completed successfully. Subsequent logic implies that the node refs have been allocated. Handle that. The code is ready for propagating the error upwards. KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 5835 Comm: syz-executor145 Not tainted 5.10.234-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:jffs2_link_node_ref+0xac/0x690 fs/jffs2/nodelist.c:600 Call Trace: jffs2_mark_erased_block fs/jffs2/erase.c:460 [inline] jffs2_erase_pending_blocks+0x688/0x1860 fs/jffs2/erase.c:118 jffs2_garbage_collect_pass+0x638/0x1a00 fs/jffs2/gc.c:253 jffs2_reserve_space+0x3f4/0xad0 fs/jffs2/nodemgmt.c:167 jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 jffs2_write_end+0x712/0x1110 fs/jffs2/file.c:302 generic_perform_write+0x2c2/0x500 mm/filemap.c:3347 __generic_file_write_iter+0x252/0x610 mm/filemap.c:3465 generic_file_write_iter+0xdb/0x230 mm/filemap.c:3497 call_write_iter include/linux/fs.h:2039 [inline] do_iter_readv_writev+0x46d/0x750 fs/read_write.c:740 do_iter_write+0x18c/0x710 fs/read_write.c:866 vfs_writev+0x1db/0x6a0 fs/read_write.c:939 do_pwritev fs/read_write.c:1036 [inline] __do_sys_pwritev fs/read_write.c:1083 [inline] __se_sys_pwritev fs/read_write.c:1078 [inline] __x64_sys_pwritev+0x235/0x310 fs/read_write.c:1078 do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-07-10 | not yet calculated | CVE-2025-38328 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix OOB memory read access in KUnit test (wmfw info) KASAN reported out of bounds access - cs_dsp_mock_wmfw_add_info(), because the source string length was rounded up to the allocation size. | 2025-07-10 | not yet calculated | CVE-2025-38329 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix OOB memory read access in KUnit test (ctl cache) KASAN reported out of bounds access - cs_dsp_ctl_cache_init_multiple_offsets(). The code uses mock_coeff_template.length_bytes (4 bytes) for register value allocations. But later, this length is set to 8 bytes which causes test code failures. As fix, just remove the lenght override, keeping the original value 4 for all operations. | 2025-07-10 | not yet calculated | CVE-2025-38330 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: cortina: Use TOE/TSO on all TCP It is desireable to push the hardware accelerator to also process non-segmented TCP frames: we pass the skb->len to the "TOE/TSO" offloader and it will handle them. Without this quirk the driver becomes unstable and lock up and and crash. I do not know exactly why, but it is probably due to the TOE (TCP offload engine) feature that is coupled with the segmentation feature - it is not possible to turn one part off and not the other, either both TOE and TSO are active, or neither of them. Not having the TOE part active seems detrimental, as if that hardware feature is not really supposed to be turned off. The datasheet says: "Based on packet parsing and TCP connection/NAT table lookup results, the NetEngine puts the packets belonging to the same TCP connection to the same queue for the software to process. The NetEngine puts incoming packets to the buffer or series of buffers for a jumbo packet. With this hardware acceleration, IP/TCP header parsing, checksum validation and connection lookup are offloaded from the software processing." After numerous tests with the hardware locking up after something between minutes and hours depending on load using iperf3 I have concluded this is necessary to stabilize the hardware. | 2025-07-10 | not yet calculated | CVE-2025-38331 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Use memcpy() for BIOS version The strlcat() with FORTIFY support is triggering a panic because it thinks the target buffer will overflow although the correct target buffer size is passed in. Anyway, instead of memset() with 0 followed by a strlcat(), just use memcpy() and ensure that the resulting buffer is NULL terminated. BIOSVersion is only used for the lpfc_printf_log() which expects a properly terminated string. | 2025-07-10 | not yet calculated | CVE-2025-38332 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to bail out in get_new_segment() ------------[ cut here ]------------ WARNING: CPU: 3 PID: 579 at fs/f2fs/segment.c:2832 new_curseg+0x5e8/0x6dc pc : new_curseg+0x5e8/0x6dc Call trace: new_curseg+0x5e8/0x6dc f2fs_allocate_data_block+0xa54/0xe28 do_write_page+0x6c/0x194 f2fs_do_write_node_page+0x38/0x78 __write_node_page+0x248/0x6d4 f2fs_sync_node_pages+0x524/0x72c f2fs_write_checkpoint+0x4bc/0x9b0 __checkpoint_and_complete_reqs+0x80/0x244 issue_checkpoint_thread+0x8c/0xec kthread+0x114/0x1bc ret_from_fork+0x10/0x20 get_new_segment() detects inconsistent status in between free_segmap and free_secmap, let's record such error into super block, and bail out get_new_segment() instead of continue using the segment. | 2025-07-10 | not yet calculated | CVE-2025-38333 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Prevent attempts to reclaim poisoned pages TL;DR: SGX page reclaim touches the page to copy its contents to secondary storage. SGX instructions do not gracefully handle machine checks. Despite this, the existing SGX code will try to reclaim pages that it _knows_ are poisoned. Avoid even trying to reclaim poisoned pages. The longer story: Pages used by an enclave only get epc_page->poison set in arch_memory_failure() but they currently stay on sgx_active_page_list until sgx_encl_release(), with the SGX_EPC_PAGE_RECLAIMER_TRACKED flag untouched. epc_page->poison is not checked in the reclaimer logic meaning that, if other conditions are met, an attempt will be made to reclaim an EPC page that was poisoned. This is bad because 1. we don't want that page to end up added to another enclave and 2. it is likely to cause one core to shut down and the kernel to panic. Specifically, reclaiming uses microcode operations including "EWB" which accesses the EPC page contents to encrypt and write them out to non-SGX memory. Those operations cannot handle MCEs in their accesses other than by putting the executing core into a special shutdown state (affecting both threads with HT.) The kernel will subsequently panic on the remaining cores seeing the core didn't enter MCE handler(s) in time. Call sgx_unmark_page_reclaimable() to remove the affected EPC page from sgx_active_page_list on memory error to stop it being considered for reclaiming. Testing epc_page->poison in sgx_reclaim_pages() would also work but I assume it's better to add code in the less likely paths. The affected EPC page is not added to &node->sgx_poison_page_list until later in sgx_encl_release()->sgx_free_epc_page() when it is EREMOVEd. Membership on other lists doesn't change to avoid changing any of the lists' semantics except for sgx_active_page_list. There's a "TBD" comment in arch_memory_failure() about pre-emptive actions, the goal here is not to address everything that it may imply. This also doesn't completely close the time window when a memory error notification will be fatal (for a not previously poisoned EPC page) -- the MCE can happen after sgx_reclaim_pages() has selected its candidates or even *inside* a microcode operation (actually easy to trigger due to the amount of time spent in them.) The spinlock in sgx_unmark_page_reclaimable() is safe because memory_failure() runs in process context and no spinlocks are held, explicitly noted in a mm/memory-failure.c comment. | 2025-07-10 | not yet calculated | CVE-2025-38334 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in hard irq context, but the input_event() takes a spin_lock, which isn't allowed there as it is converted to a rt_spin_lock(). [ 4054.289999] BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:48 [ 4054.290028] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/0 ... [ 4054.290195] __might_resched+0x13c/0x1f4 [ 4054.290209] rt_spin_lock+0x54/0x11c [ 4054.290219] input_event+0x48/0x80 [ 4054.290230] gpio_keys_irq_timer+0x4c/0x78 [ 4054.290243] __hrtimer_run_queues+0x1a4/0x438 [ 4054.290257] hrtimer_interrupt+0xe4/0x240 [ 4054.290269] arch_timer_handler_phys+0x2c/0x44 [ 4054.290283] handle_percpu_devid_irq+0x8c/0x14c [ 4054.290297] handle_irq_desc+0x40/0x58 [ 4054.290307] generic_handle_domain_irq+0x1c/0x28 [ 4054.290316] gic_handle_irq+0x44/0xcc Considering the gpio_keys_irq_isr() can run in any context, e.g. it can be threaded, it seems there's no point in requesting the timer isr to run in hard irq context. Relax the hrtimer not to use the hard context. | 2025-07-10 | not yet calculated | CVE-2025-38335 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 The controller has a hardware bug that can hard hang the system when doing ATAPI DMAs without any trace of what happened. Depending on the device attached, it can also prevent the system from booting. In this case, the system hangs when reading the ATIP from optical media with cdrecord -vvv -atip on an _NEC DVD_RW ND-4571A 1-01 and an Optiarc DVD RW AD-7200A 1.06 attached to an ASRock 990FX Extreme 4, running at UDMA/33. The issue can be reproduced by running the same command with a cygwin build of cdrecord on WinXP, although it requires more attempts to cause it. The hang in that case is also resolved by forcing PIO. It doesn't appear that VIA has produced any drivers for that OS, thus no known workaround exists. HDDs attached to the controller do not suffer from any DMA issues. | 2025-07-10 | not yet calculated | CVE-2025-38336 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Since handle->h_transaction may be a NULL pointer, so we should change it to call is_handle_aborted(handle) first before dereferencing it. And the following data-race was reported in my fuzzer: ================================================================== BUG: KCSAN: data-race in jbd2_journal_dirty_metadata / jbd2_journal_dirty_metadata write to 0xffff888011024104 of 4 bytes by task 10881 on cpu 1: jbd2_journal_dirty_metadata+0x2a5/0x770 fs/jbd2/transaction.c:1556 __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 ext4_do_update_inode fs/ext4/inode.c:5220 [inline] ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 .... read to 0xffff888011024104 of 4 bytes by task 10880 on cpu 0: jbd2_journal_dirty_metadata+0xf2/0x770 fs/jbd2/transaction.c:1512 __ext4_handle_dirty_metadata+0xe7/0x4b0 fs/ext4/ext4_jbd2.c:358 ext4_do_update_inode fs/ext4/inode.c:5220 [inline] ext4_mark_iloc_dirty+0x32c/0xd50 fs/ext4/inode.c:5869 __ext4_mark_inode_dirty+0xe1/0x450 fs/ext4/inode.c:6074 ext4_dirty_inode+0x98/0xc0 fs/ext4/inode.c:6103 .... value changed: 0x00000000 -> 0x00000001 ================================================================== This issue is caused by missing data-race annotation for jh->b_modified. Therefore, the missing annotation needs to be added. | 2025-07-10 | not yet calculated | CVE-2025-38337 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() Sometimes, when a file was read while it was being truncated by another NFS client, the kernel could deadlock because folio_unlock() was called twice, and the second call would XOR back the `PG_locked` flag. Most of the time (depending on the timing of the truncation), nobody notices the problem because folio_unlock() gets called three times, which flips `PG_locked` back off: 1. vfs_read, nfs_read_folio, ... nfs_read_add_folio, nfs_return_empty_folio 2. vfs_read, nfs_read_folio, ... netfs_read_collection, netfs_unlock_abandoned_read_pages 3. vfs_read, ... nfs_do_read_folio, nfs_read_add_folio, nfs_return_empty_folio The problem is that nfs_read_add_folio() is not supposed to unlock the folio if fscache is enabled, and a nfs_netfs_folio_unlock() check is missing in nfs_return_empty_folio(). Rarely this leads to a warning in netfs_read_collection(): ------------[ cut here ]------------ R=0000031c: folio 10 is not locked WARNING: CPU: 0 PID: 29 at fs/netfs/read_collect.c:133 netfs_read_collection+0x7c0/0xf00 [...] Workqueue: events_unbound netfs_read_collection_worker RIP: 0010:netfs_read_collection+0x7c0/0xf00 [...] Call Trace: <TASK> netfs_read_collection_worker+0x67/0x80 process_one_work+0x12e/0x2c0 worker_thread+0x295/0x3a0 Most of the time, however, processes just get stuck forever in folio_wait_bit_common(), waiting for `PG_locked` to disappear, which never happens because nobody is really holding the folio lock. | 2025-07-10 | not yet calculated | CVE-2025-38338 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/bpf: fix JIT code size calculation of bpf trampoline arch_bpf_trampoline_size() provides JIT size of the BPF trampoline before the buffer for JIT'ing it is allocated. The total number of instructions emitted for BPF trampoline JIT code depends on where the final image is located. So, the size arrived at with the dummy pass in arch_bpf_trampoline_size() can vary from the actual size needed in arch_prepare_bpf_trampoline(). When the instructions accounted in arch_bpf_trampoline_size() is less than the number of instructions emitted during the actual JIT compile of the trampoline, the below warning is produced: WARNING: CPU: 8 PID: 204190 at arch/powerpc/net/bpf_jit_comp.c:981 __arch_prepare_bpf_trampoline.isra.0+0xd2c/0xdcc which is: /* Make sure the trampoline generation logic doesn't overflow */ if (image && WARN_ON_ONCE(&image[ctx->idx] > (u32 *)rw_image_end - BPF_INSN_SAFETY)) { So, during the dummy pass, instead of providing some arbitrary image location, account for maximum possible instructions if and when there is a dependency with image location for JIT'ing. | 2025-07-10 | not yet calculated | CVE-2025-38339 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix OOB memory read access in KUnit test KASAN reported out of bounds access - cs_dsp_mock_bin_add_name_or_info(), because the source string length was rounded up to the allocation size. | 2025-07-10 | not yet calculated | CVE-2025-38340 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: eth: fbnic: avoid double free when failing to DMA-map FW msg The semantics are that caller of fbnic_mbx_map_msg() retains the ownership of the message on error. All existing callers dutifully free the page. | 2025-07-10 | not yet calculated | CVE-2025-38341 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: software node: Correct a OOB check in software_node_get_reference_args() software_node_get_reference_args() wants to get @index-th element, so the property value requires at least '(index + 1) * sizeof(*ref)' bytes but that can not be guaranteed by current OOB check, and may cause OOB for malformed property. Fix by using as OOB check '((index + 1) * sizeof(*ref) > prop->length)'. | 2025-07-10 | not yet calculated | CVE-2025-38342 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: drop fragments with multicast or broadcast RA IEEE 802.11 fragmentation can only be applied to unicast frames. Therefore, drop fragments with multicast or broadcast RA. This patch addresses vulnerabilities such as CVE-2020-26145. | 2025-07-10 | not yet calculated | CVE-2025-38343 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi parse and parseext cache leaks ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5 I'm Seunghun Han, and I work for National Security Research Institute of South Korea. I have been doing a research on ACPI and found an ACPI cache leak in ACPI early abort cases. Boot log of ACPI cache leak is as follows: [ 0.352414] ACPI: Added _OSI(Module Device) [ 0.353182] ACPI: Added _OSI(Processor Device) [ 0.353182] ACPI: Added _OSI(3.0 _SCP Extensions) [ 0.353182] ACPI: Added _OSI(Processor Aggregator Device) [ 0.356028] ACPI: Unable to start the ACPI Interpreter [ 0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) [ 0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects [ 0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #10 [ 0.361273] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.361873] Call Trace: [ 0.362243] ? dump_stack+0x5c/0x81 [ 0.362591] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.362944] ? acpi_sleep_proc_init+0x27/0x27 [ 0.363296] ? acpi_os_delete_cache+0xa/0x10 [ 0.363646] ? acpi_ut_delete_caches+0x6d/0x7b [ 0.364000] ? acpi_terminate+0xa/0x14 [ 0.364000] ? acpi_init+0x2af/0x34f [ 0.364000] ? __class_create+0x4c/0x80 [ 0.364000] ? video_setup+0x7f/0x7f [ 0.364000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.364000] ? do_one_initcall+0x4e/0x1a0 [ 0.364000] ? kernel_init_freeable+0x189/0x20a [ 0.364000] ? rest_init+0xc0/0xc0 [ 0.364000] ? kernel_init+0xa/0x100 [ 0.364000] ? ret_from_fork+0x25/0x30 I analyzed this memory leak in detail. I found that "Acpi-State" cache and "Acpi-Parse" cache were merged because the size of cache objects was same slab cache size. I finally found "Acpi-Parse" cache and "Acpi-parse_ext" cache were leaked using SLAB_NEVER_MERGE flag in kmem_cache_create() function. Real ACPI cache leak point is as follows: [ 0.360101] ACPI: Added _OSI(Module Device) [ 0.360101] ACPI: Added _OSI(Processor Device) [ 0.360101] ACPI: Added _OSI(3.0 _SCP Extensions) [ 0.361043] ACPI: Added _OSI(Processor Aggregator Device) [ 0.364016] ACPI: Unable to start the ACPI Interpreter [ 0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) [ 0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects [ 0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #8 [ 0.371256] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.372000] Call Trace: [ 0.372000] ? dump_stack+0x5c/0x81 [ 0.372000] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.372000] ? acpi_os_delete_cache+0xa/0x10 [ 0.372000] ? acpi_ut_delete_caches+0x56/0x7b [ 0.372000] ? acpi_terminate+0xa/0x14 [ 0.372000] ? acpi_init+0x2af/0x34f [ 0.372000] ? __class_create+0x4c/0x80 [ 0.372000] ? video_setup+0x7f/0x7f [ 0.372000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.372000] ? do_one_initcall+0x4e/0x1a0 [ 0.372000] ? kernel_init_freeable+0x189/0x20a [ 0.372000] ? rest_init+0xc0/0xc0 [ 0.372000] ? kernel_init+0xa/0x100 [ 0.372000] ? ret_from_fork+0x25/0x30 [ 0.388039] kmem_cache_destroy Acpi-parse_ext: Slab cache still has objects [ 0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #8 [ 0.390557] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 [ 0.392000] Call Trace: [ 0.392000] ? dump_stack+0x5c/0x81 [ 0.392000] ? kmem_cache_destroy+0x1aa/0x1c0 [ 0.392000] ? acpi_sleep_proc_init+0x27/0x27 [ 0.392000] ? acpi_os_delete_cache+0xa/0x10 [ 0.392000] ? acpi_ut_delete_caches+0x6d/0x7b [ 0.392000] ? acpi_terminate+0xa/0x14 [ 0.392000] ? acpi_init+0x2af/0x3 ---truncated--- | 2025-07-10 | not yet calculated | CVE-2025-38344 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi operand cache leak in dswstate.c ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 I found an ACPI cache leak in ACPI early termination and boot continuing case. When early termination occurs due to malicious ACPI table, Linux kernel terminates ACPI function and continues to boot process. While kernel terminates ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. Boot log of ACPI operand cache leak is as follows: >[ 0.585957] ACPI: Added _OSI(Module Device) >[ 0.587218] ACPI: Added _OSI(Processor Device) >[ 0.588530] ACPI: Added _OSI(3.0 _SCP Extensions) >[ 0.589790] ACPI: Added _OSI(Processor Aggregator Device) >[ 0.591534] ACPI Error: Illegal I/O port address/length above 64K: C806E00000004002/0x2 (20170303/hwvalid-155) >[ 0.594351] ACPI Exception: AE_LIMIT, Unable to initialize fixed events (20170303/evevent-88) >[ 0.597858] ACPI: Unable to start the ACPI Interpreter >[ 0.599162] ACPI Error: Could not remove SCI handler (20170303/evmisc-281) >[ 0.601836] kmem_cache_destroy Acpi-Operand: Slab cache still has objects >[ 0.603556] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 >[ 0.605159] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 >[ 0.609177] Call Trace: >[ 0.610063] ? dump_stack+0x5c/0x81 >[ 0.611118] ? kmem_cache_destroy+0x1aa/0x1c0 >[ 0.612632] ? acpi_sleep_proc_init+0x27/0x27 >[ 0.613906] ? acpi_os_delete_cache+0xa/0x10 >[ 0.617986] ? acpi_ut_delete_caches+0x3f/0x7b >[ 0.619293] ? acpi_terminate+0xa/0x14 >[ 0.620394] ? acpi_init+0x2af/0x34f >[ 0.621616] ? __class_create+0x4c/0x80 >[ 0.623412] ? video_setup+0x7f/0x7f >[ 0.624585] ? acpi_sleep_proc_init+0x27/0x27 >[ 0.625861] ? do_one_initcall+0x4e/0x1a0 >[ 0.627513] ? kernel_init_freeable+0x19e/0x21f >[ 0.628972] ? rest_init+0x80/0x80 >[ 0.630043] ? kernel_init+0xa/0x100 >[ 0.631084] ? ret_from_fork+0x25/0x30 >[ 0.633343] vgaarb: loaded >[ 0.635036] EDAC MC: Ver: 3.0.0 >[ 0.638601] PCI: Probing PCI hardware >[ 0.639833] PCI host bridge to bus 0000:00 >[ 0.641031] pci_bus 0000:00: root bus resource [io 0x0000-0xffff] > ... Continue to boot and log is omitted ... I analyzed this memory leak in detail and found acpi_ds_obj_stack_pop_and_ delete() function miscalculated the top of the stack. acpi_ds_obj_stack_push() function uses walk_state->operand_index for start position of the top, but acpi_ds_obj_stack_pop_and_delete() function considers index 0 for it. Therefore, this causes acpi operand memory leak. This cache leak causes a security threat because an old kernel (<= 4.9) shows memory locations of kernel functions in stack dump. Some malicious users could use this information to neutralize kernel ASLR. I made a patch to fix ACPI operand cache leak. | 2025-07-10 | not yet calculated | CVE-2025-38345 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix UAF when lookup kallsym after ftrace disabled The following issue happens with a buggy module: BUG: unable to handle page fault for address: ffffffffc05d0218 PGD 1bd66f067 P4D 1bd66f067 PUD 1bd671067 PMD 101808067 PTE 0 Oops: Oops: 0000 [#1] SMP KASAN PTI Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS RIP: 0010:sized_strscpy+0x81/0x2f0 RSP: 0018:ffff88812d76fa08 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffffffffc0601010 RCX: dffffc0000000000 RDX: 0000000000000038 RSI: dffffc0000000000 RDI: ffff88812608da2d RBP: 8080808080808080 R08: ffff88812608da2d R09: ffff88812608da68 R10: ffff88812608d82d R11: ffff88812608d810 R12: 0000000000000038 R13: ffff88812608da2d R14: ffffffffc05d0218 R15: fefefefefefefeff FS: 00007fef552de740(0000) GS:ffff8884251c7000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffc05d0218 CR3: 00000001146f0000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ftrace_mod_get_kallsym+0x1ac/0x590 update_iter_mod+0x239/0x5b0 s_next+0x5b/0xa0 seq_read_iter+0x8c9/0x1070 seq_read+0x249/0x3b0 proc_reg_read+0x1b0/0x280 vfs_read+0x17f/0x920 ksys_read+0xf3/0x1c0 do_syscall_64+0x5f/0x2e0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The above issue may happen as follows: (1) Add kprobe tracepoint; (2) insmod test.ko; (3) Module triggers ftrace disabled; (4) rmmod test.ko; (5) cat /proc/kallsyms; --> Will trigger UAF as test.ko already removed; ftrace_mod_get_kallsym() ... strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN); ... The problem is when a module triggers an issue with ftrace and sets ftrace_disable. The ftrace_disable is set when an anomaly is discovered and to prevent any more damage, ftrace stops all text modification. The issue that happened was that the ftrace_disable stops more than just the text modification. When a module is loaded, its init functions can also be traced. Because kallsyms deletes the init functions after a module has loaded, ftrace saves them when the module is loaded and function tracing is enabled. This allows the output of the function trace to show the init function names instead of just their raw memory addresses. When a module is removed, ftrace_release_mod() is called, and if ftrace_disable is set, it just returns without doing anything more. The problem here is that it leaves the mod_list still around and if kallsyms is called, it will call into this code and access the module memory that has already been freed as it will return: strscpy(module_name, mod_map->mod->name, MODULE_NAME_LEN); Where the "mod" no longer exists and triggers a UAF bug. | 2025-07-10 | not yet calculated | CVE-2025-38346 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on ino and xnid syzbot reported a f2fs bug as below: INFO: task syz-executor140:5308 blocked for more than 143 seconds. Not tainted 6.14.0-rc7-syzkaller-00069-g81e4f8d68c66 #0 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:syz-executor140 state:D stack:24016 pid:5308 tgid:5308 ppid:5306 task_flags:0x400140 flags:0x00000006 Call Trace: <TASK> context_switch kernel/sched/core.c:5378 [inline] __schedule+0x190e/0x4c90 kernel/sched/core.c:6765 __schedule_loop kernel/sched/core.c:6842 [inline] schedule+0x14b/0x320 kernel/sched/core.c:6857 io_schedule+0x8d/0x110 kernel/sched/core.c:7690 folio_wait_bit_common+0x839/0xee0 mm/filemap.c:1317 __folio_lock mm/filemap.c:1664 [inline] folio_lock include/linux/pagemap.h:1163 [inline] __filemap_get_folio+0x147/0xb40 mm/filemap.c:1917 pagecache_get_page+0x2c/0x130 mm/folio-compat.c:87 find_get_page_flags include/linux/pagemap.h:842 [inline] f2fs_grab_cache_page+0x2b/0x320 fs/f2fs/f2fs.h:2776 __get_node_page+0x131/0x11b0 fs/f2fs/node.c:1463 read_xattr_block+0xfb/0x190 fs/f2fs/xattr.c:306 lookup_all_xattrs fs/f2fs/xattr.c:355 [inline] f2fs_getxattr+0x676/0xf70 fs/f2fs/xattr.c:533 __f2fs_get_acl+0x52/0x870 fs/f2fs/acl.c:179 f2fs_acl_create fs/f2fs/acl.c:375 [inline] f2fs_init_acl+0xd7/0x9b0 fs/f2fs/acl.c:418 f2fs_init_inode_metadata+0xa0f/0x1050 fs/f2fs/dir.c:539 f2fs_add_inline_entry+0x448/0x860 fs/f2fs/inline.c:666 f2fs_add_dentry+0xba/0x1e0 fs/f2fs/dir.c:765 f2fs_do_add_link+0x28c/0x3a0 fs/f2fs/dir.c:808 f2fs_add_link fs/f2fs/f2fs.h:3616 [inline] f2fs_mknod+0x2e8/0x5b0 fs/f2fs/namei.c:766 vfs_mknod+0x36d/0x3b0 fs/namei.c:4191 unix_bind_bsd net/unix/af_unix.c:1286 [inline] unix_bind+0x563/0xe30 net/unix/af_unix.c:1379 __sys_bind_socket net/socket.c:1817 [inline] __sys_bind+0x1e4/0x290 net/socket.c:1848 __do_sys_bind net/socket.c:1853 [inline] __se_sys_bind net/socket.c:1851 [inline] __x64_sys_bind+0x7a/0x90 net/socket.c:1851 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Let's dump and check metadata of corrupted inode, it shows its xattr_nid is the same to its i_ino. dump.f2fs -i 3 chaseyu.img.raw i_xattr_nid [0x 3 : 3] So that, during mknod in the corrupted directory, it tries to get and lock inode page twice, result in deadlock. - f2fs_mknod - f2fs_add_inline_entry - f2fs_get_inode_page --- lock dir's inode page - f2fs_init_acl - f2fs_acl_create(dir,..) - __f2fs_get_acl - f2fs_getxattr - lookup_all_xattrs - __get_node_page --- try to lock dir's inode page In order to fix this, let's add sanity check on ino and xnid. | 2025-07-10 | not yet calculated | CVE-2025-38347 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Robert Morris reported: |If a malicious USB device pretends to be an Intersil p54 wifi |interface and generates an eeprom_readback message with a large |eeprom->v1.len, p54_rx_eeprom_readback() will copy data from the |message beyond the end of priv->eeprom. | |static void p54_rx_eeprom_readback(struct p54_common *priv, | struct sk_buff *skb) |{ | struct p54_hdr *hdr = (struct p54_hdr *) skb->data; | struct p54_eeprom_lm86 *eeprom = (struct p54_eeprom_lm86 *) hdr->data; | | if (priv->fw_var >= 0x509) { | memcpy(priv->eeprom, eeprom->v2.data, | le16_to_cpu(eeprom->v2.len)); | } else { | memcpy(priv->eeprom, eeprom->v1.data, | le16_to_cpu(eeprom->v1.len)); | } | [...] The eeprom->v{1,2}.len is set by the driver in p54_download_eeprom(). The device is supposed to provide the same length back to the driver. But yes, it's possible (like shown in the report) to alter the value to something that causes a crash/panic due to overrun. This patch addresses the issue by adding the size to the common device context, so p54_rx_eeprom_readback no longer relies on possibly tampered values... That said, it also checks if the "firmware" altered the value and no longer copies them. The one, small saving grace is: Before the driver tries to read the eeprom, it needs to upload >a< firmware. the vendor firmware has a proprietary license and as a reason, it is not present on most distributions by default. | 2025-07-10 | not yet calculated | CVE-2025-38348 |
| SUR-FBD CMMS--SUR-FBD CMMS | A vulnerability was identified in SUR-FBD CMMS where hard-coded credentials were found within a compiled DLL file. These credentials correspond to a built-in administrative account of the software. An attacker with local access to the system or the application's installation directory could extract these credentials, potentially leading to a complete compromise of the application's administrative functions. This issue was fixed in version 2025.03.27 of the SUR-FBD CMMS software. | 2025-07-07 | not yet calculated | CVE-2025-3920 |
| huggingface--huggingface/transformers | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>` which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model. | 2025-07-11 | not yet calculated | CVE-2025-3933 |
| Quiter--Quiter Gateway (Java WAR on Apache Tomcat) | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the id_concesion parameter in /<Client>FacturaE/VerFacturaPDF. | 2025-07-08 | not yet calculated | CVE-2025-40711 |
| Quiter--Quiter Gateway (Java WAR on Apache Tomcat) | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the id_concesion parameter in /<Client>FacturaE/DescargarFactura. | 2025-07-08 | not yet calculated | CVE-2025-40712 |
| Quiter--Quiter Gateway (Java WAR on Apache Tomcat) | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the campo parameter in/<Client>FacturaE/BusquedasFacturasSesion. | 2025-07-08 | not yet calculated | CVE-2025-40713 |
| Quiter--Quiter Gateway (Java WAR on Apache Tomcat) | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the campo id_factura in /<Client>FacturaE/listado_facturas_ficha.jsp. | 2025-07-08 | not yet calculated | CVE-2025-40714 |
| Quiter--Quiter Gateway (Java WAR on Apache Tomcat) | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the campo mensaje in /QISClient/api/v1/sucesospaginas. | 2025-07-08 | not yet calculated | CVE-2025-40715 |
| Quiter--Quiter Gateway (Java WAR on Apache Tomcat) | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the suceso.contenido mensaje in /QMSCliente/Sucesos.action. | 2025-07-08 | not yet calculated | CVE-2025-40716 |
| Quiter--Quiter Gateway (Java WAR on Apache Tomcat) | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to retrieve, create, update and delete databases through the pagina.filter.categoria mensaje in /QuiterGatewayWeb/api/v1/sucesospagina. | 2025-07-08 | not yet calculated | CVE-2025-40717 |
| Quiter--Quiter Gateway (Java WAR on Apache Tomcat) | Improper error handling vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to send malformed payloads to generate error messages containing sensitive information. | 2025-07-08 | not yet calculated | CVE-2025-40718 |
| Quiter--Quiter Gateway (Java WAR on Apache Tomcat) | Reflected Cross-site Scripting (XSS) vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL trhough the id_concesion parameter in /<Client>FacturaE/VerFacturaPDF. | 2025-07-08 | not yet calculated | CVE-2025-40719 |
| Quiter--Quiter Gateway (Java WAR on Apache Tomcat) | Reflected Cross-site Scripting (XSS) vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL trhough the campo parameter in /<Client>FacturaE/VerFacturaPDF. | 2025-07-08 | not yet calculated | CVE-2025-40720 |
| Quiter--Quiter Gateway (Java WAR on Apache Tomcat) | Reflected Cross-site Scripting (XSS) vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL trhough the id_factura parameter in /<Client>FacturaE/listado_facturas_ficha.jsp. | 2025-07-08 | not yet calculated | CVE-2025-40721 |
| HP Inc.--HP Support Assistant | A potential security vulnerability has been identified in the HP Support Assistant, which allows a local attacker to escalate privileges via an arbitrary file deletion. | 2025-07-08 | not yet calculated | CVE-2025-43019 |
| immich-app--immich | immich is a high performance self-hosted photo and video management solution. Prior to 1.132.0, immich is vulnerable to account hijacking through oauth2, because the state parameter is not being checked. The oauth2 state parameter is similar to a csrf token, so when the user starts the login flow this unpredictable token is generated and somehow saved in the browser session and passed to the identity provider, which will return the state parameter when redirecting the user back to immich. Before the user is logged in that parameter needs to be verified to make sure the login was actively initiated by the user in this browser session. On it's own, this wouldn't be too bad, but when immich uses the /user-settings page as a redirect_uri, it will automatically link the accounts if the user was already logged in. This means that if someone has an immich instance with a public oauth provider (like google), an attacker can - for example - embed a hidden iframe in a webpage or even just send the victim a forged oauth login url with a code that logs the victim into the attackers oauth account and redirects back to immich and links the accounts. After this, the attacker can log into the victims account using their own oauth credentials. This vulnerability is fixed in 1.132.0. | 2025-07-11 | not yet calculated | CVE-2025-43856 |
| n/a--Hashview | Hashview 0.8.1 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. | 2025-07-07 | not yet calculated | CVE-2025-43930 |
| n/a--flask-boilerplate | flask-boilerplate through a170e7c allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. | 2025-07-07 | not yet calculated | CVE-2025-43931 |
| n/a--JobCenter | JobCenter through 7e7b0b2 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. | 2025-07-07 | not yet calculated | CVE-2025-43932 |
| n/a--fblog | fblog through 983bede allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. | 2025-07-07 | not yet calculated | CVE-2025-43933 |
| White Star Software--White Star Software Protop | A directory traversal vulnerability was discovered in White Star Software Protop version 4.4.2-2024-11-27, specifically in the /pt3upd/ endpoint. An unauthenticated attacker can remotely read arbitrary files on the underlying OS using encoded traversal sequences. | 2025-07-09 | not yet calculated | CVE-2025-44177 |
| Ecovacs--Deebot | Ecovacs Deebot T10 1.7.2 transmits Wi-Fi credentials in cleartext during the pairing process. | 2025-07-10 | not yet calculated | CVE-2025-44251 |
| Texas Instruments--CC2652RB LaunchPad Development Kit | Texas Instruments CC2652RB LaunchPad SimpleLink CC13XX CC26XX SDK 7.41.00.17 was discovered to utilize insufficient permission checks on critical fields within Bluetooth Low Energy (BLE) data packets. This issue allows attackers to cause a Denial of Service (DoS) via a crafted LL_Length_Req packet. | 2025-07-09 | not yet calculated | CVE-2025-44525 |
| Realtek--RTL8762EKF-EVB | Realtek RTL8762EKF-EVB RTL8762E SDK V1.4.0 was discovered to utilize insufficient permission checks on critical fields within Bluetooth Low Energy (BLE) data packets. This issue allows attackers to cause a Denial of Service (DoS) via a crafted LL_Length_Req packet. | 2025-07-09 | not yet calculated | CVE-2025-44526 |
| PHP Gurukul--Employee Record Management System in PHP & MySQL | employee record management system in php and mysql v1 was discovered to contain a SQL injection vulnerability via the loginerms.php endpoint. | 2025-07-07 | not yet calculated | CVE-2025-45065 |
| educoder--educoder challenges | Insufficient security mechanisms for created containers in educoder challenges v1.0 allow attackers to execute arbitrary code via injecting crafted content into a container. | 2025-07-07 | not yet calculated | CVE-2025-45479 |
| n/a--mpgram-web | A cross-site scripting (XSS) vulnerability in the component /master/login.php of mpgram-web commit 94baadb allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload. | 2025-07-10 | not yet calculated | CVE-2025-45662 |
| Broadcom--Brocade SANnav | Brocade SANnav before SANnav 2.4.0a logs plaintext passphrases in the Brocade SANnav host server audit logs while executing OpenSSL command using a passphrase from the command line or while providing the passphrase through a temporary file. These audit logs are the local server VM's audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user. | 2025-07-10 | not yet calculated | CVE-2025-4662 |
| Broadcom--Brocade Fabric OS | An Improper Check for Unusual or Exceptional Conditions vulnerability in Brocade Fabric OS before 9.2.2.a could allow an authenticated, network-based attacker to cause a Denial-of-Service (DoS). The vulnerability is encountered when supportsave is invoked remotely, using ssh command or SANnav inline ssh, and the corresponding ssh session is terminated with Control C (^c ) before supportsave completion. This issue affects Brocade Fabric OS 9.0.0 through 9.2.2 | 2025-07-08 | not yet calculated | CVE-2025-4663 |
| Samsung--Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, Modem 5400 | In RRC in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400, the lack of a length check leads to out-of-bounds writes. | 2025-07-07 | not yet calculated | CVE-2025-47202 |
| Advanced Installer--Advanced Installer | Advanced Installer before 22.6 has an uncontrolled search path element local privilege escalation vulnerability. When running as SYSTEM in certain configurations, Advanced Installer looks in standard-user writable locations for non-existent binaries and executes them as SYSTEM. A low-privileged attacker can place a malicious binary in a targeted folder; when the installer is executed, the attacker achieves arbitrary SYSTEM code execution. | 2025-07-08 | not yet calculated | CVE-2025-47422 |
| lunary-ai--lunary-ai/lunary | lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). An unauthenticated attacker can inject malicious JavaScript into the `v1/runs/ingest` endpoint by adding an empty `citations` field, triggering a code path where `dangerouslySetInnerHTML` is used to render attacker-controlled text. This vulnerability allows the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions. | 2025-07-07 | not yet calculated | CVE-2025-4779 |
| git--git | Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform protocol injection. This protocol injection can cause the client to write the fetched bundle to a location controlled by the adversary. The fetched content is fully controlled by the server, which can in the worst case lead to arbitrary code execution. The use of bundle URIs is not enabled by default and can be controlled by the bundle.heuristic config option. Some cases of the vulnerability require that the adversary is in control of where a repository will be cloned to. This either requires social engineering or a recursive clone with submodules. These cases can thus be avoided by disabling recursive clones. This vulnerability is fixed in v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, and v2.50.1. | 2025-07-08 | not yet calculated | CVE-2025-48385 |
| Nimesa--Nimesa Backup and Recovery | An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. If this vulnerability is exploited, an arbitrary OS commands may be executed on the server where the product is running. | 2025-07-07 | not yet calculated | CVE-2025-48501 |
| Apache Software Foundation--Apache Commons Lang | Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue. | 2025-07-11 | not yet calculated | CVE-2025-48924 |
| Realtek--Ameba-AIoT ameba-arduino-d, ameba-rtos-d | For Realtek AmebaD devices, a heap-based buffer overflow was discovered in Ameba-AIoT ameba-arduino-d before version 3.1.9 and ameba-rtos-d before commit c2bfd8216a1cbc19ad2ab5f48f372ecea756d67a on 2025/07/03. In the WLAN driver defragment function, lack of validation of the size of fragmented Wi-Fi frames may lead to a heap-based buffer overflow. | 2025-07-09 | not yet calculated | CVE-2025-49604 |
| Apache Software Foundation--Apache HTTP Server | In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. Configurations affected are a reverse proxy is configured for an HTTP/2 backend, with ProxyPreserveHost set to "on". | 2025-07-10 | not yet calculated | CVE-2025-49630 |
| Apache Software Foundation--Apache HTTP Server | In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. Only configurations using "SSLEngine optional" to enable TLS upgrades are affected. Users are recommended to upgrade to version 2.4.64, which removes support for TLS upgrade. | 2025-07-10 | not yet calculated | CVE-2025-49812 |
| Schneider Electric--EcoStruxure IT Data Center Expert | A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause unauthenticated remote code execution when a malicious folder is created over the web interface HTTP when enabled. HTTP is disabled by default. | 2025-07-11 | not yet calculated | CVE-2025-50121 |
| Schneider Electric--EcoStruxure IT Data Center Expert | A CWE-331: Insufficient Entropy vulnerability exists that could cause root password discovery when the password generation algorithm is reverse engineered with access to installation or upgrade artifacts. | 2025-07-11 | not yet calculated | CVE-2025-50122 |
| Schneider Electric--EcoStruxure IT Data Center Expert | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote command execution by a privileged account when the server is accessed via a console and through exploitation of the hostname input. | 2025-07-11 | not yet calculated | CVE-2025-50123 |
| Schneider Electric--EcoStruxure IT Data Center Expert | A CWE-269: Improper Privilege Management vulnerability exists that could cause privilege escalation when the server is accessed by a privileged account via a console and through exploitation of a setup script. | 2025-07-11 | not yet calculated | CVE-2025-50124 |
| Schneider Electric--EcoStruxure IT Data Center Expert | A CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthenticated remote code execution when the server is accessed via the network with knowledge of hidden URLs and manipulation of host request header. | 2025-07-11 | not yet calculated | CVE-2025-50125 |
| ESET, spol. s.r.o--ESET NOD32 Antivirus | Installation file of ESET security products on Windows allow an attacker to misuse to delete an arbitrary file without having the permissions to do so. | 2025-07-11 | not yet calculated | CVE-2025-5028 |
| n/a--JGM Pandoc | A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. | 2025-07-11 | not yet calculated | CVE-2025-51591 |
| TOTOLINK--N300RB | A hidden remote support feature protected by a static secret in TOTOLINK N300RB firmware version 8.54 allows an authenticated attacker to execute arbitrary OS commands with root privileges. | 2025-07-11 | not yet calculated | CVE-2025-52089 |
| Shenzhen C-Data Technology Co., Ltd.--FD602GW-DX-R410 Fiber Router | Cross-Site Scripting (XSS) vulnerability exists in the ping diagnostic feature of FiberHome FD602GW-DX-R410 router (firmware V2.2.14), allowing an authenticated attacker to execute arbitrary JavaScript code in the context of the router s web interface. The vulnerability is triggered via user-supplied input in the ping form field, which fails to sanitize special characters. This can be exploited to hijack sessions or escalate privileges through social engineering or browser-based attacks. | 2025-07-09 | not yet calculated | CVE-2025-52357 |
| Tenda--CP3 Pro | Insecure Permissions vulnerability in Tenda CP3 Pro Firmware V22.5.4.93 allows the telnet service (telnetd) by default at boot via the initialization script /etc/init.d/eth.sh. This allows remote attackers to connect to the device s shell over the network, potentially without authentication if default or weak credentials are present | 2025-07-09 | not yet calculated | CVE-2025-52364 |
| Apache Software Foundation--Apache Tomcat | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 9.0.107, which fixes the issue. | 2025-07-10 | not yet calculated | CVE-2025-52434 |
| Paxton Access LTD--Paxton Paxton10 | A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. The firmware file, rootfs.tar.gz, contains hard-coded credentials for the Twilio API. A remote attacker who obtains a copy of the firmware can extract these credentials. This could allow the attacker to gain unauthorized access to the associated Twilio account, leading to information disclosure, potential service disruption, and unauthorized use of the Twilio services. | 2025-07-07 | not yet calculated | CVE-2025-52492 |
| Apache Software Foundation--Apache Tomcat | For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. | 2025-07-10 | not yet calculated | CVE-2025-52520 |
| Apache Software Foundation--Apache HTTP Server | Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. This issue affects Apache HTTP Server: from 2.4.17 up to 2.4.63. Users are recommended to upgrade to version 2.4.64, which fixes the issue. | 2025-07-10 | not yet calculated | CVE-2025-53020 |
| ahmed-elgaml11--Natours | Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server domain in the Host header when requesting the /forgetpassword endpoint. This vulnerability is fixed with commit 7401793a8d9ed0f0c250c4e0ee2815d685d7a70b. | 2025-07-07 | not yet calculated | CVE-2025-53373 |
| Dokploy--dokploy | Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated low-privileged account can retrieve detailed profile information about another users in the same organization by directly invoking user.one. The response discloses personally-identifiable information (PII) such as e-mail address, role, two-factor status, organization ID, and various account flags. The fix will be available in the v0.23.7. | 2025-07-07 | not yet calculated | CVE-2025-53374 |
| Dokploy--dokploy | Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated attacker can read any file that the Traefik process user can access (e.g., /etc/passwd, application source, environment variable files containing credentials and secrets). This may lead to full compromise of other services or lateral movement. This vulnerability is fixed in 0.23.7. | 2025-07-07 | not yet calculated | CVE-2025-53375 |
| Dokploy--dokploy | Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. An authenticated, low-privileged user can run arbitrary OS commands on the Dokploy host. The tRPC procedure docker.getContainersByAppNameMatch interpolates the attacker-supplied appName value into a Docker CLI call without sanitisation, enabling command injection under the Dokploy service account. This vulnerability is fixed in 0.23.7. | 2025-07-07 | not yet calculated | CVE-2025-53376 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the cadastro_dependente_pessoa_nova.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_funcionario parameter. This vulnerability is fixed in 3.4.3. | 2025-07-07 | not yet calculated | CVE-2025-53377 |
| Nimesa--Nimesa Backup and Recovery | Server-side request forgery (SSRF) vulnerability exists n multiple versions of Nimesa Backup and Recovery, If this vulnerability is exploited, unintended requests may be sent to internal servers. | 2025-07-07 | not yet calculated | CVE-2025-53473 |
| Wikimedia Foundation--Mediawiki - CheckUser extension | The CheckUser extension's Special:Investigate interface is vulnerable to reflected XSS due to improper escaping of certain internationalized system messages rendered on the "IPs and User agents" tab. This issue affects Mediawiki - CheckUser extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-07 | not yet calculated | CVE-2025-53478 |
| Wikimedia Foundation--Mediawiki - CheckUser extension | The CheckUser extension's Special:CheckUser interface is vulnerable to reflected XSS via the rev-deleted-user message. This message is rendered without proper escaping, making it possible to inject JavaScript through the uselang=x-xss language override mechanism. This issue affects Mediawiki - CheckUser extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-08 | not yet calculated | CVE-2025-53479 |
| Wikimedia Foundation--Mediawiki - CheckUser extension | The CheckUser extension's Special:Investigate page has a vulnerability in the Account information tab, where specific internationalized messages are rendered without proper escaping. Attackers can exploit this by appending ?uselang=x-xss to the URL, causing reflected XSS when the UI renders affected message keys. This issue affects Mediawiki - CheckUser extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-08 | not yet calculated | CVE-2025-53480 |
| Wikimedia Foundation--Mediawiki - WikiCategoryTagCloud extension | The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. An attacker can inject JavaScript event handlers such as onmouseenter using carefully crafted input via the {{#tag:tagcloud}} parser function, resulting in arbitrary JavaScript execution when a victim hovers over a link in the category cloud. The vulnerability exists because the linkstyle parameter is only passed through Sanitizer::checkCss() (which does not escape HTML) and is then directly inserted into a style attribute using string concatenation instead of Html::element or Html::openElement. This issue affects Mediawiki - WikiCategoryTagCloud extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-07 | not yet calculated | CVE-2025-53486 |
| Wikimedia Foundation--Mediawiki - ApprovedRevs extension | The ApprovedRevs extension for MediaWiki is vulnerable to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. Attackers can exploit this by injecting JavaScript payloads via the uselang=x-xss language override, which causes crafted message keys to be rendered unescaped. This issue affects Mediawiki - ApprovedRevs extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-07 | not yet calculated | CVE-2025-53487 |
| Wikimedia Foundation--Mediawiki - WikiHiero Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - WikiHiero Extension allows Stored XSS.This issue affects Mediawiki - WikiHiero Extension: from 1.43.X before 1.43.2. | 2025-07-07 | not yet calculated | CVE-2025-53488 |
| Wikimedia Foundation--Mediawiki - FlaggedRevs Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - FlaggedRevs Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - FlaggedRevs Extension: from 1.43.X before 1.43.2. | 2025-07-07 | not yet calculated | CVE-2025-53491 |
| Wikimedia Foundation--Mediawiki - AbuseFilter Extension | Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access.This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2. | 2025-07-07 | not yet calculated | CVE-2025-53495 |
| Wikimedia Foundation--Mediawiki - MediaSearch Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - MediaSearch Extension allows Stored XSS.This issue affects Mediawiki - MediaSearch Extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-07 | not yet calculated | CVE-2025-53496 |
| Wikimedia Foundation--Mediawiki - RelatedArticles Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - RelatedArticles Extension allows Stored XSS.This issue affects Mediawiki - RelatedArticles Extension: from 1.43.X before 1.43.2. | 2025-07-07 | not yet calculated | CVE-2025-53497 |
| Wikimedia Foundation--Mediawiki - AbuseFilter Extension | Insufficient Logging vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Data Leakage Attacks.This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2. | 2025-07-07 | not yet calculated | CVE-2025-53498 |
| Wikimedia Foundation--Mediawiki - AbuseFilter Extension | Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access.This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2. | 2025-07-07 | not yet calculated | CVE-2025-53499 |
| Apache Software Foundation--Apache Tomcat | Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. | 2025-07-10 | not yet calculated | CVE-2025-53506 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. A Reflected Cross-Site Scripting (XSS) vulnerability was identified in the profile_familiar.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts in the id_dependente parameter. This vulnerability is fixed in 3.4.3. | 2025-07-07 | not yet calculated | CVE-2025-53525 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. An XSS Injection vulnerability was identified in novo_memorando.php. After the memo was submitted, the vulnerability was confirmed by accessing listar_memorandos_antigos.php. Upon loading this page, the injected script was executed in the browser. This vulnerability is fixed in 3.4.3. | 2025-07-07 | not yet calculated | CVE-2025-53526 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. A Time-Based Blind SQL Injection vulnerability was discovered in the almox parameter of the /controle/relatorio_geracao.php endpoint. This issue allows attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration. This vulnerability is fixed in 3.4.1. | 2025-07-07 | not yet calculated | CVE-2025-53527 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the errorstr parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks. This vulnerability is fixed in 3.3.0. | 2025-07-07 | not yet calculated | CVE-2025-53530 |
| LabRedesCefetRJ--WeGIA | WeGIA is a web manager for charitable institutions. The Wegia server has a vulnerability that allows excessively long HTTP GET requests to a specific URL. This issue arises from the lack of validation for the length of the fid parameter. Tests confirmed that the server processes URLs up to 8,142 characters, resulting in high resource consumption, elevated latency, timeouts, and read errors. This makes the server susceptible to Denial of Service (DoS) attacks. This vulnerability is fixed in 3.3.0. | 2025-07-07 | not yet calculated | CVE-2025-53531 |
| better-auth--better-auth | Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This vulnerability is fixed in 1.2.10. | 2025-07-07 | not yet calculated | CVE-2025-53535 |
| rennf93--fastapi-guard | FastAPI Guard is a security library for FastAPI that provides middleware to control IPs, log requests, and detect penetration attempts. fastapi-guard's penetration attempts detection uses regex to scan incoming requests. However, some of the regex patterns used in detection are extremely inefficient and can cause polynomial complexity backtracks when handling specially crafted inputs. This vulnerability is fixed in 3.0.1. | 2025-07-07 | not yet calculated | CVE-2025-53539 |
| espressif--arduino-esp32 | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. Several OTA update examples and the HTTPUpdateServer implementation are vulnerable to Cross-Site Request Forgery (CSRF). The update endpoints accept POST requests for firmware uploads without CSRF protection. This allows an attacker to upload and execute arbitrary firmware, resulting in remote code execution (RCE). This vulnerability is fixed in 3.2.1. | 2025-07-07 | not yet calculated | CVE-2025-53540 |
| frappe--press | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). Users can circumvent 2FA login for users due to a lack of server side validation for the same. This vulnerability is fixed in commit ddb439f8eb1816010f2ef653a908648b71f9bba8. | 2025-07-08 | not yet calculated | CVE-2025-53545 |
| matrix-org--matrix-rust-sdk | The Matrix Rust SDK is a collection of libraries that make it easier to build Matrix clients in Rust. An SQL injection vulnerability in the EventCache::find_event_with_relations method of matrix-sdk 0.11 and 0.12 allows malicious room members to execute arbitrary SQL commands in Matrix clients that directly pass relation types provided by those room members into this method, when used with the default sqlite-based store backend. Exploitation is unlikely, as no known clients currently use the API in this manner. This vulnerability is fixed in 0.13. | 2025-07-10 | not yet calculated | CVE-2025-53549 |
| QwikDev--qwik | @builder.io/qwik-city is the meta-framework for Qwik. When a Qwik Server Action QRL is executed it dynamically load the file containing the symbol. When an invalid qfunc is sent, the server does not handle the thrown error. The error then causes Node JS to exit. This vulnerability is fixed in 1.13.0. | 2025-07-09 | not yet calculated | CVE-2025-53620 |
| Universal-Omega--DynamicPageList3 | The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with various formats and details. Several #dpl parameters can leak usernames that have been hidden using revision deletion, suppression, or the hideuser block flag. The vulnerability is fixed in 3.6.4. | 2025-07-10 | not yet calculated | CVE-2025-53625 |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. Prior to 0.20.1, cpp-httplib does not have a limit for a unique line, permitting an attacker to explore this to allocate memory arbitrarily. This vulnerability is fixed in 0.20.1. NOTE: This vulnerability is related to CVE-2025-53629. | 2025-07-10 | not yet calculated | CVE-2025-53628 |
| ggml-org--llama.cpp | llama.cpp is an inference of several LLM models in C/C++. Integer Overflow in the gguf_init_from_file_impl function in ggml/src/gguf.cpp can lead to Heap Out-of-Bounds Read/Write. This vulnerability is fixed in commit 26a48ad699d50b6268900062661bd22f3e792579. | 2025-07-10 | not yet calculated | CVE-2025-53630 |
| ctfer-io--chall-manager | Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the path of the file to write is not checked, potentially leading to zip slips. Exploitation does not require authentication nor authorization, so anyone can exploit it. It should nonetheless not be exploitable as it is highly recommended to bury Chall-Manager deep within the infrastructure due to its large capabilities, so no users could reach the system. Patch has been implemented by commit 47d188f and shipped in v0.1.4. | 2025-07-10 | not yet calculated | CVE-2025-53632 |
| ctfer-io--chall-manager | Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. When decoding a scenario (i.e. a zip archive), the size of the decoded content is not checked, potentially leading to zip bombs decompression. Exploitation does not require authentication nor authorization, so anyone can exploit it. It should nonetheless not be exploitable as it is highly recommended to bury Chall-Manager deep within the infrastructure due to its large capabilities, so no users could reach the system. Patch has been implemented by commit 14042aa and shipped in v0.1.4. | 2025-07-10 | not yet calculated | CVE-2025-53633 |
| ctfer-io--chall-manager | Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. The HTTP Gateway processes headers, but with no timeout set. With a slow loris attack, an attacker could cause Denial of Service (DoS). Exploitation does not require authentication nor authorization, so anyone can exploit it. It should nonetheless not be exploitable as it is highly recommended to bury Chall-Manager deep within the infrastructure due to its large capabilities, so no users could reach the system. Patch has been implemented by commit 1385bd8 and shipped in v0.1.4. | 2025-07-10 | not yet calculated | CVE-2025-53634 |
| Zimbra--Zimbra Collaboration Suite | Zimbra Collaboration Suite (ZCS) before 9.0.0 Patch 46, 10.0.x before 10.0.15, and 10.1.x before 10.1.9 is vulnerable to a denial of service condition due to improper handling of excessive, comma-separated path segments in both the Webmail interface and the Admin Console. An unauthenticated remote attacker can send specially crafted GET requests that trigger redundant processing and inflated responses. This leads to uncontrolled resource consumption, resulting in denial of service. | 2025-07-09 | not yet calculated | CVE-2025-53645 |
| Jenkins Project--Jenkins Credentials Binding Plugin | Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log. | 2025-07-09 | not yet calculated | CVE-2025-53650 |
| Jenkins Project--Jenkins HTML Publisher Plugin | Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log. | 2025-07-09 | not yet calculated | CVE-2025-53651 |
| Jenkins Project--Jenkins Git Parameter Plugin | Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters. | 2025-07-09 | not yet calculated | CVE-2025-53652 |
| Jenkins Project--Jenkins Aqua Security Scanner Plugin | Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53653 |
| Jenkins Project--Jenkins Statistics Gatherer Plugin | Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53654 |
| Jenkins Project--Jenkins Statistics Gatherer Plugin | Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it. | 2025-07-09 | not yet calculated | CVE-2025-53655 |
| Jenkins Project--Jenkins ReadyAPI Functional Testing Plugin | Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53656 |
| Jenkins Project--Jenkins ReadyAPI Functional Testing Plugin | Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | 2025-07-09 | not yet calculated | CVE-2025-53657 |
| Jenkins Project--Jenkins Applitools Eyes Plugin | Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. | 2025-07-09 | not yet calculated | CVE-2025-53658 |
| Jenkins Project--Jenkins QMetry Test Management Plugin | Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53659 |
| Jenkins Project--Jenkins QMetry Test Management Plugin | Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | 2025-07-09 | not yet calculated | CVE-2025-53660 |
| Jenkins Project--Jenkins Testsigma Test Plan run Plugin | Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | 2025-07-09 | not yet calculated | CVE-2025-53661 |
| Jenkins Project--Jenkins IFTTT Build Notifier Plugin | Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53662 |
| Jenkins Project--Jenkins IBM Cloud DevOps Plugin | Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53663 |
| Jenkins Project--Jenkins Apica Loadtest Plugin | Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53664 |
| Jenkins Project--Jenkins Apica Loadtest Plugin | Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | 2025-07-09 | not yet calculated | CVE-2025-53665 |
| Jenkins Project--Jenkins Dead Man's Snitch Plugin | Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53666 |
| Jenkins Project--Jenkins Dead Man's Snitch Plugin | Jenkins Dead Man's Snitch Plugin 0.1 does not mask Dead Man's Snitch tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | 2025-07-09 | not yet calculated | CVE-2025-53667 |
| Jenkins Project--Jenkins VAddy Plugin | Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53668 |
| Jenkins Project--Jenkins VAddy Plugin | Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | 2025-07-09 | not yet calculated | CVE-2025-53669 |
| Jenkins Project--Jenkins Nouvola DiveCloud Plugin | Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53670 |
| Jenkins Project--Jenkins Nouvola DiveCloud Plugin | Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | 2025-07-09 | not yet calculated | CVE-2025-53671 |
| Jenkins Project--Jenkins Kryptowire Plugin | Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53672 |
| Jenkins Project--Jenkins Sensedia Api Platform tools Plugin | Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53673 |
| Jenkins Project--Jenkins Sensedia Api Platform tools Plugin | Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it. | 2025-07-09 | not yet calculated | CVE-2025-53674 |
| Jenkins Project--Jenkins Warrior Framework Plugin | Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53675 |
| Jenkins Project--Jenkins Xooa Plugin | Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53676 |
| Jenkins Project--Jenkins Xooa Plugin | Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it. | 2025-07-09 | not yet calculated | CVE-2025-53677 |
| Jenkins Project--Jenkins User1st uTester Plugin | Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53678 |
| Jenkins Project--Jenkins Applitools Eyes Plugin | Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. | 2025-07-09 | not yet calculated | CVE-2025-53742 |
| Jenkins Project--Jenkins Applitools Eyes Plugin | Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. | 2025-07-09 | not yet calculated | CVE-2025-53743 |
| run-llama--run-llama/llama_index | The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. This vulnerability allows attackers to trigger a Denial of Service (DoS) by submitting deeply nested JSON structures, leading to a RecursionError and crashing applications. The root cause is the unsafe recursive traversal design and lack of depth validation, which makes the JSONReader susceptible to stack overflow when processing deeply nested JSON. This impacts the availability of services, making them unreliable and disrupting workflows. The issue is resolved in version 0.12.38. | 2025-07-07 | not yet calculated | CVE-2025-5472 |
| The Qt Company--Qt | When passing values outside of the expected range to QColorTransferGenericFunction it can cause a denial of service, for example, this can happen when passing a specifically crafted ICC profile to QColorSpace::fromICCProfile.This issue affects Qt from 6.6.0 through 6.8.3, from 6.9.0 through 6.9.1. This is fixed in 6.8.4 and 6.9.2. | 2025-07-11 | not yet calculated | CVE-2025-5992 |
| Google--ChromeOS | An Improper Access Control vulnerability in the Stylus Tools component of Google ChromeOS version 16238.64.0 on the garaged stylus devices allows a physical attacker to bypass the lock screen and access user files by removing the stylus while the device is closed and using the screen capture feature. | 2025-07-07 | not yet calculated | CVE-2025-6044 |
| Unknown--GeoDirectory | The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2025-07-11 | not yet calculated | CVE-2025-6200 |
| run-llama--run-llama/llama_index | A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. This vulnerability allows an attacker to manipulate the `image_path` input to read arbitrary files on the server, including sensitive system files. The issue arises due to improper validation or sanitization of the file path, enabling path traversal sequences to access files outside the intended directory. The vulnerability is fixed in version 0.12.41. | 2025-07-07 | not yet calculated | CVE-2025-6209 |
| run-llama--run-llama/llama_index | A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, specifically in version 0.12.27, allows for hardlink-based path traversal. This flaw permits attackers to bypass path restrictions and access sensitive system files, such as /etc/passwd, by exploiting hardlinks. The vulnerability arises from inadequate handling of hardlinks in the load_data() method, where the security checks fail to differentiate between real files and hardlinks. This issue is resolved in version 0.5.2. | 2025-07-07 | not yet calculated | CVE-2025-6210 |
| run-llama--run-llama/llama_index | A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to version 0.12.28, involves the use of MD5 hashing to generate IDs for document chunks. This approach leads to hash collisions when structurally distinct chunks contain identical text, resulting in one chunk overwriting another. This can cause loss of semantically or legally important document content, breakage of parent-child chunk hierarchies, and inaccurate or hallucinated responses in AI outputs. The issue is resolved in version 0.3.1. | 2025-07-10 | not yet calculated | CVE-2025-6211 |
| Unknown--Hostel | The Hostel WordPress plugin before 1.1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2025-07-10 | not yet calculated | CVE-2025-6234 |
| Unknown--Hostel | The Hostel WordPress plugin before 1.1.5.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | 2025-07-10 | not yet calculated | CVE-2025-6236 |
| Rockwell Automation--Arena | A remote code execution security issue exists in the Rockwell Automation Arena®. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P. | 2025-07-09 | not yet calculated | CVE-2025-6376 |
| Rockwell Automation--Arena | A remote code execution security issue exists in the Rockwell Automation Arena®. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P. | 2025-07-09 | not yet calculated | CVE-2025-6377 |
| parisneo--parisneo/lollms | The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in version 20.1. The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters. | 2025-07-07 | not yet calculated | CVE-2025-6386 |
| Broadcom--Brocade SANnav | Brocade SANnav before SANnav 2.4.0a logs passwords and pbe keys in the Brocade SANnav server audit logs after installation and under specific conditions. These audit logs are the local server VM's audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user. | 2025-07-10 | not yet calculated | CVE-2025-6390 |
| Broadcom--Brocade SANnav | Brocade SANnav before Brocade SANnav 2.4.0a could log database passwords in clear text in audit logs when the daily data dump collector invokes docker exec commands. These audit logs are the local server VM's audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user. | 2025-07-10 | not yet calculated | CVE-2025-6392 |
| Schneider Electric--EcoStruxure IT Data Center Expert | A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause manipulation of SOAP API calls and XML external entities injection resulting in unauthorized file access when the server is accessed via the network using an application account. | 2025-07-11 | not yet calculated | CVE-2025-6438 |
| GStreamer--GStreamer | GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the parsing of H266 sei messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27381. | 2025-07-07 | not yet calculated | CVE-2025-6663 |
| Citrix--Windows Virtual Delivery Agent for CVAD and Citrix DaaS | Local Privilege escalation allows a low-privileged user to gain SYSTEM privileges in Windows Virtual Delivery Agent for CVAD and Citrix DaaS | 2025-07-08 | not yet calculated | CVE-2025-6759 |
| Schneider Electric--EcoStruxure Power Monitoring Expert | A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes TGML diagram resources to the wrong control sphere, providing other authenticated users with potentially inappropriate access to TGML diagrams. | 2025-07-11 | not yet calculated | CVE-2025-6788 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole QLogicDownloadImpl Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability. This vulnerability allows remote attackers to delete arbitrary files and disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the QLogicDownloadImpl class. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files and disclose information in the context of SYSTEM. Was ZDI-CAN-24912. | 2025-07-07 | not yet calculated | CVE-2025-6793 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole saveAsText Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the saveAsText method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-24913. | 2025-07-07 | not yet calculated | CVE-2025-6794 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole getFileUploadSize Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getFileUploadSize method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24914. | 2025-07-07 | not yet calculated | CVE-2025-6795 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole getAppFileBytes Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getAppFileBytes method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24916. | 2025-07-07 | not yet calculated | CVE-2025-6796 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole getFileUploadBytes Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getFileUploadBytes method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24917. | 2025-07-07 | not yet calculated | CVE-2025-6797 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole deleteAppFile Directory Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the deleteAppFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM. Was ZDI-CAN-24918. | 2025-07-07 | not yet calculated | CVE-2025-6798 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole getFileUploadBytes Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getFileUploadBytes method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24919. | 2025-07-07 | not yet calculated | CVE-2025-6799 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole restoreESwitchConfig Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the restoreESwitchConfig method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24920. | 2025-07-07 | not yet calculated | CVE-2025-6800 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole saveNICParamsToFile Directory Traversal Arbitrary File Write Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the saveNICParamsToFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to write files in the context of SYSTEM. Was ZDI-CAN-24921. | 2025-07-07 | not yet calculated | CVE-2025-6801 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole getFileFromURL Unrestricted File Upload Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getFileFromURL method. The issue results from the lack of proper validation of user-supplied data, which can allow the upload of arbitrary files. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-24922. | 2025-07-07 | not yet calculated | CVE-2025-6802 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole compressDriverFiles Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the compressDriverFiles method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24923. | 2025-07-07 | not yet calculated | CVE-2025-6803 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole compressFirmwareDumpFiles Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the compressFirmwareDumpFiles method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24924. | 2025-07-07 | not yet calculated | CVE-2025-6804 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole deleteEventLogFile Directory Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the deleteEventLogFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to delete files in the context of SYSTEM. Was ZDI-CAN-24925. | 2025-07-07 | not yet calculated | CVE-2025-6805 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole decryptFile Directory Traversal Arbitrary File Write Vulnerability. This vulnerability allows remote attackers to create arbitrary files on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the decryptFile method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to write files in the context of SYSTEM. Was ZDI-CAN-24979. | 2025-07-07 | not yet calculated | CVE-2025-6806 |
| Marvell--QConvergeConsole | Marvell QConvergeConsole getDriverTmpPath Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Marvell QConvergeConsole. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the getDriverTmpPath method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-24980. | 2025-07-07 | not yet calculated | CVE-2025-6807 |
| Mescius--ActiveReports.NET | Mescius ActiveReports.NET ReadValue Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mescius ActiveReports.NET. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of the ReadValue method. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25246. | 2025-07-07 | not yet calculated | CVE-2025-6810 |
| Mescius--ActiveReports.NET | Mescius ActiveReports.NET TypeResolutionService Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Mescius ActiveReports.NET. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the TypeResolutionService class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25397. | 2025-07-07 | not yet calculated | CVE-2025-6811 |
| Cato Networks--Cato Client | An issue in Cato Networks' CatoClient for Linux, before version 5.5, allows a local attacker to escalate privileges to root by exploiting improper symbolic link handling. | 2025-07-13 | not yet calculated | CVE-2025-7012 |
| OpenAI--Operator | Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying a deceptive fullscreen interface with overlaid fake browser controls and a distracting element (like a cookie consent screen) to obscure fullscreen notifications, tricking the user into interacting with the malicious site. | 2025-07-10 | not yet calculated | CVE-2025-7021 |
| GIGABYTE--UEFI-GenericComponentSmmEntry | A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. If the contents at RBX match certain expected values (e.g., '$DB$' or '2DB$'), the function performs arbitrary writes to System Management RAM (SMRAM), leading to potential privilege escalation to System Management Mode (SMM) and persistent firmware compromise. | 2025-07-11 | not yet calculated | CVE-2025-7026 |
| GIGABYTE--UEFI-GenericComponentSmmEntry | A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control both the read and write addresses used by the CommandRcx1 function. The write target is derived from an unvalidated UEFI NVRAM variable (SetupXtuBufferAddress), while the write content is read from an attacker-controlled pointer based on the RBX register. This dual-pointer dereference enables arbitrary memory writes within System Management RAM (SMRAM), leading to potential SMM privilege escalation and firmware compromise. | 2025-07-11 | not yet calculated | CVE-2025-7027 |
| GIGABYTE--UEFI-SmiFlash | A vulnerability in the Software SMI handler (SwSmiInputValue 0x20) allows a local attacker to supply a crafted pointer (FuncBlock) through RBX and RCX register values. This pointer is passed unchecked into multiple flash management functions (ReadFlash, WriteFlash, EraseFlash, and GetFlashInfo) that dereference both the structure and its nested members, such as BufAddr. This enables arbitrary read/write access to System Management RAM (SMRAM), allowing an attacker to corrupt firmware memory, exfiltrate SMRAM content via flash, or install persistent implants. | 2025-07-11 | not yet calculated | CVE-2025-7028 |
| GIGABYTE--UEFI-OverClockSmiHandler | A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used to derive pointers (OcHeader, OcData) passed into power and thermal configuration logic. These buffers are not validated before performing multiple structured memory writes based on OcSetup NVRAM values, enabling arbitrary SMRAM corruption and potential SMM privilege escalation. | 2025-07-11 | not yet calculated | CVE-2025-7029 |
| Drupal--Two-factor Authentication (TFA) | Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.11.0. | 2025-07-08 | not yet calculated | CVE-2025-7030 |
| Drupal--Config Pages Viewer | Missing Authentication for Critical Function vulnerability in Drupal Config Pages Viewer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Config Pages Viewer: from 0.0.0 before 1.0.4. | 2025-07-08 | not yet calculated | CVE-2025-7031 |
| Wikimedia Foundation--Mediawiki - UrlShortener Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - UrlShortener Extension allows Stored XSS.This issue affects Mediawiki - UrlShortener Extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-07 | not yet calculated | CVE-2025-7056 |
| Wikimedia Foundation--Mediawiki - Quiz Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Quiz Extension allows Stored XSS.This issue affects Mediawiki - Quiz Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-07 | not yet calculated | CVE-2025-7057 |
| Pyload--Pyload | Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages | 2025-07-08 | not yet calculated | CVE-2025-7346 |
| Wikimedia Foundation--Mediawiki - MsUpload extension | The MsUpload extension for MediaWiki is vulnerable to stored XSS via the msu-continue system message, which is inserted into the DOM without proper sanitization. The vulnerability occurs in the file upload UI when the same filename is uploaded twice. This issue affects Mediawiki - MsUpload extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-08 | not yet calculated | CVE-2025-7362 |
| Wikimedia Foundation--Mediawiki - TitleIcon extension | The TitleIcon extension for MediaWiki is vulnerable to stored XSS through the #titleicon_unicode parser function. User input passed to this function is wrapped in an HtmlArmor object without sanitization and rendered directly into the page header, allowing attackers to inject arbitrary JavaScript. This issue affects Mediawiki - TitleIcon extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-08 | not yet calculated | CVE-2025-7363 |
| ASUSTOR--ADM | An improper Input Validation vulnerability allows injecting arbitrary values of the NAS configuration file in ASUSTOR ADM. This could potentially lead to system misconfiguration and break the format of the configuation file, causing the NAS to exhibit unexpected behavior. This issue affects ADM: from 4.1 before 4.3.1.R5A1. | 2025-07-09 | not yet calculated | CVE-2025-7378 |
| ASUSTOR--ADM | A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. This issue affects DataSync Center: from 1.1.0 before 1.1.0.r207, and from 1.2.0 before 1.2.0.r206. | 2025-07-09 | not yet calculated | CVE-2025-7379 |
| Shenzhen Liandian Communication Technology LTD--V380 IP Camera / AppFHE1_V1.0.6.0 | An OEM IP camera manufactured by Shenzhen Liandian Communication Technology LTD exposes a Telnet service (port 23) with undocumented, default credentials. The Telnet service is enabled by default and is not disclosed or configurable via the device's web interface or user manual. An attacker with network access can authenticate using default credentials and gain root-level shell access to the device. The affected firmware version is AppFHE1_V1.0.6.0 (Kernel: KerFHE1_PTZ_WIFI_V3.1.1, Hardware: HwFHE1_WF6_PTZ_WIFI_20201218). No official fix or firmware update is available, and the vendor could not be contacted. This vulnerability allows for remote code execution and privilege escalation. | 2025-07-11 | not yet calculated | CVE-2025-7503 |
Vulnerability Summary for the Week of June 30, 2025
Posted on Monday July 07, 2025
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| ABB--RMC-100 | Stack-based Buffer Overflow vulnerability in ABB RMC-100, ABB RMC-100 LITE. When the REST interface is enabled by the user, and an attacker gains access to the control network, and CVE-2025-6074 is exploited, the attacker can use the JSON configuration to overflow the date of expiration field.This issue affects RMC-100: from 2105457-043 through 2105457-045; RMC-100 LITE: from 2106229-015 through 2106229-016. | 2025-07-03 | 7.5 | CVE-2025-6072 |
| ABB--RMC-100 | Stack-based Buffer Overflow vulnerability in ABB RMC-100, ABB RMC-100 LITE. When the REST interface is enabled by the user, and an attacker gains access to the control network, and user/password broker authentication is enabled, and CVE-2025-6074 is exploited, the attacker can overflow the buffer for username or password. This issue affects RMC-100: from 2105457-043 through 2105457-045; RMC-100 LITE: from 2106229-015 through 2106229-016. | 2025-07-03 | 7.5 | CVE-2025-6073 |
| Alinto--SOPE | In Alinto SOPE SOGo 2.0.2 through 5.12.2, sope-core/NGExtensions/NGHashMap.m allows a NULL pointer dereference and SOGo crash via a request in which a parameter in the query string is a duplicate of a parameter in the POST body. | 2025-07-05 | 7.5 | CVE-2025-53603 |
| aonetheme--Service Finder Booking | Incorrect Privilege Assignment vulnerability in aonetheme Service Finder Booking allows Privilege Escalation. This issue affects Service Finder Booking: from n/a through 6.0. | 2025-07-04 | 9.8 | CVE-2025-23970 |
| ApusWP--Kossy - Minimalist eCommerce WordPress Theme | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusWP Kossy - Minimalist eCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Kossy - Minimalist eCommerce WordPress Theme: from n/a through 1.45. | 2025-07-04 | 8.1 | CVE-2025-52807 |
| asaquzzaman--WP Human Resource Management | The WP Human Resource Management plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the ajax_insert_employee() and update_empoyee() functions in versions 2.0.0 through 2.2.17. The AJAX handler reads the client-supplied $_POST['role'] and, after basic cleaning via hrm_clean(), passes it directly to wp_insert_user() and later to $user->set_role() without verifying that the current user is allowed to assign that role. This makes it possible for authenticated attackers, with Employee-level access and above, to elevate their privileges to administrator. | 2025-07-04 | 8.8 | CVE-2025-5953 |
| ASR--Falcon_LinuxKestrelLapwing_Linux | Out-of-bounds access in ASR180x ã€ASR190x in lte-telephony, This vulnerability is associated with program files apps/lzma/src/LzmaEnc.c. This issue affects Falcon_Linuxã€Kestrelã€Lapwing_Linux: before v1536. | 2025-07-01 | 7.4 | CVE-2025-49480 |
| ASR--Falcon_LinuxKestrelLapwing_Linux | Out-of-bounds write in ASR180x in lte-telephony, May cause a buffer underrun. This vulnerability is associated with program files apps/atcmd_server/src/dev_api.C. This issue affects Falcon_Linuxã€Kestrelã€Lapwing_Linux: before v1536. | 2025-07-01 | 7.4 | CVE-2025-49492 |
| awplife--Neom Blog | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in awplife Neom Blog allows Reflected XSS. This issue affects Neom Blog: from n/a through 0.0.9. | 2025-07-04 | 7.1 | CVE-2025-49274 |
| Bearsthemes--Alone | Improper Control of Generation of Code ('Code Injection') vulnerability in Bearsthemes Alone allows Remote Code Inclusion. This issue affects Alone: from n/a through 7.8.2. | 2025-07-04 | 7.2 | CVE-2025-52718 |
| Belkin--F9K1122 | A vulnerability was found in Belkin F9K1122 1.00.33. It has been declared as critical. This vulnerability affects the function formWpsStart of the file /goform/formWpsStart of the component webs. The manipulation of the argument pinCode leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.8 | CVE-2025-7084 |
| Belkin--F9K1122 | A vulnerability was found in Belkin F9K1122 1.00.33. It has been rated as critical. This issue affects the function formiNICWpsStart of the file /goform/formiNICWpsStart of the component webs. The manipulation of the argument pinCode leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.8 | CVE-2025-7085 |
| Belkin--F9K1122 | A vulnerability classified as critical has been found in Belkin F9K1122 1.00.33. Affected is the function formPPTPSetup of the file /goform/formPPTPSetup of the component webs. The manipulation of the argument pptpUserName leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.8 | CVE-2025-7086 |
| Belkin--F9K1122 | A vulnerability classified as critical was found in Belkin F9K1122 1.00.33. Affected by this vulnerability is the function formL2TPSetup of the file /goform/formL2TPSetup of the component webs. The manipulation of the argument L2TPUserName leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.8 | CVE-2025-7087 |
| Belkin--F9K1122 | A vulnerability, which was classified as critical, was found in Belkin F9K1122 1.00.33. This affects the function formPPPoESetup of the file /goform/formPPPoESetup of the component webs. The manipulation of the argument pppUserName leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.8 | CVE-2025-7088 |
| Belkin--F9K1122 | A vulnerability was found in Belkin F9K1122 1.00.33 and classified as critical. This issue affects the function formWanTcpipSetup of the file /goform/formWanTcpipSetup of the component webs. The manipulation of the argument pppUserName leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.8 | CVE-2025-7089 |
| Belkin--F9K1122 | A vulnerability, which was classified as critical, has been found in Belkin F9K1122 1.00.33. Affected by this issue is the function formConnectionSetting of the file /goform/formConnectionSetting of the component webs. The manipulation of the argument max_Conn/timeOut leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.8 | CVE-2025-7090 |
| Belkin--F9K1122 | A vulnerability was found in Belkin F9K1122 1.00.33. It has been classified as critical. Affected is the function formWlanMP of the file /goform/formWlanMP of the component webs. The manipulation of the argument ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.8 | CVE-2025-7091 |
| Belkin--F9K1122 | A vulnerability has been found in Belkin F9K1122 1.00.33 and classified as critical. This vulnerability affects the function formWlanSetupWPS of the file /goform/formWlanSetupWPS of the component webs. The manipulation of the argument wps_enrolee_pin/webpage leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.8 | CVE-2025-7092 |
| Belkin--F9K1122 | A vulnerability was found in Belkin F9K1122 1.00.33. It has been declared as critical. Affected by this vulnerability is the function formSetLanguage of the file /goform/formSetLanguage of the component webs. The manipulation of the argument webpage leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.8 | CVE-2025-7093 |
| Belkin--F9K1122 | A vulnerability was found in Belkin F9K1122 1.00.33. It has been rated as critical. Affected by this issue is the function formBSSetSitesurvey of the file /goform/formBSSetSitesurvey of the component webs. The manipulation of the argument submit-url-ok leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.8 | CVE-2025-7094 |
| BestWpDeveloper--WooCommerce Product Multi-Action | Deserialization of Untrusted Data vulnerability in BestWpDeveloper WooCommerce Product Multi-Action allows Object Injection. This issue affects WooCommerce Product Multi-Action: from n/a through 1.3. | 2025-07-04 | 9.8 | CVE-2025-49417 |
| bitto.kazi--Custom Login And Signup Widget | Improper Control of Generation of Code ('Code Injection') vulnerability in bitto.Kazi Custom Login And Signup Widget allows Code Injection.This issue affects Custom Login And Signup Widget: from n/a through 1.0. | 2025-07-01 | 9.1 | CVE-2025-49029 |
| bsecuretech--bSecure – Your Universal Checkout | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bsecuretech bSecure – Your Universal Checkout allows Blind SQL Injection. This issue affects bSecure – Your Universal Checkout: from n/a through 1.7.9. | 2025-07-04 | 9.3 | CVE-2025-52830 |
| Campcodes--Employee Management System | A vulnerability has been found in Campcodes Employee Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /applyleave.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 7.3 | CVE-2025-6954 |
| Campcodes--Employee Management System | A vulnerability was found in Campcodes Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /process/aprocess.php. The manipulation of the argument mailuid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 7.3 | CVE-2025-6955 |
| Campcodes--Employee Management System | A vulnerability was found in Campcodes Employee Management System 1.0. It has been classified as critical. This affects an unknown part of the file /changepassemp.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 7.3 | CVE-2025-6956 |
| Campcodes--Employee Management System | A vulnerability was found in Campcodes Employee Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /process/eprocess.php. The manipulation of the argument mailuid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 7.3 | CVE-2025-6957 |
| Campcodes--Employee Management System | A vulnerability was found in Campcodes Employee Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /edit.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 7.3 | CVE-2025-6958 |
| Campcodes--Employee Management System | A vulnerability classified as critical has been found in Campcodes Employee Management System 1.0. Affected is an unknown function of the file /eloginwel.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 7.3 | CVE-2025-6959 |
| Campcodes--Employee Management System | A vulnerability classified as critical was found in Campcodes Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /empproject.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 7.3 | CVE-2025-6960 |
| Campcodes--Employee Management System | A vulnerability, which was classified as critical, has been found in Campcodes Employee Management System 1.0. Affected by this issue is some unknown functionality of the file /mark.php. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 7.3 | CVE-2025-6961 |
| Campcodes--Employee Management System | A vulnerability, which was classified as critical, was found in Campcodes Employee Management System 1.0. This affects an unknown part of the file /myprofileup.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 7.3 | CVE-2025-6962 |
| Campcodes--Employee Management System | A vulnerability has been found in Campcodes Employee Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /myprofile.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 7.3 | CVE-2025-6963 |
| Campcodes--Sales and Inventory System | A vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /pages/payment_add.php. The manipulation of the argument cid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 7.3 | CVE-2025-6935 |
| Chimp Group--Home Villas | Real Estate WordPress Theme | The Home Villas | Real Estate WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wp_rem_cs_widget_file_delete' function in all versions up to, and including, 2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-07-02 | 8.8 | CVE-2025-5014 |
| Cisco--Cisco Unified Communications Manager | A vulnerability in Cisco Unified Communications Manager (Unified CM) and Cisco Unified Communications Manager Session Management Edition (Unified CM SME) could allow an unauthenticated, remote attacker to log in to an affected device using the root account, which has default, static credentials that cannot be changed or deleted. This vulnerability is due to the presence of static user credentials for the root account that are reserved for use during development. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user. | 2025-07-02 | 10 | CVE-2025-20309 |
| ClickandPledge--Click & Pledge Connect | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ClickandPledge Click & Pledge Connect allows Privilege Escalation. This issue affects Click & Pledge Connect: from 25.04010101 through WP6.8. | 2025-07-04 | 9.8 | CVE-2025-28983 |
| cmoreira--Team Showcase | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cmoreira Team Showcase allows DOM-Based XSS. This issue affects Team Showcase: from n/a through n/a. | 2025-07-04 | 7.1 | CVE-2025-49247 |
| cmoreira--Testimonials Showcase | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in cmoreira Testimonials Showcase allows Reflected XSS. This issue affects Testimonials Showcase: from n/a through 1.9.16. | 2025-07-04 | 7.1 | CVE-2025-49245 |
| cmsmasters--CMSMasters Content Composer | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer allows PHP Local File Inclusion. This issue affects CMSMasters Content Composer: from n/a through n/a. | 2025-07-04 | 8.1 | CVE-2025-4414 |
| code-projects--Car Rental System | A vulnerability was found in code-projects Car Rental System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/approve.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 7.3 | CVE-2025-6903 |
| code-projects--Car Rental System | A vulnerability was found in code-projects Car Rental System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /admin/add_cars.php. The manipulation of the argument car_name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 7.3 | CVE-2025-6904 |
| code-projects--Car Rental System | A vulnerability, which was classified as critical, has been found in code-projects Car Rental System 1.0. This issue affects some unknown processing of the file /signup.php. The manipulation of the argument fname leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 7.3 | CVE-2025-6905 |
| code-projects--Car Rental System | A vulnerability classified as critical has been found in code-projects Car Rental System 1.0. This affects an unknown part of the file /login.php. The manipulation of the argument uname leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 7.3 | CVE-2025-6906 |
| code-projects--Car Rental System | A vulnerability classified as critical was found in code-projects Car Rental System 1.0. This vulnerability affects unknown code of the file /book_car.php. The manipulation of the argument fname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 7.3 | CVE-2025-6907 |
| code-projects--Inventory Management System | A vulnerability classified as critical has been found in code-projects Inventory Management System 1.0. Affected is an unknown function of the file /php_action/createUser.php. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 7.3 | CVE-2025-6891 |
| code-projects--Inventory Management System | A vulnerability was found in code-projects Inventory Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /php_action/removeUser.php. The manipulation of the argument userid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 7.3 | CVE-2025-6901 |
| code-projects--Inventory Management System | A vulnerability was found in code-projects Inventory Management System 1.0. It has been classified as critical. Affected is an unknown function of the file /php_action/editUser.php. The manipulation of the argument edituserName leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 7.3 | CVE-2025-6902 |
| code-projects--Movie Ticketing System | A vulnerability was found in code-projects Movie Ticketing System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /logIn.php. The manipulation of the argument postName leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 7.3 | CVE-2025-6889 |
| code-projects--Online Hotel Booking | A vulnerability has been found in code-projects Online Hotel Booking 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/registration.php. The manipulation of the argument uname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 7.3 | CVE-2025-6917 |
| code-projects--Simple Pizza Ordering System | A vulnerability was found in code-projects Simple Pizza Ordering System 1.0. It has been classified as critical. This affects an unknown part of the file /addpro.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 7.3 | CVE-2025-6936 |
| code-projects--Simple Pizza Ordering System | A vulnerability was found in code-projects Simple Pizza Ordering System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /large.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 7.3 | CVE-2025-6937 |
| code-projects--Simple Pizza Ordering System | A vulnerability was found in code-projects Simple Pizza Ordering System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /editcus.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 7.3 | CVE-2025-6938 |
| CodeDropz--Drag and Drop Multiple File Upload (Pro) - WooCommerce | The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. The execution of PHP is disabled via a .htaccess file but is still possible in certain server configurations. | 2025-07-02 | 9.8 | CVE-2025-5746 |
| Comodo--Internet Security Premium | A vulnerability classified as critical was found in Comodo Internet Security Premium 12.3.4.8162. This vulnerability affects unknown code of the file cis_update_x64.xml of the component Manifest File Handler. The manipulation leads to improper validation of integrity check value. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.1 | CVE-2025-7096 |
| Comodo--Internet Security Premium | A vulnerability, which was classified as critical, has been found in Comodo Internet Security Premium 12.3.4.8162. This issue affects some unknown processing of the file cis_update_x64.xml of the component Manifest File Handler. The manipulation of the argument binary/params leads to os command injection. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.1 | CVE-2025-7097 |
| Cozmoslabs--Paid Member Subscriptions | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cozmoslabs Paid Member Subscriptions allows SQL Injection. This issue affects Paid Member Subscriptions: from n/a through 2.15.1. | 2025-07-04 | 7.5 | CVE-2025-49870 |
| CreedAlly--Bulk Featured Image | Unrestricted Upload of File with Dangerous Type vulnerability in CreedAlly Bulk Featured Image allows Upload a Web Shell to a Web Server. This issue affects Bulk Featured Image: from n/a through 1.2.1. | 2025-07-04 | 9.1 | CVE-2025-28951 |
| cyanheads--git-mcp-server | @cyanheads/git-mcp-server is an MCP server designed to interact with Git repositories. Prior to version 2.1.5, there is a command injection vulnerability caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). An MCP Client can be instructed to execute additional actions for example via indirect prompt injection when asked to read git logs. This issue has been patched in version 2.1.5. | 2025-07-01 | 7.5 | CVE-2025-53107 |
| cybio--Gallery Widget | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in cybio Gallery Widget allows SQL Injection. This issue affects Gallery Widget: from n/a through 1.2.1. | 2025-07-04 | 8.5 | CVE-2025-28969 |
| D-Link--DI-8100 | A vulnerability was found in D-Link DI-8100 16.07.21. It has been rated as critical. Affected by this issue is some unknown functionality of the file /pppoe_base.asp of the component jhttpd. The manipulation of the argument mschap_en leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 8.8 | CVE-2025-6881 |
| D-Link--DIR-513 | A vulnerability classified as critical has been found in D-Link DIR-513 1.0. This affects an unknown part of the file /goform/formSetWanPPTP. The manipulation of the argument curTime leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-06-30 | 8.8 | CVE-2025-6882 |
| Dell--OpenManage Network Integration | Dell OpenManage Network Integration, versions prior to 3.8, contains an Authentication Bypass by Capture-replay vulnerability in the RADIUS protocol. An attacker with local network access could potentially exploit this vulnerability to forge a valid protocol accept message in response to a failed authentication request. | 2025-06-30 | 8.8 | CVE-2025-36593 |
| Delta Electronics--DTM Soft | Delta Electronics DTM Soft Project File Parsing Deserialization of Untrusted Data Remote Code Execution | 2025-06-30 | 7.8 | CVE-2025-53415 |
| designthemes--LMS | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in designthemes LMS allows SQL Injection. This issue affects LMS: from n/a through 9.1. | 2025-07-04 | 9.3 | CVE-2025-52833 |
| designthemes--Red Art | Deserialization of Untrusted Data vulnerability in designthemes Red Art allows Object Injection. This issue affects Red Art: from n/a through 3.7. | 2025-07-04 | 8.8 | CVE-2025-52828 |
| dunskii--Booking X Appointment and Reservation Availability Calendar | The Booking X plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_now() function in versions 1.0 to 1.1.2. This makes it possible for unauthenticated attackers to download all plugin data, including user accounts, user meta, and PayPal credentials, by issuing a crafted POST request. | 2025-07-04 | 7.5 | CVE-2025-6814 |
| e4jvikwp--VikRentCar Car Rental Management System | The VikRentCar Car Rental Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the do_updatecar and createcar functions in all versions up to, and including, 1.4.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. | 2025-07-03 | 7.2 | CVE-2025-5322 |
| electron--electron | Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 30.0.0-alpha.1 to before 30.0.5 and 31.0.0-alpha.1 to before 31.0.0-beta.1, Electron is vulnerable to an ASAR Integrity bypass. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is specific to Windows, apps using these fuses on macOS are not impacted. Specifically this issue can only be exploited if the app is launched from a filesystem the attacker has write access too. i.e. the ability to edit files inside the .app bundle on macOS which these fuses are supposed to protect against. This issue has been patched in versions 30.0.5 and 31.0.0-beta.1. There are no workarounds for this issue. | 2025-07-01 | 7.8 | CVE-2024-46992 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The application is vulnerable to SQL injection attacks. An attacker is able to dump the PostgreSQL database and read its content. | 2025-07-03 | 8.6 | CVE-2025-1708 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The maxView Storage Manager does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks. | 2025-07-03 | 7.5 | CVE-2025-1710 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The web application is susceptible to cross-site-scripting attacks. An attacker can create a prepared URL, which injects JavaScript code into the website. The code is executed in the victim's browser when an authenticated administrator clicks the link. | 2025-07-03 | 7.4 | CVE-2025-27447 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The MEAC300-FNADE4 does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks. | 2025-07-03 | 7.5 | CVE-2025-27449 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The SMB server's login mechanism does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it susceptible to brute-force attacks. | 2025-07-03 | 7.5 | CVE-2025-27456 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The hard drives of the device are not encrypted using a full volume encryption feature such as BitLocker. This allows an attacker with physical access to the device to use an alternative operating system to interact with the hard drives, completely circumventing the Windows login. The attacker can read from and write to all files on the hard drives. | 2025-07-03 | 7.6 | CVE-2025-27460 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | During startup, the device automatically logs in the EPC2 Windows user without requesting a password. | 2025-07-03 | 7.6 | CVE-2025-27461 |
| eyecix--JobSearch | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eyecix JobSearch allows Reflected XSS. This issue affects JobSearch: from n/a through 2.9.0. | 2025-07-04 | 7.1 | CVE-2025-52798 |
| Fastw3b LLC--FW Gallery | Unrestricted Upload of File with Dangerous Type vulnerability in Fastw3b LLC FW Gallery allows Using Malicious Files. This issue affects FW Gallery: from n/a through 8.0.0. | 2025-07-04 | 10 | CVE-2025-49414 |
| favethemes--Homey | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey allows Reflected XSS. This issue affects Homey: from n/a through 2.4.5. | 2025-07-04 | 7.1 | CVE-2025-31037 |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they are authorized for. The concrete impact of this vulnerability depends on the commands configured, and the binaries installed on the server or in the container image. Due to the missing separation of scopes on the OS-level, this could give an attacker access to all files managed the application, including the File Browser database. This issue has been patched in version 2.33.10. | 2025-06-30 | 8.1 | CVE-2025-52995 |
| gluestack--gluestack-ui | gluestack-ui is a library of copy-pasteable components & patterns crafted with Tailwind CSS (NativeWind). Prior to commit e6b4271, a command injection vulnerability was discovered in the discussion-to-slack.yml GitHub Actions workflow. Untrusted discussion fields (title, body, etc.) were directly interpolated into shell commands in a run: block. An attacker could craft a malicious GitHub Discussion title or body (e.g., $(curl ...)) to execute arbitrary shell commands on the Actions runner. This issue has been fixed in commit e6b4271 where the discussion-to-slack.yml workflow was removed. Users should remove the discussion-to-slack.yml workflow if using a fork or derivative of this repository. | 2025-07-01 | 9.1 | CVE-2025-53104 |
| gopiplus--Cool fade popup | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Cool fade popup allows Blind SQL Injection. This issue affects Cool fade popup: from n/a through 10.1. | 2025-07-04 | 8.5 | CVE-2025-30947 |
| gopiplus--iFrame Images Gallery | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus iFrame Images Gallery allows SQL Injection. This issue affects iFrame Images Gallery: from n/a through 9.0. | 2025-07-04 | 8.5 | CVE-2025-30969 |
| gopiplus--Pixelating image slideshow gallery | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in gopiplus Pixelating image slideshow gallery allows SQL Injection. This issue affects Pixelating image slideshow gallery: from n/a through 8.0. | 2025-07-04 | 8.5 | CVE-2025-30979 |
| Hung Trang Si--SB Breadcrumbs | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hung Trang Si SB Breadcrumbs allows Reflected XSS. This issue affects SB Breadcrumbs: from n/a through 1.0. | 2025-07-04 | 7.1 | CVE-2025-28978 |
| ifm electronic GmbH--ifm Smart PLC AC4xxS Firmware | The endpoint hosts a script that allows an unauthorized remote attacker to put the system in a fail-safe state over the network due to missing authentication. | 2025-06-30 | 7.5 | CVE-2024-8419 |
| Infinera--G42 | The target device exposes a service on a specific TCP port with a configured endpoint. The access to that endpoint is granted using a Basic Authentication method. The endpoint accepts also the PUT method and it is possible to write files on the target device file system. Files are written as root. Using Postman it is possible to perform a Directory Traversal attack and write files into any location of the device file system. Similarly to the PUT method, it is possible to leverage the same mechanism to read any file from the file system by using the GET method. | 2025-07-02 | 8.8 | CVE-2025-27025 |
| Infinera--G42 | The misconfiguration in the sudoers configuration of the operating system in Infinera G42 version R6.1.3 allows low privileged OS users to read/write physical memory via devmem command line tool. This could allow sensitive information disclosure, denial of service, and privilege escalation by tampering with kernel memory. Details: The output of "sudo -l" reports the presence of "devmem" command executable as super user without using a password. This command allows to read and write an arbitrary memory area of the target device, specifying an absolute address. | 2025-07-02 | 7 | CVE-2025-27021 |
| Infinera--G42 | A path traversal vulnerability of the WebGUI HTTP endpoint in Infinera G42 version R6.1.3 allows remote authenticated users to download all OS files via HTTP requests. Details: Lack or insufficient validation of user-supplied input allows authenticated users to access all files on the target machine file system that are readable to the user account used to run the httpd service. | 2025-07-02 | 7.5 | CVE-2025-27022 |
| InspiryThemes--RealHomes | Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes allows Privilege Escalation. This issue affects RealHomes: from n/a through 4.4.0. | 2025-07-04 | 9.8 | CVE-2025-49867 |
| jkdevstudio--JKDEVKIT | The JKDEVKIT plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'font_upload_handler' function in all versions up to, and including, 1.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). If WooCommerce is enabled, attackers will need Contributor-level access and above. | 2025-07-03 | 8.8 | CVE-2025-2932 |
| jokob-sk--NetAlertX | NetAlertX is a network, presence scanner, and alert framework. Prior to version 25.6.7, a vulnerability in the authentication logic allows users to bypass password verification using SHA-256 magic hashes, due to loose comparison in PHP. In vulnerable versions of the application, a password comparison is performed using the `==` operator at line 40 in front/index.php. This introduces a security issue where specially crafted "magic hash" values that evaluate to true in a loose comparison can bypass authentication. Because of the use of `==` instead of the strict `===`, different strings that begin with 0e and are followed by only digits can be interpreted as scientific notation (i.e., zero) and treated as equal. This issue falls under the Login Bypass vulnerability class. Users with certain "weird" passwords that produce magic hashes are particularly affected. Services relying on this logic are at risk of unauthorized access. Version 25.6.7 fixes the vulnerability. | 2025-07-04 | 9.4 | CVE-2025-48952 |
| LambertGroup--All In One Slider Responsive | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup All In One Slider Responsive allows SQL Injection. This issue affects All In One Slider Responsive: from n/a through 3.7.9. | 2025-07-04 | 8.5 | CVE-2025-24748 |
| LCweb--PrivateContent - Mail Actions | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LCweb PrivateContent - Mail Actions allows PHP Local File Inclusion. This issue affects PrivateContent - Mail Actions: from n/a through 2.3.2. | 2025-07-04 | 7.5 | CVE-2025-47627 |
| LiquidThemes--LogisticsHub | Unrestricted Upload of File with Dangerous Type vulnerability in LiquidThemes LogisticsHub allows Upload a Web Shell to a Web Server. This issue affects LogisticsHub: from n/a through 1.1.6. | 2025-07-04 | 10 | CVE-2025-30933 |
| LizardByte--Sunshine | Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Cross-Site Request Forgery (CSRF) attacks. This vulnerability allows an attacker to craft a malicious web page that, when visited by an authenticated user, can trigger unintended actions within the Sunshine application on behalf of that user. Specifically, since the application does OS command execution by design, this issue can be exploited to abuse the "Command Preparations" feature, enabling an attacker to inject arbitrary commands that will be executed with Administrator privileges when an application is launched. This issue has been patched in version 2025.628.4510. | 2025-07-01 | 9.7 | CVE-2025-53095 |
| machouinard--Aviation Weather from NOAA | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in machouinard Aviation Weather from NOAA allows Path Traversal. This issue affects Aviation Weather from NOAA: from n/a through 0.7.2. | 2025-07-04 | 7.7 | CVE-2025-28980 |
| Mbed--mbedtls | Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program, or perform a GCM forgery. | 2025-07-04 | 7.8 | CVE-2025-52496 |
| metagauss--Download Plugin | The Download Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dpwap_plugin_locInstall function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. | 2025-07-04 | 7.2 | CVE-2025-6586 |
| Microsoft--Microsoft Edge (Chromium-based) | Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network. | 2025-07-02 | 8.8 | CVE-2025-49713 |
| Microsoft--Microsoft Edge (Chromium-based) | No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network. | 2025-07-01 | 7.4 | CVE-2025-49741 |
| mtr--mtr | mtr through 0.95, in certain privileged contexts, mishandles execution of a program specified by the MTR_PACKET environment variable. NOTE: mtr on macOS may often have Sudo rules, as an indirect consequence of Homebrew not installing setuid binaries. | 2025-07-04 | 7.8 | CVE-2025-49809 |
| NasaTheme--Elessi | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NasaTheme Elessi allows PHP Local File Inclusion. This issue affects Elessi: from n/a through n/a. | 2025-07-04 | 7.5 | CVE-2025-49070 |
| Nikel--Beautiful Cookie Consent Banner | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nikel Beautiful Cookie Consent Banner allows Reflected XSS. This issue affects Beautiful Cookie Consent Banner: from n/a through 4.6.1. | 2025-07-04 | 7.1 | CVE-2025-49866 |
| Odin_Design--Vikinger | The Vikinger theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the vikinger_delete_activity_media_ajax() function in all versions up to, and including, 1.9.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: Requires Vikinger Media plugin to be installed and active. | 2025-07-02 | 8.1 | CVE-2025-4946 |
| OP-TEE--optee_os | OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. In version 4.5.0, using a specially crafted tee-supplicant binary running in REE userspace, an attacker can trigger a panic in a TA that uses the libutee Secure Storage API. Many functions in libutee, specifically those which make up the Secure Storage API, will panic if a system call returns an unexpected return code. This behavior is mandated by the TEE Internal Core API specification. However, in OP-TEE's implementation, return codes of secure storage operations are passed through unsanitized from the REE tee-supplicant, through the Linux kernel tee-driver, through the OP-TEE kernel, back to libutee. Thus, an attacker with access to REE userspace, and the ability to stop tee-supplicant and replace it with their own process (generally trivial for a root user, and depending on the way permissions are set up, potentially available even to less privileged users) can run a malicious tee-supplicant process that responds to storage requests with unexpected response codes, triggering a panic in the requesting TA. This is particularly dangerous for TAs built with `TA_FLAG_SINGLE_INSTANCE` (corresponding to `gpd.ta.singleInstance` and `TA_FLAG_INSTANCE_KEEP_ALIVE` (corresponding to `gpd.ta.keepAlive`). The behavior of these TAs may depend on memory that is preserved between sessions, and the ability of an attacker to panic the TA and reload it with a clean memory space can compromise the behavior of those TAs. A critical example of this is the optee_ftpm TA. It uses the kept alive memory to hold PCR values, which crucially must be non-resettable. An attacker who can trigger a panic in the fTPM TA can reset the PCRs, and then extend them PCRs with whatever they choose, falsifying boot measurements, accessing sealed data, and potentially more. The impact of this issue depends significantly on the behavior of affected TAs. For some, it could manifest as a denial of service, while for others, like the fTPM TA, it can result in the disclosure of sensitive data. Anyone running the fTPM TA is affected, but similar attacks may be possible on other TAs that leverage the Secure Storage API. A fix is available in commit 941a58d78c99c4754fbd4ec3079ec9e1d596af8f. | 2025-07-04 | 7.9 | CVE-2025-46733 |
| optinlyhq--GoZen Forms | The GoZen Forms plugin for WordPress is vulnerable to SQL Injection via the 'forms-id' parameter of the dirGZActiveForm() function in all versions up to, and including, 1.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-07-04 | 7.5 | CVE-2025-6782 |
| optinlyhq--GoZen Forms | The GoZen Forms plugin for WordPress is vulnerable to SQL Injection via the 'forms-id' parameter of the emdedSc() function in all versions up to, and including, 1.1.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-07-04 | 7.5 | CVE-2025-6783 |
| OTWthemes--Content Manager Light | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTWthemes Content Manager Light allows Reflected XSS. This issue affects Content Manager Light: from n/a through 3.2. | 2025-07-04 | 7.1 | CVE-2025-24771 |
| PeepSo--PeepSo Core: Groups | The PeepSo Core: Groups plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Group Description field in all versions up to, and including, 6.4.6.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-03 | 7.2 | CVE-2024-9017 |
| PHPGurukul--Teachers Record Management System | A vulnerability, which was classified as critical, was found in PHPGurukul Teachers Record Management System 2.1. Affected is an unknown function of the file /admin/edit-teacher-detail.php. The manipulation of the argument tid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 7.3 | CVE-2025-6885 |
| PHPGurukul--Teachers Record Management System | A vulnerability was found in PHPGurukul Teachers Record Management System 2.1. It has been classified as critical. This affects an unknown part of the file /admin/changeimage.php. The manipulation of the argument tid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 7.3 | CVE-2025-6888 |
| pietro--MobiLoud | Missing Authorization vulnerability in pietro MobiLoud allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MobiLoud: from n/a through 4.6.5. | 2025-07-04 | 8.1 | CVE-2025-52813 |
| Pilz--IndustrialPI 4 with Firmware Bullseye | An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default. | 2025-07-01 | 10 | CVE-2025-41656 |
| Pilz--IndustrialPI 4 with IndustrialPI webstatus | An unauthenticated remote attacker can bypass the login to the web application of the affected devices making it possible to access and change all available settings of the IndustrialPI. | 2025-07-01 | 9.8 | CVE-2025-41648 |
| printcart--Printcart Web to Print Product Designer for WooCommerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce allows SQL Injection. This issue affects Printcart Web to Print Product Designer for WooCommerce: from n/a through 2.4.0. | 2025-07-04 | 8.5 | CVE-2025-24780 |
| python-pillow--Pillow | Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large (>64k encoded with default settings) image in the DDS format due to writing into a buffer without checking for available space. This only affects users who save untrusted data as a compressed DDS image. This issue has been patched in version 11.3.0. | 2025-07-01 | 7.1 | CVE-2025-48379 |
| QuanticaLabs--Pressroom - News Magazine WordPress Theme | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs Pressroom - News Magazine WordPress Theme allows Reflected XSS. This issue affects Pressroom - News Magazine WordPress Theme: from n/a through 6.9. | 2025-07-04 | 7.1 | CVE-2025-32311 |
| quantumcloud--Simple Link Directory | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in quantumcloud Simple Link Directory allows SQL Injection. This issue affects Simple Link Directory: from n/a through 14.7.3. | 2025-07-04 | 8.5 | CVE-2025-32297 |
| Quest--KACE Systems Management Appliance | The agent in Quest KACE Systems Management Appliance (SMA) before 14.0.97 and 14.1.x before 14.1.19 potentially allows privilege escalation on managed systems. | 2025-07-04 | 9.3 | CVE-2025-26850 |
| Red Hat--Red Hat Ansible Automation Platform 2.5 for RHEL 8 | A flaw was found in Ansible Automation Platform's EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker to inject arguments and execute arbitrary commands on the EDA worker. In Kubernetes/OpenShift environments, this can lead to service account token theft and cluster access. | 2025-06-30 | 8.8 | CVE-2025-49520 |
| Red Hat--Red Hat Ansible Automation Platform 2.5 for RHEL 8 | A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated users to inject expressions that execute commands or access sensitive files on the EDA worker. In OpenShift, it can lead to service account token theft. | 2025-06-30 | 8.8 | CVE-2025-49521 |
| Scott Paterson--Easy Stripe | Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson Easy Stripe allows Remote Code Inclusion. This issue affects Easy Stripe: from n/a through 1.1. | 2025-07-04 | 10 | CVE-2025-49302 |
| ScriptCase--ScriptCase | In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), the Administrator password reset mechanism is mishandled. Making both a GET and a POST request to login.php.is sufficient. An unauthenticated attacker can then bypass authentication via administrator account takeover. | 2025-07-05 | 7.5 | CVE-2025-47227 |
| scripteo--Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. This is due to the presence of a SQL Injection vulnerability and Local File Inclusion vulnerability that can be chained with an image upload. This makes it possible for unauthenticated attackers to execute code on the server upload image files on the server than can be fetched via a SQL injection vulnerability, and ultimately executed as PHP code through the local file inclusion vulnerability. | 2025-07-02 | 9.8 | CVE-2025-4689 |
| scripteo--Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.89 via the 'bsa_template' parameter of the `bsa_preview_callback` function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases .php files can can be uploaded and included, or already exist on the site. | 2025-07-02 | 8.1 | CVE-2025-4380 |
| scripteo--Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.89. This is due to missing or incorrect nonce validation on the bsaCreateAdTemplate function. This makes it possible for unauthenticated attackers to inject and execute arbitrary PHP code via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-02 | 8.8 | CVE-2025-6459 |
| scripteo--Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the '$id' variable of the getSpace() function in all versions up to, and including, 4.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-07-02 | 7.5 | CVE-2025-4381 |
| scripteo--Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the 'bsa_pro_id' parameter in all versions up to, and including, 4.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-07-02 | 7.5 | CVE-2025-5339 |
| scripteo--Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager | The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to SQL Injection via the 'oid' parameter in all versions up to, and including, 4.89 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-07-02 | 7.5 | CVE-2025-6437 |
| Shenzhen Libituo Technology--LBT-T300-T310 | A vulnerability classified as critical has been found in Shenzhen Libituo Technology LBT-T300-T310 up to 2.2.3.6. This affects the function config_3g_para of the file /appy.cgi. The manipulation of the argument username_3g/password_3g leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 8.8 | CVE-2025-7077 |
| smackcoders--Lead Form Data Collection to CRM | The Lead Form Data Collection to CRM plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the doFieldAjaxAction() function in all versions up to, and including, 3.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Other AJAX actions handling plugin settings are also insufficiently protected and exploitable. | 2025-07-02 | 8.8 | CVE-2025-5692 |
| StarCitizenTools--mediawiki-extensions-ShortDescription | Short Description is a MediaWiki extension that provides local short description support. In version 4.0.0, short descriptions are not properly sanitized before being inserted as HTML using mw.util.addSubtitle, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 4.0.1. | 2025-07-03 | 8.6 | CVE-2025-53369 |
| StarCitizenTools--mediawiki-skins-Citizen | Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, page descriptions are inserted into raw HTML without proper sanitization by the Citizen skin when using the old search bar. Any user with page editing privileges can insert cross-site scripting (XSS) payloads into the DOM for other users who are searching for specific pages. This issue has been patched in version 3.4.0. | 2025-07-03 | 8.6 | CVE-2025-53368 |
| StarCitizenTools--mediawiki-skins-Citizen | Citizen is a MediaWiki skin that makes extensions part of the cohesive experience. From versions 1.9.4 to before 3.4.0, short descriptions set via the ShortDescription extension are inserted as raw HTML by the Citizen skin, allowing any user to insert arbitrary HTML into the DOM by editing a page. This issue has been patched in version 3.4.0. | 2025-07-03 | 8.6 | CVE-2025-53370 |
| Steve Truman--Contact Us page - Contact people LITE | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Steve Truman Contact Us page - Contact people LITE allows SQL Injection. This issue affects Contact Us page - Contact people LITE: from n/a through 3.7.4. | 2025-07-04 | 8.5 | CVE-2025-28967 |
| Sudo project--Sudo | Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option. | 2025-06-30 | 9.3 | CVE-2025-32463 |
| suhailahmad64--Amazon Products to WooCommerce | The Amazon Products to WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.2.7 via the wcta2w_get_urls(). This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-07-02 | 7.2 | CVE-2025-5817 |
| TeconceTheme--Allmart | Server-Side Request Forgery (SSRF) vulnerability in TeconceTheme Allmart allows Server Side Request Forgery. This issue affects Allmart: from n/a through 1.0.0. | 2025-07-04 | 7.2 | CVE-2025-49418 |
| Tenable--Nessus | In Tenable Nessus versions prior to 10.8.5 on a Windows host, it was found that a non-administrative user could overwrite arbitrary local system files with log content at SYSTEM privilege. | 2025-07-01 | 8.4 | CVE-2025-36630 |
| Tenda--AC5 | A vulnerability has been found in Tenda AC5 15.03.06.47 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /goform/openSchedWifi. The manipulation of the argument schedStartTime/schedEndTime leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 8.8 | CVE-2025-6886 |
| Tenda--AC5 | A vulnerability was found in Tenda AC5 15.03.06.47 and classified as critical. Affected by this issue is some unknown functionality of the file /goform/SetSysTimeCfg. The manipulation of the argument time/timeZone leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 8.8 | CVE-2025-6887 |
| tggfref--WP-Recall | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tggfref WP-Recall allows Reflected XSS. This issue affects WP-Recall: from n/a through 16.26.14. | 2025-07-04 | 7.1 | CVE-2025-52796 |
| thanhtungtnt--Video List Manager | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in thanhtungtnt Video List Manager allows SQL Injection. This issue affects Video List Manager: from n/a through 1.7. | 2025-07-04 | 9.3 | CVE-2025-52831 |
| thanhtungtnt--Video List Manager | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thanhtungtnt Video List Manager allows Stored XSS. This issue affects Video List Manager: from n/a through 1.7. | 2025-07-04 | 7.1 | CVE-2025-52776 |
| ThemeREX--Education Center | LMS & Online Courses WordPress Theme | The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | 2025-07-02 | 9.8 | CVE-2024-13786 |
| themesgrove--Download Manager and Payment Form WordPress Plugin WP SmartPay | The Download Manager and Payment Form WordPress Plugin - WP SmartPay plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 1.1.0 to 2.7.13. This is due to the plugin not properly validating a user's identity prior to updating their email through the update() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. | 2025-07-02 | 8.8 | CVE-2025-3848 |
| tigroumeow--AI Engine | The AI Engine plugin for WordPress is vulnerable to open redirect in version 2.8.4. This is due to an insecure OAuth implementation, as the 'redirect_uri' parameter is missing validation during the authorization flow. This makes it possible for unauthenticated attackers to intercept the authorization code and obtain an access token by redirecting the user to an attacker-controlled URI. Note: OAuth is disabled, the 'Meow_MWAI_Labs_OAuth' class is not loaded in the plugin in the patched version 2.8.5. | 2025-07-04 | 8 | CVE-2025-6238 |
| TOTOLINK--A3002RU | A vulnerability classified as critical has been found in TOTOLINK A3002RU 3.0.0-B20230809.1615. Affected is an unknown function of the file /boafrm/formWlSiteSurvey of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 8.8 | CVE-2025-6939 |
| TOTOLINK--A3002RU | A vulnerability, which was classified as critical, was found in TOTOLINK A3002RU 3.0.0-B20230809.1615. Affected is an unknown function of the file /boafrm/formParentControl of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 8.8 | CVE-2025-6953 |
| TOTOLINK--A702R | A vulnerability classified as critical was found in TOTOLINK A702R 4.0.0-B20230721.1521. Affected by this vulnerability is an unknown functionality of the file /boafrm/formParentControl of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-07-01 | 8.8 | CVE-2025-6940 |
| TOTOLINK--T6 | A vulnerability, which was classified as critical, was found in TOTOLINK T6 4.1.5cu.748_B20211015. This affects the function Form_Login of the file /formLoginAuth.htm. The manipulation of the argument authCode/goURL leads to missing authentication. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 8.8 | CVE-2025-6916 |
| Tunnelblick Project--Tunnelblick | Tunnelblick 3.5beta06 before 7.0, when incompletely uninstalled, allows attackers to execute arbitrary code as root (upon the next boot) by dragging a crafted Tunnelblick.app file into /Applications. | 2025-07-04 | 8.1 | CVE-2025-43711 |
| ValvePress--Rankie | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ValvePress Rankie allows Reflected XSS. This issue affects Rankie: from n/a through 1.8.2. | 2025-07-04 | 7.1 | CVE-2025-39487 |
| VaultDweller--Leyka | Path Traversal vulnerability in VaultDweller Leyka allows PHP Local File Inclusion. This issue affects Leyka: from n/a through 3.31.9. | 2025-07-04 | 7.5 | CVE-2025-52805 |
| vercel--next.js | Next.js is a React framework for building full-stack web applications. From versions 15.0.4-canary.51 to before 15.1.8, a cache poisoning bug leading to a Denial of Service (DoS) condition was found in Next.js. This issue does not impact customers hosted on Vercel. Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page. This issue has been addressed in version 15.1.8. | 2025-07-03 | 7.5 | CVE-2025-49826 |
| Vladimir Prelovac--WP Wall | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Prelovac WP Wall allows Reflected XSS. This issue affects WP Wall: from n/a through 1.7.3. | 2025-07-04 | 7.1 | CVE-2025-28968 |
| WPCenter--AiBud WP | Unrestricted Upload of File with Dangerous Type vulnerability in WPCenter AiBud WP allows Upload a Web Shell to a Web Server.This issue affects AiBud WP: from n/a through 1.8.5. | 2025-07-03 | 9.1 | CVE-2025-23968 |
| wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. This makes it possible for unauthenticated attackers to include arbitrary file paths in a form submission. The file will be deleted when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. This can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2025-07-02 | 8.8 | CVE-2025-6463 |
| wpmudev--Forminator Forms Contact Form, Payment Form & Custom Form Builder | The Forminator Forms - Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.44.2 via deserialization of untrusted input in the 'entry_delete_upload_files' function. This makes it possible for unauthenticated attackers to inject a PHP Object through a PHAR file. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. Deserialization occurs when the form submission is deleted, whether by an Administrator or via auto-deletion determined by plugin settings. | 2025-07-02 | 7.5 | CVE-2025-6464 |
| wpo-HR--NGG Smart Image Search | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpo-HR NGG Smart Image Search allows SQL Injection. This issue affects NGG Smart Image Search: from n/a through 3.4.1. | 2025-07-04 | 9.3 | CVE-2025-52832 |
| wpopal--Opal Estate Pro Property Management and Submission | The Opal Estate Pro - Property Management and Submission plugin for WordPress, used by the FullHouse - Real Estate Responsive WordPress Theme, is vulnerable to privilege escalation via in all versions up to, and including, 1.7.5. This is due to a lack of role restriction during registration in the 'on_regiser_user' function. This makes it possible for unauthenticated attackers to arbitrarily choose the role, including the Administrator role, assigned when registering. | 2025-07-01 | 9.8 | CVE-2025-6934 |
| wpvividplugins--Migration, Backup, Staging WPvivid Backup & Migration | The Migration, Backup, Staging - WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'wpvivid_upload_import_files' function in all versions up to, and including, 0.9.116. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. NOTE: Uploaded files are only accessible on WordPress instances running on the NGINX web server as the existing .htaccess within the target file upload folder prevents access on Apache servers. | 2025-07-03 | 7.2 | CVE-2025-5961 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| A. Jones--(Simply) Guest Author Name | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A. Jones (Simply) Guest Author Name allows DOM-Based XSS. This issue affects (Simply) Guest Author Name: from n/a through 4.36. | 2025-07-04 | 6.5 | CVE-2025-24764 |
| Aakif Kadiwala--Posts Slider Shortcode | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aakif Kadiwala Posts Slider Shortcode allows DOM-Based XSS. This issue affects Posts Slider Shortcode: from n/a through 1.0. | 2025-07-04 | 6.5 | CVE-2025-30943 |
| ABB--Lite Panel Pro | Insufficient Session Expiration vulnerability in ABB Lite Panel Pro.This issue affects Lite Panel Pro: through 1.0.1. | 2025-06-30 | 6.7 | CVE-2025-4407 |
| ABB--RMC-100 | Use of Hard-coded Cryptographic Key vulnerability in ABB RMC-100, ABB RMC-100 LITE. When the REST interface is enabled by the user, and an attacker gains access to source code and control network, the attacker can bypass the REST interface authentication and gain access to MQTT configuration data. This issue affects RMC-100: from 2105457-043 through 2105457-045; RMC-100 LITE: from 2106229-015 through 2106229-016. | 2025-07-03 | 6.5 | CVE-2025-6074 |
| ABB--RMC-100 | Use of Hard-coded Cryptographic Key vulnerability in ABB RMC-100, ABB RMC-100 LITE. An attacker can gain access to salted information to decrypt MQTT information. This issue affects RMC-100: from 2105457-043 through 2105457-045; RMC-100 LITE: from 2106229-015 through 2106229-016. | 2025-07-03 | 5.3 | CVE-2025-6071 |
| Akamai--CloudTest | Akamai CloudTest before 60 2025.06.02 (12988) allows file inclusion via XML External Entity (XXE) injection. | 2025-06-30 | 5.8 | CVE-2025-49493 |
| Akamai--CloudTest | Akamai CloudTest before 60 2025.06.09 (12989) allows SSRF. | 2025-06-30 | 5.8 | CVE-2025-52491 |
| AmauriC--tarteaucitron.js | tarteaucitron.js is a compliant and accessible cookie banner. Prior to version 1.22.0, a vulnerability was identified in tarteaucitron.js where document.currentScript was accessed without verifying that it referenced an actual <script> element. If an attacker injected an HTML element, it could clobber the document.currentScript property. This causes the script to resolve incorrectly to an element instead of the <script> tag, leading to unexpected behavior or failure to load the script path correctly. This issue arises because in some browser environments, named DOM elements become properties on the global document object. An attacker with control over the HTML could exploit this to change the CDN domain of tarteaucitron. This issue has been patched in version 1.22.0. | 2025-07-03 | 4.2 | CVE-2025-48939 |
| amazewp--fluXtore | Missing Authorization vulnerability in amazewp fluXtore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects fluXtore: from n/a through 1.6.0. | 2025-07-04 | 5.3 | CVE-2025-30929 |
| antwerpes--DocCheck Login | The DocCheck Login plugin for WordPress is vulnerable to unauthorized post access in all versions up to, and including, 1.1.5. This is due to plugin redirecting a user to login on a password protected post after the page has loaded. This makes it possible for unauthenticated attackers to read posts they should not have access to. | 2025-07-04 | 5.3 | CVE-2025-6786 |
| Apache Software Foundation--Apache Guacamole | The terminal emulator of Apache Guacamole 1.5.5 and older does not properly validate console codes received from servers via text-based protocols like SSH. If a malicious user has access to a text-based connection, a specially-crafted sequence of console codes could allow arbitrary code to be executed with the privileges of the running guacd process. Users are recommended to upgrade to version 1.6.0, which fixes this issue. | 2025-07-02 | 6.8 | CVE-2024-35164 |
| AresIT--WP Compress | Weak Authentication vulnerability in AresIT WP Compress allows Authentication Abuse. This issue affects WP Compress: from n/a through 6.30.30. | 2025-07-04 | 5.3 | CVE-2025-47479 |
| arshidkv12--Contact Form 7 Database Addon CFDB7 | The Contact Form 7 Database Addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tmpD' parameter in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-04 | 6.1 | CVE-2025-6740 |
| asaquzzaman--WP Human Resource Management | The WP Human Resource Management plugin for WordPress is vulnerable to Arbitrary User Deletion due to a missing authorization within the ajax_delete_employee() function in versions 2.0.0 through 2.2.17. The plugin's deletion handler reads the client-supplied $_POST['delete'] array and passes each ID directly to wp_delete_user() without verifying that the caller has the delete_users capability or limiting which user IDs may be removed. This makes it possible for authenticated attackers, with Employee-level access and above, to delete arbitrary accounts, including administrators. | 2025-07-04 | 6.5 | CVE-2025-5956 |
| ashanjay--EventON | Missing Authorization vulnerability in ashanjay EventON allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventON: from n/a through 4.9.9. | 2025-07-04 | 6.3 | CVE-2025-47565 |
| ASR--Falcon_LinuxKestrelLapwing_Linux | Improper Resource Shutdown or Release vulnerability in ASR180x ã€ASR190x in router modules allows Resource Leak Exposure. This vulnerability is associated with program files router/phonebook/pbwork-queue.C. This issue affects Falcon_Linuxã€Kestrelã€Lapwing_Linux: before v1536. | 2025-07-01 | 5.4 | CVE-2025-49481 |
| ASR--Falcon_LinuxKestrelLapwing_Linux | Improper Resource Shutdown or Release vulnerability in ASR180x ã€ASR190x in tr069 modules allows Resource Leak Exposure. This vulnerability is associated with program files tr069/tr098.c. This issue affects Falcon_Linuxã€Kestrelã€Lapwing_Linux: before v1536. | 2025-07-01 | 5.4 | CVE-2025-49482 |
| ASR--Falcon_LinuxKestrelLapwing_Linux | Improper Resource Shutdown or Release vulnerability in ASR180x ã€ASR190x in tr069 modules allows Resource Leak Exposure. This vulnerability is associated with program files tr069/tr069_uci.c. This issue affects Falcon_Linuxã€Kestrelã€Lapwing_Linux: before v1536. | 2025-07-01 | 5.4 | CVE-2025-49483 |
| ASR--Falcon_LinuxKestrelLapwing_Linux | Improper Resource Shutdown or Release vulnerability in ASR180x ã€ASR190x in router components allows Resource Leak Exposure. This vulnerability is associated with program files router/phonebook/pb.c. This issue affects Falcon_Linuxã€Kestrelã€Lapwing_Linux: before v1536. | 2025-07-01 | 5.4 | CVE-2025-49488 |
| ASR--Falcon_LinuxKestrelLapwing_Linux | Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linuxã€Kestrelã€Lapwing_Linux on Linux (con_mgr components) allows Resource Leak Exposure. This vulnerability is associated with program files con_mgr/dialer_task.C. This issue affects Falcon_Linuxã€Kestrelã€Lapwing_Linux: before v1536. | 2025-07-01 | 5.4 | CVE-2025-49489 |
| ASR--Falcon_LinuxKestrelLapwing_Linux | Resource leak vulnerability in ASR180x in router allows Resource Leak Exposure. This vulnerability is associated with program files router/sms/sms.c. This issue affects Falcon_Linuxã€Kestrelã€Lapwing_Linux: before v1536. | 2025-07-01 | 5.4 | CVE-2025-49490 |
| ASR--Falcon_LinuxKestrelLapwing_Linux | Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linuxã€Kestrelã€Lapwing_Linux on Linux (traffic_stat modules) allows Resource Leak Exposure. This vulnerability is associated with program files traffic_stat/traffic_service/traffic_service.C. This issue affects Falcon_Linuxã€Kestrelã€Lapwing_Linux: before v1536. | 2025-07-01 | 5.4 | CVE-2025-49491 |
| ASR--Falcon_LinuxKestrelLapwing_Linux | Resource leak vulnerability in ASR180xã€ASR190x in con_mgr allows Resource Leak Exposure.This issue affects Falcon_Linuxã€Kestrelã€Lapwing_Linux: before v1536. | 2025-07-01 | 5.4 | CVE-2025-5072 |
| bauc--WPQuiz | The WPQuiz plugin for WordPress is vulnerable to SQL Injection via the 'id' attribute of the 'wpquiz' shortcode in all versions up to, and including, 0.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-07-04 | 6.5 | CVE-2025-6739 |
| bdthemes--Element Pack Elementor Addons and Templates | The Element Pack Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-caption' attribute in all versions up to, and including, 8.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-03 | 6.4 | CVE-2025-5944 |
| Belkin--F9K1122 | A vulnerability has been found in Belkin F9K1122 1.00.33 and classified as critical. Affected by this vulnerability is the function formSetWanStatic of the file /goform/formSetWanStatic of the component webs. The manipulation of the argument m_wan_ipaddr/m_wan_netmask/m_wan_gateway/m_wan_staticdns1/m_wan_staticdns2 is directly passed by the attacker/so we can control the m_wan_ipaddr/m_wan_netmask/m_wan_gateway/m_wan_staticdns1/m_wan_staticdns2 leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 6.3 | CVE-2025-7081 |
| Belkin--F9K1122 | A vulnerability was found in Belkin F9K1122 1.00.33 and classified as critical. Affected by this issue is the function formBSSetSitesurvey of the file /goform/formBSSetSitesurvey of the component webs. The manipulation of the argument wan_ipaddr/wan_netmask/wan_gateway/wl_ssid is directly passed by the attacker/so we can control the wan_ipaddr/wan_netmask/wan_gateway/wl_ssid leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 6.3 | CVE-2025-7082 |
| Belkin--F9K1122 | A vulnerability was found in Belkin F9K1122 1.00.33. It has been classified as critical. This affects the function mp of the file /goform/mp of the component webs. The manipulation of the argument command leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 6.3 | CVE-2025-7083 |
| bitpressadmin--Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder | The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.17.4 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form. The vulnerability was partially patched in version 2.17.5. | 2025-07-02 | 5.3 | CVE-2024-13451 |
| BlackVue--Dashcam 590X | A vulnerability was found in BlackVue Dashcam 590X up to 20250624. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /upload.cgi of the component HTTP Endpoint. The manipulation leads to unrestricted upload. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-05 | 6.3 | CVE-2025-7075 |
| BlackVue--Dashcam 590X | A vulnerability was found in BlackVue Dashcam 590X up to 20250624. It has been rated as critical. Affected by this issue is some unknown functionality of the file /upload.cgi of the component Configuration Handler. The manipulation leads to improper access controls. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 5.4 | CVE-2025-7076 |
| blossomthemes--BlossomThemes Social Feed | Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default. | 2025-07-03 | 6.4 | CVE-2024-5647 |
| bPlugins--Video Gallery Block Display your videos as a gallery in a professional way | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins Video Gallery Block - Display your videos as a gallery in a professional way allows Stored XSS. This issue affects Video Gallery Block - Display your videos as a gallery in a professional way: from n/a through 1.1.0. | 2025-07-04 | 6.5 | CVE-2025-27326 |
| Brian S. Reed--Contact Form 7 reCAPTCHA | Cross-Site Request Forgery (CSRF) vulnerability in Brian S. Reed Contact Form 7 reCAPTCHA allows Cross Site Request Forgery. This issue affects Contact Form 7 reCAPTCHA: from n/a through 1.2.0. | 2025-07-04 | 4.3 | CVE-2025-23972 |
| cageehv--ProcessingJS for WordPress | The ProcessingJS for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pjs4wp' shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-04 | 6.4 | CVE-2025-6039 |
| Canonical--Juju utils | Certificate generation in juju/utils using the cert.NewLeaf function could include private information. If this certificate were then transferred over the network in plaintext, an attacker listening on that network could sniff the certificate and trivially extract the private key from it. | 2025-07-01 | 6.5 | CVE-2025-6224 |
| Chatra--Chatra Live Chat + ChatBot + Cart Saver | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Chatra Chatra Live Chat + ChatBot + Cart Saver allows Stored XSS. This issue affects Chatra Live Chat + ChatBot + Cart Saver: from n/a through 1.0.11. | 2025-07-04 | 5.9 | CVE-2025-24735 |
| CHMLib--CHMLib | CHMLib through 2bef8d0, as used in SumatraPDF and other products, has a chm_lib.c _chm_decompress_block integer overflow. There is a resultant heap-based buffer overflow in _chm_fetch_bytes. | 2025-07-04 | 5.6 | CVE-2025-48172 |
| Cinnamon--kotaemon | kotaemon is an open-source RAG-based tool for document comprehension. From versions 0.10.6 and prior, in libs/ktem/ktem/index/file/ui.py, the index_fn method accepts both URLs and local file paths without validation. The pipeline streams these paths directly and stores them, enabling attackers to traverse directories (e.g. ../../../../../.env) and exfiltrate sensitive files. This issue has been patched via commit 37cdc28, in version 0.10.7 which has not been made public at time of publication. | 2025-07-02 | 6.5 | CVE-2025-53358 |
| Cisco--Cisco BroadWorks | A vulnerability in the web-based management interface of Cisco BroadWorks Application Delivery Platform could allow an authenticated, remote attacker to to conduct cross-site scripting (XSS) attacks against a user of the interface. This vulnerability is due to insufficient validation of user-supplied input by the web-based management interface of an affected system. An attacker could exploit this vulnerability by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, the attacker must have valid administrative credentials. | 2025-07-02 | 4.8 | CVE-2025-20307 |
| Cisco--Cisco DNA Spaces Connector | A vulnerability in Cisco Spaces Connector could allow an authenticated, local attacker to elevate privileges and execute arbitrary commands on the underlying operating system as root. This vulnerability is due to insufficient restrictions during the execution of specific CLI commands. An attacker could exploit this vulnerability by logging in to the Cisco Spaces Connector CLI as the spacesadmin user and executing a specific command with crafted parameters. A successful exploit could allow the attacker to elevate privileges from the spacesadmin user and execute arbitrary commands on the underlying operating system as root. | 2025-07-02 | 6 | CVE-2025-20308 |
| Cisco--Cisco Enterprise Chat and Email | A vulnerability in the web UI of Cisco Enterprise Chat and Email (ECE) could allow an unauthenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. This vulnerability exists because the web UI does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To successfully exploit this vulnerability, an attacker would need valid agent credentials. | 2025-07-02 | 6.1 | CVE-2025-20310 |
| code-projects--Library System | A vulnerability has been found in code-projects Library System 1.0 and classified as critical. This vulnerability affects unknown code of the file /add-book.php. The manipulation of the argument image leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6900 |
| code-projects--Movie Ticketing System | A vulnerability was found in code-projects Movie Ticketing System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /ticketConfirmation.php. The manipulation of the argument Date leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6890 |
| code-projects--Staff Audit System | A vulnerability classified as critical was found in code-projects Staff Audit System 1.0. This vulnerability affects unknown code of the file /update_index.php. The manipulation of the argument updateid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6883 |
| code-projects--Staff Audit System | A vulnerability, which was classified as critical, has been found in code-projects Staff Audit System 1.0. This issue affects some unknown processing of the file /search_index.php. The manipulation of the argument Search leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6884 |
| codepeople--Booking Calendar Contact Form | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codepeople Booking Calendar Contact Form allows Stored XSS. This issue affects Booking Calendar Contact Form: from n/a through 1.2.58. | 2025-07-04 | 6.5 | CVE-2025-48231 |
| Comodo--Internet Security Premium | A vulnerability, which was classified as critical, was found in Comodo Internet Security Premium 12.3.4.8162. Affected is an unknown function of the component File Name Handler. The manipulation of the argument name/folder leads to path traversal. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 5.6 | CVE-2025-7098 |
| CWD Web Designer--Easy Elements Hider | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CWD Web Designer Easy Elements Hider allows Stored XSS. This issue affects Easy Elements Hider: from n/a through 2.0. | 2025-07-04 | 5.9 | CVE-2025-28971 |
| D-Link--DI-7300G+ | A vulnerability classified as critical has been found in D-Link DI-7300G+ 19.12.25A1. Affected is an unknown function of the file wget_test.asp. The manipulation of the argument url leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6896 |
| D-Link--DI-7300G+ | A vulnerability, which was classified as critical, has been found in D-Link DI-7300G+ 19.12.25A1. Affected by this issue is some unknown functionality of the file in proxy_client.asp. The manipulation of the argument proxy_srv/proxy_lanport/proxy_lanip/proxy_srvport leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6898 |
| D-Link--DI-7300G+ | A vulnerability, which was classified as critical, was found in D-Link DI-7300G+ and DI-8200G 17.12.20A1/19.12.25A1. This affects an unknown part of the file msp_info.htm. The manipulation of the argument flag/cmd/iface leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6899 |
| D-Link--DI-7300G+ | A vulnerability classified as critical was found in D-Link DI-7300G+ 19.12.25A1. Affected by this vulnerability is an unknown functionality of the file httpd_debug.asp. The manipulation of the argument Time leads to os command injection. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 5.5 | CVE-2025-6897 |
| dearhive--Dear Flipbook PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer | The Dear Flipbook - PDF Flipbook, 3D Flipbook, PDF embed, PDF viewer plugin for WordPress is vulnerable to DOM-Based Reflected Cross-Site Scripting via the 'pdf-source' parameter in all versions up to, and including, 2.3.65 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-07-01 | 6.1 | CVE-2025-5314 |
| Dell--NetWorker | Dell NetWorker, versions 19.12.0.1 and prior, contains a Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Information disclosure. | 2025-07-01 | 4.8 | CVE-2025-36582 |
| Devinim Software--Library Software | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Devinim Software Library Software allows Reflected XSS.This issue affects Library Software: before 24.11.02. | 2025-06-30 | 4.6 | CVE-2024-12915 |
| dotrex--Portfolio for Elementor & Image Gallery | PowerFolio | The Portfolio for Elementor & Image Gallery | PowerFolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom JS Attributes of Plugin's widgets in all versions up to, and including, 3.2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue was partially fixed in version 3.2.0 and fully fixed in version 3.2.1 | 2025-07-04 | 6.4 | CVE-2025-7046 |
| dradisframework--Dradis | Dradis through 4.16.0 allows referencing external images (resources) over HTTPS, instead of forcing the use of embedded (uploaded) images. This can be leveraged by an authorized author to attempt to steal the Net-NTLM hashes of other authors on a Windows domain network. | 2025-07-05 | 4.1 | CVE-2023-50786 |
| Dromara--RuoYi-Vue-Plus | A vulnerability has been found in Dromara RuoYi-Vue-Plus 5.4.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /src/main/java/org/dromara/demo/controller/MailController.java of the component Mail Handler. The manipulation of the argument filePath leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-30 | 5.3 | CVE-2025-6925 |
| dsrodzin--Email Address Security by WebEmailProtector | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dsrodzin Email Address Security by WebEmailProtector allows Stored XSS. This issue affects Email Address Security by WebEmailProtector: from n/a through 3.3.6. | 2025-07-04 | 6.5 | CVE-2025-28976 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | Several credentials for the local PostgreSQL database are stored in plain text (partially base64 encoded). | 2025-07-03 | 6.5 | CVE-2025-1709 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The web application is susceptible to cross-site-scripting attacks. An attacker who can create new dashboards can inject JavaScript code into the dashboard name which will be executed when the website is loaded. | 2025-07-03 | 6.8 | CVE-2025-27448 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The Secure attribute is missing on multiple cookies provided by the MEAC300-FNADE4. An attacker can trick a user to establish an unencrypted HTTP connection to the server and intercept the request containing the PHPSESSID cookie. | 2025-07-03 | 6.5 | CVE-2025-27450 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | All communication between the VNC server and client(s) is unencrypted. This allows an attacker to intercept the traffic and obtain sensitive data. | 2025-07-03 | 6.5 | CVE-2025-27457 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The VNC authentication mechanism bases on a challenge-response system where both server and client use the same password for encryption. The challenge is sent from the server to the client, is encrypted by the client and sent back. The server does the same encryption locally and if the responses match it is prooven that the client knows the correct password. Since all VNC communication is unencrypted, an attacker can obtain the challenge and response and try to derive the password from this information. | 2025-07-03 | 6.5 | CVE-2025-27458 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | For failed login attempts, the application returns different error messages depending on whether the login failed due to an incorrect password or a non-existing username. This allows an attacker to guess usernames until they find an existing one. | 2025-07-03 | 5.3 | CVE-2025-27451 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The configuration of the Apache httpd webserver which serves the MEAC300-FNADE4 web application, is partly insecure. There are modules activated that are not required for the operation of the FNADE4 web application. The functionality of the some modules pose a risk to the webserver which enable dircetory listing. | 2025-07-03 | 5.3 | CVE-2025-27452 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript. | 2025-07-03 | 5.3 | CVE-2025-27453 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | Multiple services of the DUT as well as different scopes of the same service reuse the same credentials. | 2025-07-03 | 4.3 | CVE-2025-1711 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The application is vulnerable to cross-site request forgery. An attacker can trick a valid, logged in user into submitting a web request that they did not intend. The request uses the victim's browser's saved authorization to execute the request. | 2025-07-03 | 4.3 | CVE-2025-27454 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The web application is vulnerable to clickjacking attacks. The site can be embedded into another frame, allowing an attacker to trick a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects. | 2025-07-03 | 4.3 | CVE-2025-27455 |
| Endress+Hauser--Endress+Hauser MEAC300-FNADE4 | The VNC application stores its passwords encrypted within the registry but uses DES for encryption. As DES is broken, the original passwords can be recovered. | 2025-07-03 | 4.4 | CVE-2025-27459 |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and brute-force protection makes the authentication process insecure. Attackers could mount a brute-force attack to retrieve the passwords of all accounts in a given instance. This issue has been patched in version 2.34.1. | 2025-06-30 | 5.9 | CVE-2025-52997 |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier will get leaked to anyone having access to the URLs accessed by the user. This will give an attacker full access to a user's account and, in consequence, to all sensitive files the user has access to. This issue has been patched in version 2.33.9. | 2025-06-30 | 4.5 | CVE-2025-52901 |
| gn_themes--WP Shortcodes Plugin Shortcodes Ultimate | The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data-url' DOM element attribute in all versions up to, and including, 7.4.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-04 | 6.4 | CVE-2025-5567 |
| Gnuget--MF Plus WPML | Missing Authorization vulnerability in Gnuget MF Plus WPML allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MF Plus WPML: from n/a through 1.1. | 2025-07-04 | 6.5 | CVE-2025-49431 |
| gopiplus--Card flip image slideshow | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus Card flip image slideshow allows DOM-Based XSS. This issue affects Card flip image slideshow: from n/a through 1.5. | 2025-07-04 | 6.5 | CVE-2025-30983 |
| hellomohsinkhan--WP Front-end login and register | The WP Front-end login and register plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the email and wpmp_reset_password_token parameters in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2025-07-02 | 6.1 | CVE-2024-11405 |
| ibachal--Smart Docs | The Smart Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'smartdocs_search' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-04 | 6.4 | CVE-2025-6787 |
| IBM--Cloud Pak System | IBM Cloud Pak System 2.3.3.6, 2.3.36 iFix1, 2.3.3.7, 2.3.3.7 iFix1, 2.3.4.0, 2.3.4.1, and 2.3.4.1 iFix1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | 2025-06-30 | 5.4 | CVE-2025-2895 |
| IBM--System Storage Virtualization Engine TS7700 | IBM System Storage Virtualization Engine TS7700 3957 VED R5.4 8.54.2.17, R6.0 8.60.0.115, 3948 VED R5.4 8.54.2.17, R6.0 8.60.0.115, and 3948 VEF R6.0 8.60.0.115 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-07-01 | 6.1 | CVE-2025-2141 |
| IBM--System Storage Virtualization Engine TS7700 | IBM System Storage Virtualization Engine TS7700 3957 VED R5.4 8.54.2.17, R6.0 8.60.0.115, 3948 VED R5.4 8.54.2.17, R6.0 8.60.0.115, and 3948 VEF R6.0 8.60.0.115 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-07-01 | 5.4 | CVE-2025-36056 |
| Infinera--G42 | Lack or insufficent input validation in WebGUI CLI web in Infinera G42 version R6.1.3 allows remote authenticated users to read all OS files via crafted CLI commands. Details: The web interface based management of the Infinera G42 appliance enables the feature of executing a restricted set of commands. This feature also offers the option to execute a script-file already present on the target device. When a non-script or incorrect file is specified, the content of the file is shown along with an error message. Due to an execution of the http service with a privileged user all files on the file system can be viewed this way. | 2025-07-02 | 6.5 | CVE-2025-27023 |
| Infinera--G42 | Unrestricted access to OS file system in SFTP service in Infinera G42 version R6.1.3 allows remote authenticated users to read/write OS files via SFTP connections. Details: Account members of the Network Administrator profile can access the target machine via SFTP with the same credentials used for SSH CLI access and are able to read all files according to the OS permission instead of remaining inside the chrooted directory position. | 2025-07-02 | 6.5 | CVE-2025-27024 |
| Infinera--G42 | A missing double-check feature in the WebGUI for CLI deactivation in Infinera G42 version R6.1.3 allows an authenticated administrator to make other management interfaces unavailable via local and network interfaces. The CLI deactivation via the WebGUI does not only stop CLI interface but deactivates also Linux Shell, WebGUI and Physical Serial Console access. No confirmation is asked at deactivation time. Loosing access to these services device administrators are at risk of completely loosing device control. | 2025-07-02 | 4.9 | CVE-2025-27026 |
| IROAD--Dashcam Q9 | A vulnerability has been found in IROAD Dashcam Q9 up to 20250624 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component MFA Pairing Request Handler. The manipulation leads to allocation of resources. The attack needs to be done within the local network. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-04 | 4.3 | CVE-2025-7070 |
| Jirafeau project--Jirafeau | Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110 and CVE-2024-12326), video and audio. However, it was possible to bypass this check by sending a manipulated MIME type containing a comma and an other MIME type like text/html (for example image/png,text/html). Browsers see multiple MIME types and text/html would takes precedence, allowing a possible attacker to do a cross-site scripting attack. The check for MIME types was enhanced to prevent a browser preview when the stored MIME type contains a comma. | 2025-07-04 | 6.1 | CVE-2025-7066 |
| junit-team--junit-framework | JUnit is a testing framework for Java and the JVM. From version 5.12.0 to 5.13.1, JUnit's support for writing Open Test Reporting XML files can leak Git credentials. The impact depends on the level of the access token exposed through the OpenTestReportGeneratingListener. If these test reports are published or stored anywhere public, then there is the possibility that a rouge attacker can steal the token and perform elevated actions by impersonating the user or app. This issue as been patched in version 5.13.2. | 2025-07-01 | 5.8 | CVE-2025-53103 |
| kamleshyadav--CF7 7 Mailchimp Add-on | Missing Authorization vulnerability in kamleshyadav CF7 7 Mailchimp Add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 7 Mailchimp Add-on: from n/a through 2.2. | 2025-07-04 | 5.3 | CVE-2025-29012 |
| Keylor Mendoza--WC Pickup Store | Missing Authorization vulnerability in Keylor Mendoza WC Pickup Store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WC Pickup Store: from n/a through 1.8.9. | 2025-07-04 | 6.5 | CVE-2025-47634 |
| Konica Minolta--bizhub 227 Multifunction printers | Insufficiently Protected Credentials in LDAP in Konica Minolta bizhub 227 Multifunction printers version GCQ-Y3 or earlier allows an attacker can reconfigure the target device to use an external LDAP service controlled by the attacker. If an LDAP password is set on the target device, the attacker can force the target device to authenticate to the attacker controlled LDAP service. This will allow the attacker to capture the plaintext password of the configured LDAP service. | 2025-07-01 | 6.8 | CVE-2025-6081 |
| leap13--Premium Addons for Elementor | The Premium Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's linkURL in the Mobile Menu element in all versions up to, and including, 4.10.69 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-04 | 6.4 | CVE-2024-11937 |
| LizardByte--Sunshine | Sunshine is a self-hosted game stream host for Moonlight. Prior to version 2025.628.4510, the web UI of Sunshine lacks protection against Clickjacking attacks. This vulnerability allows an attacker to embed the Sunshine interface within a malicious website using an invisible or disguised iframe. If a user is tricked into interacting (one or multiple clicks) with the malicious page while authenticated, they may unknowingly perform actions within the Sunshine application without their consent. This issue has been patched in version 2025.628.4510. | 2025-07-01 | 5.4 | CVE-2025-53096 |
| LMSACE--LMSACE Connect | Missing Authorization vulnerability in LMSACE LMSACE Connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LMSACE Connect: from n/a through 3.4. | 2025-07-04 | 4.3 | CVE-2025-29007 |
| Long Watch Studio--MyRewards | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Long Watch Studio MyRewards allows Stored XSS. This issue affects MyRewards: from n/a through 5.4.13.1. | 2025-07-04 | 6.5 | CVE-2025-24757 |
| Mattermost--Mattermost | Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly enforce channel member management permissions when adding participants to playbook runs. This allows authenticated users with member-level permissions to bypass system admin restrictions and add or remove users to/from private channels via the playbook run participants feature, even when the 'Manage Members' permission has been explicitly removed. This can lead to unauthorized access to sensitive channel content and allow guest users to gain channel management privileges. | 2025-06-30 | 5.4 | CVE-2025-46702 |
| Mattermost--Mattermost | Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to properly validate channel membership when retrieving playbook run metadata, allowing authenticated users who are playbook members but not channel members to access sensitive information about linked private channels including channel name, display name, and participant count through the run metadata API endpoint. | 2025-06-30 | 4.3 | CVE-2025-47871 |
| Mbed--mbedtls | In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked return values in mbedtls_lms_verify allow an attacker (who can induce a hardware hash accelerator fault) to bypass LMS signature verification by reusing stale stack data, resulting in acceptance of an invalid signature. In mbedtls_lms_verify, the return values of the internal Merkle tree functions create_merkle_leaf_value and create_merkle_internal_value are not checked. These functions return an integer that indicates whether the call succeeded or not. If a failure occurs, the output buffer (Tc_candidate_root_node) may remain uninitialized, and the result of the signature verification is unpredictable. When the software implementation of SHA-256 is used, these functions will not fail. However, with hardware-accelerated hashing, an attacker could use fault injection against the accelerator to bypass verification. | 2025-07-04 | 4.9 | CVE-2025-49600 |
| Mbed--mbedtls | In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated input. Specifically, an out-of-bounds read in mbedtls_lms_import_public_key allows context-dependent attackers to trigger a crash or limited adjacent-memory disclosure by supplying a truncated LMS (Leighton-Micali Signature) public-key buffer under four bytes. An LMS public key starts with a 4-byte type indicator. The function mbedtls_lms_import_public_key reads this type indicator before validating the size of its input. | 2025-07-04 | 4.8 | CVE-2025-49601 |
| Mbed--mbedtls | Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input. | 2025-07-04 | 4.8 | CVE-2025-52497 |
| Md Yeasin Ul Haider--URL Shortener | Server-Side Request Forgery (SSRF) vulnerability in Md Yeasin Ul Haider URL Shortener allows Server Side Request Forgery. This issue affects URL Shortener: from n/a through 3.0.7. | 2025-07-04 | 5.4 | CVE-2025-28963 |
| Melapress--Melapress File Monitor | Missing Authorization vulnerability in Melapress Melapress File Monitor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Melapress File Monitor: from n/a before 2.2.0. | 2025-07-03 | 5.4 | CVE-2025-3702 |
| Mollie--Mollie Payments for WooCommerce | Missing Authorization vulnerability in Mollie Mollie Payments for WooCommerce.This issue affects Mollie Payments for WooCommerce: from n/a through 8.0.2. | 2025-07-02 | 6.5 | CVE-2025-39362 |
| N-Media--Frontend File Manager | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in N-Media Frontend File Manager allows Code Injection.This issue affects Frontend File Manager: from n/a through 23.2. | 2025-07-04 | 4.6 | CVE-2025-27358 |
| n/a--07FLYCMS | A vulnerability classified as problematic was found in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.3.9. This vulnerability affects unknown code. The manipulation leads to cross-site request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 4.3 | CVE-2025-7078 |
| n/a--BoyunCMS | A vulnerability has been found in BoyunCMS up to 1.21 on PHP7 and classified as critical. Affected by this vulnerability is an unknown functionality of the file install/install2.php of the component Installation Handler. The manipulation of the argument db_host leads to deserialization. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | 2025-07-06 | 5.6 | CVE-2025-7099 |
| n/a--Monitorr | A vulnerability was found in Monitorr up to 1.7.6m. It has been classified as problematic. This affects an unknown part of the file assets/config/_installation/mkdbajax.php of the component Installer. The manipulation of the argument datadir leads to improper input validation. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-04 | 4.1 | CVE-2025-7060 |
| n8n-io--n8n | n8n is a workflow automation platform. Prior to version 1.99.0, there is a denial of Service vulnerability in /rest/binary-data endpoint when processing empty filesystem URIs (filesystem:// or filesystem-v2://). This allows authenticated attackers to cause service unavailability through malformed filesystem URI requests, effecting the /rest/binary-data endpoint and n8n.cloud instances (confirmed HTTP/2 524 timeout responses). Attackers can exploit this by sending GET requests with empty filesystem URIs (filesystem:// or filesystem-v2://) to the /rest/binary-data endpoint, causing resource exhaustion and service disruption. This issue has been patched in version 1.99.0. | 2025-07-03 | 4.9 | CVE-2025-49595 |
| nayon46--Awesome Wp Image Gallery | Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled prettyPhoto library (version 3.1.6) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-03 | 6.4 | CVE-2025-2540 |
| nikelschubert--Easy restaurant menu manager | The Easy restaurant menu manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's nsc_eprm_menu_link shortcode in versions up to, and including 2.0.1, due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-04 | 6.4 | CVE-2025-6673 |
| Noor Alam--WP fancybox | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Noor Alam WP fancybox allows Stored XSS. This issue affects WP fancybox: from n/a through 1.0.4. | 2025-07-04 | 6.5 | CVE-2025-26591 |
| OneLogin--Active Directory Connector | In One Identity OneLogin Active Directory Connector before 6.1.5, encryption of the DirectoryToken was mishandled, aka ST-812. | 2025-07-02 | 5 | CVE-2025-52925 |
| Open Zipkin--Zipkin | Zipkin through 3.5.1 has a /heapdump endpoint (associated with the use of Spring Boot Actuator), a similar issue to CVE-2025-48927. | 2025-07-04 | 5.3 | CVE-2025-53602 |
| osama.esh--WP Visitor Statistics (Real Time Traffic) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) allows Stored XSS. This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through 7.8. | 2025-07-04 | 6.5 | CVE-2025-53566 |
| owasp-modsecurity--ModSecurity | ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off. | 2025-07-02 | 6.5 | CVE-2025-52891 |
| OwnerRez--OwnerRez | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OwnerRez OwnerRez allows Stored XSS. This issue affects OwnerRez: from n/a through 1.2.1. | 2025-07-04 | 6.5 | CVE-2025-28957 |
| Paytiko - Payment Orchestration Platform--Paytiko for WooCommerce | Missing Authorization vulnerability in Paytiko - Payment Orchestration Platform Paytiko for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paytiko for WooCommerce: from n/a through 1.3.14. | 2025-07-04 | 6.5 | CVE-2025-50032 |
| PHPGurukul--Old Age Home Management System | A vulnerability, which was classified as critical, was found in PHPGurukul Old Age Home Management System 1.0. Affected is an unknown function of the file /admin/edit-services.php. The manipulation of the argument sertitle leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6908 |
| PHPGurukul--Old Age Home Management System | A vulnerability has been found in PHPGurukul Old Age Home Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /admin/add-scdetails.php. The manipulation of the argument emeradd leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6909 |
| PHPGurukul--Student Record System | A vulnerability was found in PHPGurukul Student Record System 3.2. It has been classified as critical. This affects an unknown part of the file /session.php. The manipulation of the argument session leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6910 |
| PHPGurukul--Student Record System | A vulnerability was found in PHPGurukul Student Record System 3.2. It has been declared as critical. This vulnerability affects unknown code of the file /manage-subjects.php. The manipulation of the argument del leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6911 |
| PHPGurukul--Student Record System | A vulnerability was found in PHPGurukul Student Record System 3.2. It has been rated as critical. This issue affects some unknown processing of the file /manage-students.php. The manipulation of the argument del leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6912 |
| PHPGurukul--Student Record System | A vulnerability classified as critical has been found in PHPGurukul Student Record System 3.2. Affected is an unknown function of the file /admin-profile.php. The manipulation of the argument aemailid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6913 |
| PHPGurukul--Student Record System | A vulnerability classified as critical was found in PHPGurukul Student Record System 3.2. Affected by this vulnerability is an unknown functionality of the file /edit-student.php. The manipulation of the argument fmarks2 leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6914 |
| PHPGurukul--Student Record System | A vulnerability, which was classified as critical, has been found in PHPGurukul Student Record System 3.2. Affected by this issue is some unknown functionality of the file /register.php. The manipulation of the argument session leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6915 |
| PHPGurukul--Zoo Management System | A vulnerability was found in PHPGurukul Zoo Management System 2.1. It has been rated as critical. This issue affects some unknown processing of the file /admin/view-normal-ticket.php. The manipulation of the argument viewid leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6929 |
| PHPGurukul--Zoo Management System | A vulnerability classified as critical has been found in PHPGurukul Zoo Management System 2.1. Affected is an unknown function of the file /admin/manage-foreigners-ticket.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6930 |
| pimeys--web-push | The web-push crate before 0.10.3 for Rust allows a denial of service (memory consumption) in the built-in clients via a large integer in a Content-Length header. | 2025-07-05 | 4 | CVE-2025-53604 |
| Plesk--Obsidian | In Plesk Obsidian 18.0.69, unauthenticated requests to /login_up.php can reveal an AWS accessKeyId, secretAccessKey, region, and endpoint. | 2025-07-03 | 5.8 | CVE-2025-49618 |
| pluginsGLPI--escalade | Escalade GLPI plugin is a ticket escalation process helper for GLPI. Prior to version 2.9.11, there is an improper access control vulnerability. This can lead to data exposure and workflow disruptions. This issue has been patched in version 2.9.11. | 2025-07-01 | 6.5 | CVE-2025-27153 |
| POSIMYTH Innovation--The Plus Addons for Elementor Pro | Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7. | 2025-07-01 | 5.4 | CVE-2025-46259 |
| Progress Software--Kendo UI for jQuery | In the PdfViewer component, a Cross-Site Scripting (XSS) vulnerability is possible if a specially-crafted document has already been loaded and the user engages with a tool that requires the DOM to be re-rendered. | 2025-07-02 | 5.4 | CVE-2025-6725 |
| PublishPress--Gutenberg Blocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PublishPress Gutenberg Blocks allows Stored XSS.This issue affects Gutenberg Blocks: from n/a through 3.3.1. | 2025-07-03 | 6.5 | CVE-2025-49032 |
| qazomardok--PayMaster for WooCommerce | The PayMaster for WooCommerce plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 0.4.31 via the 'wp_ajax_paym_status' AJAX action This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-07-04 | 6.4 | CVE-2025-6729 |
| Red Hat--OpenShift Developer Tools and Services | A vulnerability was found in Red Hat OpenShift Jenkins. The bearer token is not obfuscated in the logs and potentially carries a high risk if those logs are centralized when collected. The token is typically valid for one year. This flaw allows a malicious user to jeopardize the environment if they have access to sensitive information. | 2025-07-04 | 6.5 | CVE-2024-9453 |
| Red Hat--Red Hat Advanced Cluster Management for Kubernetes 2 | A flaw was found in Red Hat Advanced Cluster Management through versions 2.10, before 2.10.7, 2.11, before 2.11.4, and 2.12, before 2.12.4. This vulnerability allows an unprivileged user to view confidential managed cluster credentials through the UI. This information should only be accessible to authorized users and may result in the loss of confidentiality of administrative information, which could be leaked to unauthorized actors. | 2025-07-02 | 5.5 | CVE-2025-6017 |
| Red Hat--Red Hat AI Inference Server | A flaw was found in the authentication enforcement mechanism of a model inference API in ai-inference-server. All /v1/* endpoints are expected to enforce API key validation. However, the POST /invocations endpoint failed to do so, resulting in an authentication bypass. This vulnerability allows unauthorized users to access the same inference features available on protected endpoints, potentially exposing sensitive functionality or allowing unintended access to backend resources. | 2025-07-01 | 5.3 | CVE-2025-6920 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success-the function may mistakenly return a success status even when key derivation fails. This results in uninitialized cryptographic key buffers being used in subsequent communication, potentially compromising SSH sessions' confidentiality, integrity, and availability. | 2025-07-04 | 5 | CVE-2025-5372 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the key export functionality of libssh. The issue occurs in the internal function responsible for converting cryptographic keys into serialized formats. During error handling, a memory structure is freed but not cleared, leading to a potential double free issue if an additional failure occurs later in the function. This condition may result in heap corruption or application instability in low-memory scenarios, posing a risk to system reliability where key export operations are performed. | 2025-07-04 | 4.2 | CVE-2025-5351 |
| rexdot--Magic Buttons for Elementor | The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-02 | 6.4 | CVE-2025-6686 |
| rexdot--Magic Buttons for Elementor | The Magic Buttons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's magic-button shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-02 | 6.4 | CVE-2025-6687 |
| richarddev7--RD Contacto | The RD Contacto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing or incorrect nonce validation on the rdWappUpdateData() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-04 | 4.3 | CVE-2025-5933 |
| SAFECAM--X300 | A vulnerability classified as problematic was found in SAFECAM X300 up to 20250611. This vulnerability affects unknown code of the component FTP Service. The manipulation leads to use of default credentials. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-01 | 4.3 | CVE-2025-6951 |
| ScriptCase--ScriptCase | In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), shell injection in the SSH connection settings allows authenticated attackers to execute system commands via crafted HTTP requests. | 2025-07-05 | 6.7 | CVE-2025-47228 |
| Shabti Kaplan--Frontend Admin by DynamiApps | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Shabti Kaplan Frontend Admin by DynamiApps allows Path Traversal. This issue affects Frontend Admin by DynamiApps: from n/a through 3.28.7. | 2025-07-04 | 6.8 | CVE-2025-49303 |
| skywaveinfo--WP Firebase Push Notification | The WP Firebase Push Notification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the wfpn_brodcast_notification_message() function. This makes it possible for unauthenticated attackers to send broadcast notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-04 | 4.3 | CVE-2025-5924 |
| SourceCodester--Best Salon Management System | A vulnerability was found in SourceCodester Best Salon Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /panel/search-appointment.php. The manipulation of the argument searchdata leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6878 |
| SourceCodester--Best Salon Management System | A vulnerability was found in SourceCodester Best Salon Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /panel/add-tax.php. The manipulation of the argument Name leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6879 |
| SourceCodester--Best Salon Management System | A vulnerability classified as critical has been found in SourceCodester Best Salon Management System 1.0. Affected is an unknown function of the file /panel/edit-tax.php. The manipulation of the argument editid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-30 | 6.3 | CVE-2025-6880 |
| stepancheg--protobuf | The protobuf crate before 3.7.2 for Rust allows uncontrolled recursion in the protobuf::coded_input_stream::CodedInputStream::skip_group parsing of unknown fields in untrusted input. | 2025-07-05 | 5.9 | CVE-2025-53605 |
| themefic--Ultra Addons for Contact Form 7 | The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's UACF7_CUSTOM_FIELDS shortcode in all versions up to, and including, 3.5.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-01 | 6.4 | CVE-2025-6756 |
| themesgrove--All-in-One Addons for Elementor WidgetKit | The All-in-One Addons for Elementor - WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button+modal' widget in all versions up to, and including, 2.5.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-02 | 6.4 | CVE-2025-2330 |
| Tony Zeoli--Radio Station | Cross-Site Request Forgery (CSRF) vulnerability in Tony Zeoli Radio Station allows Cross Site Request Forgery. This issue affects Radio Station: from n/a through 2.5.12. | 2025-07-04 | 4.3 | CVE-2025-53568 |
| Trust Payments--Trust Payments Gateway for WooCommerce (JavaScript Library) | Cross-Site Request Forgery (CSRF) vulnerability in Trust Payments Trust Payments Gateway for WooCommerce (JavaScript Library) allows Cross Site Request Forgery. This issue affects Trust Payments Gateway for WooCommerce (JavaScript Library): from n/a through 1.3.6. | 2025-07-04 | 4.3 | CVE-2025-53569 |
| undsgn--Uncode Core | The Uncode Core plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'uncode_hl_text' and 'uncode_text_icon' shortcodes in all versions up to, and including, 2.9.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-04 | 6.4 | CVE-2025-6944 |
| vercel--hyper | A vulnerability classified as problematic has been found in vercel hyper up to 3.4.1. This affects the function expand/braceExpand/ignoreMap of the file hyper/bin/rimraf-standalone.js. The manipulation leads to inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-07-05 | 4.3 | CVE-2025-7074 |
| vgwort--VG WORT METIS | Missing Authorization vulnerability in vgwort VG WORT METIS allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects VG WORT METIS: from n/a through 2.0.0. | 2025-07-04 | 6.5 | CVE-2025-50039 |
| wpdevart--YouTube Embed, Playlist and Popup by WpDevArt | Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled ThickBox JavaScript library (version 3.1) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-07-03 | 6.4 | CVE-2025-2537 |
| yonisink--yContributors | The yContributors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on the 'yContributors' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-07-04 | 6.1 | CVE-2025-6041 |
| ZoomIt--WooCommerce Shop Page Builder | Missing Authorization vulnerability in ZoomIt WooCommerce Shop Page Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Shop Page Builder: from n/a through 2.27.7. | 2025-07-04 | 4.3 | CVE-2025-29001 |
| zulip--zulip | Zulip is an open-source team chat application. From versions 2.0.0-rc1 to before 10.4 in Zulip Server, the /digest/ URL of a server shows a preview of what the email weekly digest would contain. This URL, though not the digest itself, contains a cross-site scripting (XSS) vulnerability in both topic names and channel names. This issue has been fixed in Zulip Server 10.4. A workaround for this issue involves denying access to /digest/. | 2025-07-02 | 6.8 | CVE-2025-52559 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Comodo--Internet Security Premium | A vulnerability classified as critical has been found in Comodo Internet Security Premium 12.3.4.8162. This affects an unknown part of the component Update Handler. The manipulation leads to improper certificate validation. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-06 | 3.7 | CVE-2025-7095 |
| D-Link--DCS-6517 | A vulnerability classified as problematic was found in D-Link DCS-6517 and DCS-7517 up to 2.02.0. Affected by this vulnerability is the function generate_pass_from_mac of the file /bin/httpd of the component Root Password Generation Handler. The manipulation leads to insufficient entropy. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-06-30 | 3.7 | CVE-2025-6931 |
| D-Link--DCS-7517 | A vulnerability, which was classified as problematic, was found in D-Link DCS-7517 up to 2.02.0. This affects the function g_F_n_GenPassForQlync of the file /bin/httpd of the component Qlync Password Generation Handler. The manipulation leads to use of hard-coded password. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-06-30 | 3.7 | CVE-2025-6932 |
| Delinea--Secret Server | The distributed engine versions 8.4.39.0 and earlier of Secret Server versions 11.7.49 and earlier can be exploited during an initial authorization event that would allow an attacker to impersonate another distributed engine. | 2025-07-02 | 3.8 | CVE-2025-6942 |
| Delinea--Secret Server | Secret Server version 11.7 and earlier is vulnerable to a SQL report creation vulnerability that allows an administrator to gain access to restricted tables. | 2025-07-02 | 3.8 | CVE-2025-6943 |
| Done-0--Jank | A vulnerability, which was classified as problematic, was found in Done-0 Jank up to 322caebbad10568460364b9667aa62c3080bfc17. Affected is an unknown function of the file internal/utils/jwt_utils.go of the component JWT Token Handler. The manipulation of the argument accessSecret/refreshSecret with the input jank-blog-secret/jank-blog-refresh-secret leads to use of hard-coded password. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | 2025-07-06 | 3.7 | CVE-2025-7080 |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions 2.32.0 and prior, the implementation of password protected links is error-prone, resulting in potential unprotected sharing of a file through a direct download link. This link can either be shared unknowingly by a user or discovered from various locations such as the browser history or the log of a proxy server used. At time of publication, no known patched versions are available. | 2025-06-30 | 3.1 | CVE-2025-52996 |
| Intelbras--InControl | A vulnerability was found in Intelbras InControl up to 2.21.60.9. It has been declared as problematic. This vulnerability affects unknown code of the file /v1/operador/. The manipulation leads to csv injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-07-04 | 2.7 | CVE-2025-7061 |
| mao888--bluebell-plus | A vulnerability, which was classified as problematic, has been found in mao888 bluebell-plus up to 2.3.0. This issue affects some unknown processing of the file bluebell_backend/pkg/jwt/jwt.go of the component JWT Token Handler. The manipulation of the argument mySecret with the input bluebell-plus leads to use of hard-coded password. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. | 2025-07-06 | 3.7 | CVE-2025-7079 |
| n/a--Cockpit | A vulnerability was found in Cockpit up to 2.11.3. It has been rated as problematic. This issue affects some unknown processing of the file /system/users/save. The manipulation of the argument name/email leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 2.11.4 is able to address this issue. The patch is named bdcd5e3bc651c0839c7eea807f3eb6af856dbc76. It is recommended to upgrade the affected component. The vendor was contacted early about this disclosure and acted very professional. A patch and new release was made available very quickly. | 2025-07-04 | 3.5 | CVE-2025-7053 |
| n/a--HDF5 | A vulnerability classified as problematic was found in HDF5 1.14.6. This vulnerability affects the function H5FS__sinfo_serialize_node_cb of the file src/H5FScache.c. The manipulation leads to heap-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. | 2025-07-04 | 3.3 | CVE-2025-7067 |
| n/a--HDF5 | A vulnerability, which was classified as problematic, has been found in HDF5 1.14.6. This issue affects the function H5FL__malloc of the file src/H5FL.c. The manipulation leads to memory leak. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. | 2025-07-04 | 3.3 | CVE-2025-7068 |
| n/a--HDF5 | A vulnerability, which was classified as problematic, was found in HDF5 1.14.6. Affected is the function H5FS__sect_link_size of the file src/H5FSsection.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. | 2025-07-04 | 3.3 | CVE-2025-7069 |
| n/a--Open5GS | A vulnerability, which was classified as problematic, has been found in Open5GS up to 2.7.5. This issue affects the function amf_state_operational of the file src/amf/amf-sm.c of the component AMF Service. The manipulation leads to reachable assertion. It is possible to launch the attack on the local host. The identifier of the patch is 53e9e059ed96b940f7ddcd9a2b68cb512524d5db. It is recommended to apply a patch to fix this issue. | 2025-07-01 | 3.3 | CVE-2025-6952 |
| soumettre--Soumettre.fr | The Soumettre.fr plugin for WordPress is vulnerable to unauthorized access and modification of data due to a improper authorization checks on the make_signature function in all versions up to, and including, 2.1.5. This makes it possible for unauthenticated attackers to create/edit/delete Soumettre posts. This vulnerability affects only installations where the soumettre account is not connected (i.e. API key is not installed) | 2025-07-02 | 3.7 | CVE-2025-4654 |
| Sudo project--Sudo | Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines. | 2025-06-30 | 2.8 | CVE-2025-32462 |
| vercel--next.js | Next.js is a React framework for building full-stack web applications. In Next.js App Router from 15.3.0 to before 15.3.3 and Vercel CLI from 41.4.1 to 42.2.0, a cache poisoning vulnerability was found. The issue allowed page requests for HTML content to return a React Server Component (RSC) payload instead under certain conditions. When deployed to Vercel, this would only impact the browser cache, and would not lead to the CDN being poisoned. When self-hosted and deployed externally, this could lead to cache poisoning if the CDN does not properly distinguish between RSC / HTML in the cache keys. This issue has been resolved in Next.js 15.3.3. | 2025-07-03 | 3.7 | CVE-2025-49005 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| Aexol Studio--Remote for Mac | An unauthenticated remote code execution vulnerability exists in Remote for Mac, a macOS remote control utility developed by Aexol Studio, in versions up to and including 2025.7. When the application is configured with authentication disabled (i.e., the "Allow unknown devices" option is enabled), the /api/executeScript endpoint is exposed without access control. This allows unauthenticated remote attackers to inject arbitrary AppleScript payloads via the X-Script HTTP header, resulting in code execution using do shell script. Successful exploitation grants attackers the ability to run arbitrary commands on the macOS host with the privileges of the Remote for Mac background process. | 2025-07-03 | not yet calculated | CVE-2025-34089 |
| Akeles--Out of Office Assistant | Akeles Out of Office Assistant for Jira 4.0.1 is vulberable to Cross Site Scripting (XSS) via the Jira fullName parameter. | 2025-07-03 | not yet calculated | CVE-2025-45938 |
| Anthropic--Slack MCP Server | A data exfiltration vulnerability exists in Anthropic's deprecated Slack Model Context Protocol (MCP) Server via automatic link unfurling. When an AI agent using the Slack MCP Server processes untrusted data, it can be manipulated to generate messages containing attacker-crafted hyperlinks embedding sensitive data. Slack's link preview bots (e.g., Slack-LinkExpanding, Slackbot, Slack-ImgProxy) will then issue outbound requests to the attacker-controlled URL, resulting in zero-click exfiltration of private data. | 2025-07-02 | not yet calculated | CVE-2025-34072 |
| Apache Software Foundation--Apache APISIX | A vulnerability of plugin openid-connect in Apache APISIX. This vulnerability will only have an impact if all of the following conditions are met: 1. Use the openid-connect plugin with introspection mode 2. The auth service connected to openid-connect provides services to multiple issuers 3. Multiple issuers share the same private key and relies only on the issuer being different If affected by this vulnerability, it would allow an attacker with a valid account on one of the issuers to log into the other issuer. This issue affects Apache APISIX: until 3.12.0. Users are recommended to upgrade to version 3.12.0 or higher. | 2025-07-02 | not yet calculated | CVE-2025-46647 |
| Apache Software Foundation--Apache APISIX Java Plugin Runner | Incorrect Permission Assignment for Critical Resource vulnerability in Apache APISIX(java-plugin-runner). Local listening file permissions in APISIX plugin runner allow a local attacker to elevate privileges. This issue affects Apache APISIX(java-plugin-runner): from 0.2.0 through 0.5.0. Users are recommended to upgrade to version 0.6.0 or higher, which fixes the issue. | 2025-07-06 | not yet calculated | CVE-2025-27446 |
| Artica ST--Pandora FMS | An authenticated remote code execution vulnerability exists in Pandora FMS version 7.0NG and earlier. The net_tools.php functionality allows authenticated users to execute arbitrary OS commands via the select_ips parameter when performing network tools operations, such as pinging. This occurs because user input is not properly sanitized before being passed to system commands, enabling command injection. | 2025-07-03 | not yet calculated | CVE-2025-34088 |
| ASNA--n/a | ASNA Assist and ASNA Registrar before 2025-03-31 allow deserialization attacks against .NET remoting. These are Windows system services that support license key management and deprecated Windows network authentication. The services are implemented with .NET remoting and can be exploited via well-known deserialization techniques inherent in the technology. Because the services run with SYSTEM-level rights, exploits can be crafted to achieve escalation of privilege and arbitrary code execution. This affects DataGate for SQL Server 17.0.36.0 and 16.0.89.0, DataGate Component Suite 17.0.36.0 and 16.0.89.0, DataGate Monitor 17.0.26.0 and 16.0.65.0, DataGate WebPak 17.0.37.0 and 16.0.90.0, Monarch for .NET 11.4.50.0 and 10.0.62.0, Encore RPG 4.1.36.0, Visual RPG .NET FW 17.0.37.0 and 16.0.90.0, Visual RPG .NET FW Windows Deployment 17.0.36.0 and 16.0.89.0, WingsRPG 11.0.38.0 and 10.0.95.0, Mobile RPG 11.0.35.0 and 10.0.94.0, Monarch Framework for .NET FW 11.0.36.0 and 10.0.89.0, Browser Terminal 17.0.37.0 and 16.0.90.0, Visual RPG Classic 5.2.7.0 and 5.1.17.0, Visual RPG Deployment 5.2.7.0 and 5.1.17.0, and DataGate Studio 17.0.38.0 and 16.0.104.0. | 2025-07-03 | not yet calculated | CVE-2025-43713 |
| AVTECH--DVR devices | A server-side request forgery vulnerability exists in multiple firmware versions of AVTECH DVR devices that exposes the /cgi-bin/nobody/Search.cgi?action=cgi_query endpoint without authentication. An attacker can manipulate the ip, port, and queryb64str parameters to make arbitrary HTTP requests from the DVR to internal or external systems, potentially exposing sensitive data or interacting with internal services. | 2025-07-01 | not yet calculated | CVE-2025-34051 |
| AVTECH--DVR devices | An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. | 2025-07-01 | not yet calculated | CVE-2025-34054 |
| AVTECH--IP camera, DVR, and NVR Devices | An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user. | 2025-07-01 | not yet calculated | CVE-2025-34055 |
| AVTECH--IP camera, DVR, and NVR Devices | An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges. | 2025-07-01 | not yet calculated | CVE-2025-34056 |
| AVTECH--IP camera, DVR, and NVR Devices | An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices' streamd web server. The strstr() function allows unauthenticated access to any request containing "/nobody" in the URL, bypassing login controls. | 2025-07-01 | not yet calculated | CVE-2025-34065 |
| AVTECH--IP camera, DVR, and NVR devices | An authentication bypass vulnerability exists in AVTECH IP camera, DVR, and NVR devices' streamd web server. The strstr() function is used to identify ".cab" requests, allowing any URL containing ".cab" to bypass authentication and access protected endpoints. | 2025-07-01 | not yet calculated | CVE-2025-34053 |
| AVTECH--IP cameras | A cross-site request forgery (CSRF) vulnerability exists in the web interface of AVTECH IP camera, DVR, and NVR devices. An attacker can craft malicious requests that, when executed in the context of an authenticated user's browser session, allow unauthorized changes to the device configuration without user interaction. | 2025-07-01 | not yet calculated | CVE-2025-34050 |
| AVTECH--IP cameras | An unauthenticated information disclosure vulnerability exists in AVTECH IP cameras, DVRs, and NVRs via Machine.cgi?action=get_capability. Sensitive internal device information such as firmware version, MAC address, and codec support can be accessed without authentication. | 2025-07-01 | not yet calculated | CVE-2025-34052 |
| AVTECH--IP cameras | An improper certificate validation vulnerability exists in AVTECH IP cameras, DVRs, and NVRs due to the use of wget with --no-check-certificate in scripts like SyncCloudAccount.sh and SyncPermit.sh. This exposes HTTPS communications to man-in-the-middle (MITM) attacks. | 2025-07-01 | not yet calculated | CVE-2025-34066 |
| BerriAI--litellm | BerriAI litellm v1.65.4 was discovered to contain a SQL injection vulnerability via the /key/block endpoint. | 2025-07-03 | not yet calculated | CVE-2025-45809 |
| bitcoinjs--tiny-secp256k1 | tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The Buffer.isBuffer check can be bypassed, resulting in k reuse for different messages, leading to private key extraction over a single invalid message (and a second one for which any message/signature could be taken, e.g. previously known valid one). This issue has been patched in version 1.1.7. | 2025-07-01 | not yet calculated | CVE-2024-49364 |
| bitcoinjs--tiny-secp256k1 | tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify(), when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can be bypassed, resulting in strange objects being accepted as a message, and those messages could trick verify() into returning false-positive true values. This issue has been patched in version 1.1.7. | 2025-07-01 | not yet calculated | CVE-2024-49365 |
| Bolt--CMS | Bolt CMS versions 3.7.0 and earlier contain a chain of vulnerabilities that together allow an authenticated user to achieve remote code execution. A user with valid credentials can inject arbitrary PHP code into the displayname field of the user profile, which is rendered unsanitized in backend templates. The attacker can then list and rename cached session files via the /async/browse/cache/.sessions and /async/folder/rename endpoints. By renaming a .session file to a path under the publicly accessible /files/ directory with a .php extension, the attacker can turn the injected code into an executable web shell. Finally, the attacker triggers the payload via a crafted HTTP GET request to the rogue file. NOTE: The vendor announced that Bolt 3 reached end-of-life after 31 December 2021. | 2025-07-03 | not yet calculated | CVE-2025-34086 |
| Broadcom--Symantec IT Management Suite | Remote attackers can execute arbitrary code in the context of the vulnerable service process. | 2025-07-06 | not yet calculated | CVE-2025-5333 |
| Checkmk GmbH--Checkmk | Improper neutralization of Livestatus command delimiters in autocomplete endpoint within the RestAPI of Checkmk versions <2.4.0p6, <2.3.0p35, <2.2.0p44, and 2.1.0 (EOL) allows an authenticated user to inject arbitrary Livestatus commands. | 2025-07-04 | not yet calculated | CVE-2025-32918 |
| Contec Co.,Ltd.--CONPROSYS HMI System (CHS) | The Contec Co.,Ltd. CONPROSYS HMI System (CHS) is vulnerable to Cross-Site Scripting (XSS) in the getqsetting.php functionality that could allow reflected execution of scripts in the browser on interaction.This issue affects CONPROSYS HMI System (CHS): before 3.7.7. | 2025-07-01 | not yet calculated | CVE-2025-34080 |
| Contec Co.,Ltd.--CONPROSYS HMI System (CHS) | The Contec Co.,Ltd. CONPROSYS HMI System (CHS) exposes a PHP phpinfo() debug page to unauthenticated users that may contain sensitive data useful for an attacker.This issue affects CONPROSYS HMI System (CHS): before 3.7.7. | 2025-07-01 | not yet calculated | CVE-2025-34081 |
| D-Link--D-Link DIR-816 A2 | An issue D-Link DIR-816-A2 DIR-816A2_FWv1.10CNB05_R1B011D88210 allows a remote attacker to execute arbitrary code via system() function in the bin/goahead file | 2025-06-30 | not yet calculated | CVE-2025-45931 |
| Daily Expense Manager--Daily Expense Manager | SQL injection vulnerability in Daily Expense Manager v1.0. This vulnerability allows an attacker to retrieve, create, update and delete databases through the pname, pprice and id parameters in /update.php. | 2025-06-30 | not yet calculated | CVE-2025-40731 |
| Daily Expense Manager--Daily Expense Manager | user enumeration vulnerability in Daily Expense Manager v1.0. To exploit this vulnerability a POST request must be sent using the name parameter in /check.php | 2025-06-30 | not yet calculated | CVE-2025-40732 |
| Daily Expense Manager--Daily Expense Manager | Reflected Cross-Site Scripting (XSS) vulnerability in Daily Expense Manager v1.0. This vulnerability allows an attacker to execute JavaScript code by sending a POST request through the username parameter in /login.php. | 2025-06-30 | not yet calculated | CVE-2025-40733 |
| Daily Expense Manager--Daily Expense Manager | Reflected Cross-Site Scripting (XSS) vulnerability in Daily Expense Manager v1.0. This vulnerability allows an attacker to execute JavaScript code by sending a POST request through the password and confirm_password parameters in /register.php. | 2025-06-30 | not yet calculated | CVE-2025-40734 |
| dataease--dataease | DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, there is a bypass vulnerability in Dataease's Redshift Data Source JDBC Connection Parameters. The sslfactory and sslfactoryarg parameters could trigger a bypass vulnerability. This issue has been patched in version 2.10.11. | 2025-06-30 | not yet calculated | CVE-2025-53004 |
| dataease--dataease | DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, there is a bypass vulnerability in Dataease's PostgreSQL Data Source JDBC Connection Parameters. The sslfactory and sslfactoryarg parameters could trigger a bypass vulnerability. This issue has been patched in version 2.10.11. | 2025-07-01 | not yet calculated | CVE-2025-53005 |
| dataease--dataease | DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, in both PostgreSQL and Redshift, apart from parameters like "socketfactory" and "socketfactoryarg", there are also "sslfactory" and "sslfactoryarg" with similar functionality. The difference lies in that "sslfactory" and related parameters need to be triggered after establishing the connection. Other similar parameters include "sslhostnameverifier", "sslpasswordcallback", and "authenticationPluginClassName". This issue has been patched in 2.10.11. | 2025-07-02 | not yet calculated | CVE-2025-53006 |
| Debian--dpkg | It was discovered that dpkg-deb does not properly sanitize directory permissions when extracting a control member into a temporary directory, which is documented as being a safe operation even on untrusted data. This may result in leaving temporary files behind on cleanup. Given automated and repeated execution of dpkg-deb commands on adversarial .deb packages or with well compressible files, placed inside a directory with permissions not allowing removal by a non-root user, this can end up in a DoS scenario due to causing disk quota exhaustion or disk full conditions. | 2025-07-01 | not yet calculated | CVE-2025-6297 |
| DjvuNet--DjVuLibre | DjVuLibre is a GPL implementation of DjVu, a web-centric format for distributing documents and images. Prior to version 3.5.29, the MMRDecoder::scanruns method is affected by an OOB-write vulnerability, because it does not check that the xr pointer stays within the bounds of the allocated buffer. This can lead to writes beyond the allocated memory, resulting in a heap corruption condition. An out-of-bounds read with pr is also possible for the same reason. This issue has been patched in version 3.5.29. | 2025-07-03 | not yet calculated | CVE-2025-53367 |
| Docker--Docker Desktop | System environment variables are recorded in Docker Desktop diagnostic logs, when using shell auto-completion. This leads to unintentional disclosure of sensitive information such as api keys, passwords, etc. A malicious actor with read access to these logs could obtain secrets and further use them to gain unauthorized access to other systems. Starting with version 4.43.0 Docker Desktop no longer logs system environment variables as part of diagnostics log collection. | 2025-07-03 | not yet calculated | CVE-2025-6587 |
| electron--electron | Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 28.3.2, 29.3.3, and 30.0.3, the nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. This issue has been patched in versions 28.3.2, 29.3.3, and 30.0.3. There are no workarounds for this issue. | 2025-07-01 | not yet calculated | CVE-2024-46993 |
| ENENSYS Technologies--ENENSYS IPGuard V2 | ENENSYS IPGuard v2 2.10.0 was discovered to contain hardcoded credentials. | 2025-07-02 | not yet calculated | CVE-2025-45813 |
| Ergon Informatik AG--Airlock IAM | Timing difference in password reset in Ergon Informatik AG's Airlock IAM 7.7.9, 8.0.8, 8.1.7, 8.2.4 and 8.3.1 allows unauthenticated attackers to enumerate usernames. | 2025-07-04 | not yet calculated | CVE-2025-6056 |
| Flatboard Pro--Flatboard | Stored Cross-Site Scripting (XSS) vulnerability in versions prior to Flatboard 3.2.2 of Flatboard Pro, consisting of a stored XSS due to lack of proper validation of user input, through the replace parameter in /config.php/tags. | 2025-07-03 | not yet calculated | CVE-2025-40722 |
| Flatboard Pro--Flatboard | Stored Cross-Site Scripting (XSS) vulnerability in versions prior to Flatboard 3.2.2 of Flatboard Pro, consisting of a stored XSS due to lack of proper validation of user input, through the footer_text and announcement parameters in config.php. | 2025-07-03 | not yet calculated | CVE-2025-40723 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There are no workarounds for this issue other than upgrading. | 2025-06-30 | not yet calculated | CVE-2025-52895 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds for this issue other than upgrading. | 2025-06-30 | not yet calculated | CVE-2025-52896 |
| frappe--frappe | Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users are safe. This issue has been patched in versions 14.94.3 and 15.58.0. Workarounds for this issue involve verifying password reset URLs before clicking on them or upgrading for self hosted users. | 2025-06-30 | not yet calculated | CVE-2025-52898 |
| getsentry--sentry | Sentry is a developer-first error tracking and performance monitoring tool. Prior to version 25.5.0, an attacker with a malicious OAuth application registered with Sentry can take advantage of a race condition and improper handling of authorization code within Sentry to maintain persistence to a user's account. With a specially timed requests and redirect flows, an attacker could generate multiple authorization codes that could be used to exchange for access and refresh tokens. This was possible even after de-authorizing the particular application. This issue has been patched in version 25.5.0. Self-hosted Sentry users should upgrade to version 25.5.0 or higher. Sentry SaaS users do not need to take any action. | 2025-07-01 | not yet calculated | CVE-2025-53099 |
| GFI Software--Kerio Control | An authentication bypass vulnerability exists in GFI Kerio Control 9.4.5 due to insecure default proxy configuration and weak access control in the GFIAgent service. The non-transparent proxy on TCP port 3128 can be used to forward unauthenticated requests to internal services such as GFIAgent, bypassing firewall restrictions and exposing internal management endpoints. This enables unauthenticated attackers to access the GFIAgent service on ports 7995 and 7996, retrieve the appliance UUID, and issue administrative requests via the proxy. Exploitation results in full administrative access to the Kerio Control appliance. | 2025-07-02 | not yet calculated | CVE-2025-34069 |
| GFI Software--Kerio Control | A missing authentication vulnerability in the GFIAgent component of GFI Kerio Control 9.4.5 allows unauthenticated remote attackers to perform privileged operations. The GFIAgent service, responsible for integration with GFI AppManager, exposes HTTP services on ports 7995 and 7996 without proper authentication. The /proxy handler on port 7996 allows arbitrary forwarding to administrative endpoints when provided with an Appliance UUID, which itself can be retrieved from port 7995. This results in a complete authentication bypass, permitting access to sensitive administrative APIs. | 2025-07-02 | not yet calculated | CVE-2025-34070 |
| GFI Software--Kerio Control | A remote code execution vulnerability in GFI Kerio Control 9.4.5 allows attackers with administrative access to upload and execute arbitrary code through the firmware upgrade feature. The system upgrade mechanism accepts unsigned .img files, which can be modified to include malicious scripts within the upgrade.sh or disk image components. These modified upgrade images are not validated for authenticity or integrity, and are executed by the system post-upload, enabling root access. | 2025-07-02 | not yet calculated | CVE-2025-34071 |
| GitHub--GitHub Enterprise Server | An exposure of sensitive information vulnerability was identified in GitHub Enterprise Server that could allow an attacker to disclose the names of private repositories within an organization. This issue could be exploited by leveraging a user-to-server token with no scopes via the Search API endpoint. Successful exploitation required an organization administrator to install a malicious GitHub App in the organization's repositories. This vulnerability impacted only GitHub Enterprise Server version 3.17 and was addressed in version 3.17.2. The vulnerability was reported through the GitHub Bug Bounty program. | 2025-07-01 | not yet calculated | CVE-2025-6600 |
| Google--Chrome | A security bypass vulnerability exists in Google Chrome AppBound cookie encryption mechanism due to insufficient validation of COM server paths during inter-process communication. A local low-privileged attacker can hijack the COM class identifier (CLSID) registration used by Chrome's elevation service and point it to a non-existent or malicious binary. When this hijack occurs, Chrome silently falls back to the legacy cookie encryption mechanism (protected only by user-DPAPI), thereby enabling cookie decryption by any user-context malware without SYSTEM-level access. This flaw bypasses the protections intended by the AppBound encryption design and allows cookie theft from Chromium-based browsers. Confirmed in Google Chrome with AppBound Encryption enabled. Other Chromium-based browsers may be affected if they implement similar COM-based encryption mechanisms. | 2025-07-02 | not yet calculated | CVE-2025-34090 |
| Google--Chrome | A padding oracle vulnerability exists in Google Chrome's AppBound cookie encryption mechanism due to observable decryption failure behavior in Windows Event Logs when handling malformed ciphertext in SYSTEM-DPAPI-encrypted blobs. A local attacker can repeatedly send malformed ciphertexts to the Chrome elevation service and distinguish between padding and MAC errors, enabling a padding oracle attack. This allows partial decryption of the SYSTEM-DPAPI layer and eventual recovery of the user-DPAPI encrypted cookie key, which is trivially decrypted by the attacker's own context. This issue undermines the core purpose of AppBound Encryption by enabling low-privileged cookie theft through cryptographic misuse and verbose error feedback. Confirmed in Google Chrome with AppBound Encryption enabled. Other Chromium-based browsers may be affected if they implement similar COM-based encryption mechanisms. This behavior arises from a combination of Chrome's AppBound implementation and the way Microsoft Windows DPAPI reports decryption failures via Event Logs. As such, the vulnerability relies on cryptographic behavior and error visibility in all supported versions of Windows. | 2025-07-02 | not yet calculated | CVE-2025-34091 |
| Google--Chrome | A cookie encryption bypass vulnerability exists in Google Chrome's AppBound mechanism due to weak path validation logic within the elevation service. When Chrome encrypts a cookie key, it records its own executable path as validation metadata. Later, when decrypting, the elevation service compares the requesting process's path to this stored path. However, due to path canonicalization inconsistencies, an attacker can impersonate Chrome (e.g., by naming their binary chrome.exe and placing it in a similar path) and successfully retrieve the encrypted cookie key. This allows malicious processes to retrieve cookies intended to be restricted to the Chrome process only. Confirmed in Google Chrome with AppBound Encryption enabled. Other Chromium-based browsers may be affected if they implement similar COM-based encryption mechanisms. | 2025-07-02 | not yet calculated | CVE-2025-34092 |
| Google--Chrome | Type confusion in V8 in Google Chrome prior to 138.0.7204.96 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. (Chromium security severity: High) | 2025-06-30 | not yet calculated | CVE-2025-6554 |
| Graylog2--graylog2-server | Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-rc.2, Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user knows the ID. For the attack to succeed, the attacker needs a user account in Graylog. They can then proceed to issue hand-crafted requests to the Graylog REST API and exploit a weak permission check for token creation. This issue has been patched in versions 6.2.4 and 6.3.0-rc.2. A workaround involves disabling the respective configuration found in System > Configuration > Users > "Allow users to create personal access tokens". | 2025-07-02 | not yet calculated | CVE-2025-53106 |
| Hangzhou Future Speed Technology Co., Ltd.--Xinference | Incorrect access control in Xinference before v1.4.0 allows attackers to access the Web GUI without authentication. | 2025-07-02 | not yet calculated | CVE-2025-45424 |
| Hangzhou Hikvision System Technology--Streaming Media Management Server | Hikvision Streaming Media Management Server v2.3.5 uses default credentials that allow remote attackers to authenticate and access restricted functionality. After authenticating with these credentials, an attacker can exploit an arbitrary file read vulnerability in the /systemLog/downFile.php endpoint via directory traversal in the fileName parameter. This exploit chain can enable unauthorized access to sensitive system files. | 2025-07-01 | not yet calculated | CVE-2025-34058 |
| HashiCorp--Vagrant | An authenticated virtual machine escape vulnerability exists in HashiCorp Vagrant when using the default synced folder configuration. By design, Vagrant automatically mounts the host system's project directory into the guest VM under /vagrant (or C:\vagrant on Windows). This includes the Vagrantfile configuration file, which is a Ruby script evaluated by the host every time a vagrant command is executed in the project directory. If a low-privileged attacker obtains shell access to the guest VM, they can append arbitrary Ruby code to the mounted Vagrantfile. When a user on the host later runs any vagrant command, the injected code is executed on the host with that user's privileges. While this shared-folder behavior is well-documented by Vagrant, the security implications of Vagrantfile execution from guest-writable storage are not explicitly addressed. This effectively enables guest-to-host code execution in multi-tenant or adversarial VM scenarios. | 2025-07-02 | not yet calculated | CVE-2025-34075 |
| Henan Xiaopi Security Technology Co., Ltd.--PHPStudy | A backdoor in PHPStudy versions 2016 through 2018 allows unauthenticated remote attackers to execute arbitrary PHP code on affected installations. The backdoor listens for base64-encoded PHP payloads in the Accept-Charset HTTP header of incoming requests, decodes and executes the payload without proper validation. This leads to remote code execution as the web server user, compromising the affected system. | 2025-07-03 | not yet calculated | CVE-2025-34061 |
| Hewlett Packard Enterprise--Insight Remote Support | A vulnerability in HPE Insight Remote Support (IRS) prior to v7.15.0.646 may allow an unauthenticated denial of service | 2025-07-01 | not yet calculated | CVE-2025-37097 |
| Hewlett Packard Enterprise--Insight Remote Support | A path traversal vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646. | 2025-07-01 | not yet calculated | CVE-2025-37098 |
| Hewlett Packard Enterprise--Insight Remote Support | A remote code execution vulnerability exists in HPE Insight Remote Support (IRS) prior to v7.15.0.646. | 2025-07-01 | not yet calculated | CVE-2025-37099 |
| Hikvision--Integrated Security Management Platform | An unauthenticated remote command execution vulnerability exists in the applyCT component of the Hikvision Integrated Security Management Platform due to the use of a vulnerable version of the Fastjson library. The endpoint /bic/ssoService/v1/applyCT deserializes untrusted user input, allowing an attacker to trigger Fastjson's auto-type feature to load arbitrary Java classes. By referencing a malicious class via an LDAP URL, an attacker can achieve remote code execution on the underlying system. | 2025-07-02 | not yet calculated | CVE-2025-34067 |
| Honor Device Co., Ltd--Honor PC Manager | Several services in Honor Device Co., Ltd Honor PC Manager v16.0.0.118 was discovered to connect services to the named pipe iMateBookAssistant with default or overly permissive security attributes, leading to a privilege escalation. | 2025-06-30 | not yet calculated | CVE-2025-46014 |
| Hotspot Shield--Hotspot Shield VPN client | Host Header Injection (HHI) vulnerability in the Hotspot Shield VPN client, which can induce unexpected behaviour when accessing third-party web applications through the VPN tunnel. Although such applications do not present this vulnerability per se, the use of the tunnel, together with a forged Host header, can cause the VPN client to redirect or forward HTTP requests to servers other than those originally intended, leading to consequences such as open redirects or delivery of traffic to infrastructure controlled by an attacker. This does not imply a flaw in the target applications, but in how the VPN client internally handles outgoing headers and requests. | 2025-06-30 | not yet calculated | CVE-2025-40710 |
| HP Inc.--Universal Print Driver | HP Universal Print Driver is potentially vulnerable to denial of service due to buffer overflow in versions of UPD 7.4 or older (e.g., v7.3.x, v7.2.x, v7.1.x, etc.). | 2025-07-02 | not yet calculated | CVE-2025-43025 |
| IGEL Technology GmbH--OS | A command injection vulnerability exists in IGEL OS versions prior to 11.04.270 within the Secure Terminal and Secure Shadow services. The flaw arises due to improper input sanitization in the handling of specially crafted PROXYCMD commands on TCP ports 30022 and 5900. An unauthenticated attacker with network access to a vulnerable device can inject arbitrary commands, leading to remote code execution with elevated privileges. NOTE: IGEL OS v10.x has reached end-of-life (EOL) status. | 2025-07-03 | not yet calculated | CVE-2025-34082 |
| Intelbras--RX1500 Router | Intelbras RX1500 Router v2.2.17 and before is vulnerable to Integer Overflow. The websReadEvent function incorrectly uses the int type when processing the "command" field of the http header, causing the array to cross the boundary and overwrite other fields in the array. | 2025-07-01 | not yet calculated | CVE-2025-50404 |
| Intelbras--RX1500 Router | Intelbras RX1500 Router v2.2.17 and before is vulnerable to Incorrect Access Control in the FirmwareUpload function and GetFirmwareValidation function. | 2025-07-01 | not yet calculated | CVE-2025-50405 |
| JanssenProject--jans | The Janssen Project is an open-source identity and access management (IAM) platform. Prior to version 1.8.0, the Config API returns results without scope verification. This has a large internal surface attack area that exposes all sorts of information from the IDP including clients, users, scripts ..etc. This issue has been patched in version 1.8.0. A workaround for this vulnerability involves users forking and building the config api, patching it in their system following commit 92eea4d. | 2025-07-01 | not yet calculated | CVE-2025-53003 |
| Laundry--Laundry | Cross-Site Request Forgery (CSRF) vulnerability in Laundry on Linux, MacOS allows to perform an Account Takeover. This issue affects Laundry: 2.3.0. | 2025-07-02 | not yet calculated | CVE-2025-52841 |
| Laundry--Laundry | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Laundry on Linux, MacOS allows Account Takeover. This issue affects Laundry: 2.3.0. | 2025-07-02 | not yet calculated | CVE-2025-52842 |
| linkwarden--linkwarden | Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In version 2.10.2, the server accepts links of format file:///etc/passwd and doesn't do any validation before sending them to parsers and playwright, this can result in leak of other user's links (and in some cases it might be possible to leak environment secrets). This issue has been patched in version 2.10.3 which has not been made public at time of publication. | 2025-07-02 | not yet calculated | CVE-2025-49588 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: fix use-after-free in taprio_dev_notifier Since taprio's taprio_dev_notifier() isn't protected by an RCU read-side critical section, a race with advance_sched() can lead to a use-after-free. Adding rcu_read_lock() inside taprio_dev_notifier() prevents this. | 2025-06-30 | not yet calculated | CVE-2025-38087 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap memtrace mmap issue has an out of bounds issue. This patch fixes the by checking that the requested mapping region size should stay within the allocated region size. | 2025-06-30 | not yet calculated | CVE-2025-38088 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sunrpc: handle SVC_GARBAGE during svc auth processing as auth error tianshuo han reported a remotely-triggerable crash if the client sends a kernel RPC server a specially crafted packet. If decoding the RPC reply fails in such a way that SVC_GARBAGE is returned without setting the rq_accept_statp pointer, then that pointer can be dereferenced and a value stored there. If it's the first time the thread has processed an RPC, then that pointer will be set to NULL and the kernel will crash. In other cases, it could create a memory scribble. The server sunrpc code treats a SVC_GARBAGE return from svc_authenticate or pg_authenticate as if it should send a GARBAGE_ARGS reply. RFC 5531 says that if authentication fails that the RPC should be rejected instead with a status of AUTH_ERR. Handle a SVC_GARBAGE return as an AUTH_ERROR, with a reason of AUTH_BADCRED instead of returning GARBAGE_ARGS in that case. This sidesteps the whole problem of touching the rpc_accept_statp pointer in this situation and avoids the crash. | 2025-06-30 | not yet calculated | CVE-2025-38089 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drivers/rapidio/rio_cm.c: prevent possible heap overwrite In riocm_cdev_ioctl(RIO_CM_CHAN_SEND) -> cm_chan_msg_send() -> riocm_ch_send() cm_chan_msg_send() checks that userspace didn't send too much data but riocm_ch_send() failed to check that userspace sent sufficient data. The result is that riocm_ch_send() can write to fields in the rio_ch_chan_hdr which were outside the bounds of the space which cm_chan_msg_send() allocated. Address this by teaching riocm_ch_send() to check that the entire rio_ch_chan_hdr was copied in from userspace. | 2025-06-30 | not yet calculated | CVE-2025-38090 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: check stream id dml21 wrapper to get plane_id [Why & How] Fix a false positive warning which occurs due to lack of correct checks when querying plane_id in DML21. This fixes the warning when performing a mode1 reset (cat /sys/kernel/debug/dri/1/amdgpu_gpu_recover): [ 35.751250] WARNING: CPU: 11 PID: 326 at /tmp/amd.PHpyAl7v/amd/amdgpu/../display/dc/dml2/dml2_dc_resource_mgmt.c:91 dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [ 35.751434] Modules linked in: amdgpu(OE) amddrm_ttm_helper(OE) amdttm(OE) amddrm_buddy(OE) amdxcp(OE) amddrm_exec(OE) amd_sched(OE) amdkcl(OE) drm_suballoc_helper drm_ttm_helper ttm drm_display_helper cec rc_core i2c_algo_bit rfcomm qrtr cmac algif_hash algif_skcipher af_alg bnep amd_atl intel_rapl_msr intel_rapl_common snd_hda_codec_hdmi snd_hda_intel edac_mce_amd snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec kvm_amd snd_hda_core snd_hwdep snd_pcm kvm snd_seq_midi snd_seq_midi_event snd_rawmidi crct10dif_pclmul polyval_clmulni polyval_generic btusb ghash_clmulni_intel sha256_ssse3 btrtl sha1_ssse3 snd_seq btintel aesni_intel btbcm btmtk snd_seq_device crypto_simd sunrpc cryptd bluetooth snd_timer ccp binfmt_misc rapl snd i2c_piix4 wmi_bmof gigabyte_wmi k10temp i2c_smbus soundcore gpio_amdpt mac_hid sch_fq_codel msr parport_pc ppdev lp parport efi_pstore nfnetlink dmi_sysfs ip_tables x_tables autofs4 hid_generic usbhid hid crc32_pclmul igc ahci xhci_pci libahci xhci_pci_renesas video wmi [ 35.751501] CPU: 11 UID: 0 PID: 326 Comm: kworker/u64:9 Tainted: G OE 6.11.0-21-generic #21~24.04.1-Ubuntu [ 35.751504] Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [ 35.751505] Hardware name: Gigabyte Technology Co., Ltd. X670E AORUS PRO X/X670E AORUS PRO X, BIOS F30 05/22/2024 [ 35.751506] Workqueue: amdgpu-reset-dev amdgpu_debugfs_reset_work [amdgpu] [ 35.751638] RIP: 0010:dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [ 35.751794] Code: 6d 0c 00 00 8b 84 24 88 00 00 00 41 3b 44 9c 20 0f 84 fc 07 00 00 48 83 c3 01 48 83 fb 06 75 b3 4c 8b 64 24 68 4c 8b 6c 24 40 <0f> 0b b8 06 00 00 00 49 8b 94 24 a0 49 00 00 89 c3 83 f8 07 0f 87 [ 35.751796] RSP: 0018:ffffbfa3805d7680 EFLAGS: 00010246 [ 35.751798] RAX: 0000000000010000 RBX: 0000000000000006 RCX: 0000000000000000 [ 35.751799] RDX: 0000000000000000 RSI: 0000000000000005 RDI: 0000000000000000 [ 35.751800] RBP: ffffbfa3805d78f0 R08: 0000000000000000 R09: 0000000000000000 [ 35.751801] R10: 0000000000000000 R11: 0000000000000000 R12: ffffbfa383249000 [ 35.751802] R13: ffffa0e68f280000 R14: ffffbfa383249658 R15: 0000000000000000 [ 35.751803] FS: 0000000000000000(0000) GS:ffffa0edbe580000(0000) knlGS:0000000000000000 [ 35.751804] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 35.751805] CR2: 00005d847ef96c58 CR3: 000000041de3e000 CR4: 0000000000f50ef0 [ 35.751806] PKRU: 55555554 [ 35.751807] Call Trace: [ 35.751810] <TASK> [ 35.751816] ? show_regs+0x6c/0x80 [ 35.751820] ? __warn+0x88/0x140 [ 35.751822] ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [ 35.751964] ? report_bug+0x182/0x1b0 [ 35.751969] ? handle_bug+0x6e/0xb0 [ 35.751972] ? exc_invalid_op+0x18/0x80 [ 35.751974] ? asm_exc_invalid_op+0x1b/0x20 [ 35.751978] ? dml2_map_dc_pipes+0x243d/0x3f40 [amdgpu] [ 35.752117] ? math_pow+0x48/0xa0 [amdgpu] [ 35.752256] ? srso_alias_return_thunk+0x5/0xfbef5 [ 35.752260] ? math_pow+0x48/0xa0 [amdgpu] [ 35.752400] ? srso_alias_return_thunk+0x5/0xfbef5 [ 35.752403] ? math_pow+0x11/0xa0 [amdgpu] [ 35.752524] ? srso_alias_return_thunk+0x5/0xfbef5 [ 35.752526] ? core_dcn4_mode_programming+0xe4d/0x20d0 [amdgpu] [ 35.752663] ? srso_alias_return_thunk+0x5/0xfbef5 [ 35.752669] dml21_validate+0x3d4/0x980 [amdgpu] (cherry picked from commit f8ad62c0a93e5dd94243e10f1b742232e4d6411e) | 2025-07-02 | not yet calculated | CVE-2025-38091 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: use list_first_entry_or_null for opinfo_get_list() The list_first_entry() macro never returns NULL. If the list is empty then it returns an invalid pointer. Use list_first_entry_or_null() to check if the list is empty. | 2025-07-02 | not yet calculated | CVE-2025-38092 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64: dts: qcom: x1e80100: Add GPU cooling Unlike the CPU, the GPU does not throttle its speed automatically when it reaches high temperatures. With certain high GPU loads it is possible to reach the critical hardware shutdown temperature of 120°C, endangering the hardware and making it impossible to run certain applications. Set up GPU cooling similar to the ACPI tables, by throttling the GPU speed when reaching 95°C and polling every 200ms. | 2025-07-02 | not yet calculated | CVE-2025-38093 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: cadence: macb: Fix a possible deadlock in macb_halt_tx. There is a situation where after THALT is set high, TGO stays high as well. Because jiffies are never updated, as we are in a context with interrupts disabled, we never exit that loop and have a deadlock. That deadlock was noticed on a sama5d4 device that stayed locked for days. Use retries instead of jiffies so that the timeout really works and we do not have a deadlock anymore. | 2025-07-03 | not yet calculated | CVE-2025-38094 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dma-buf: insert memory barrier before updating num_fences smp_store_mb() inserts memory barrier after storing operation. It is different with what the comment is originally aiming so Null pointer dereference can be happened if memory update is reordered. | 2025-07-03 | not yet calculated | CVE-2025-38095 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: don't warn when if there is a FW error iwl_trans_reclaim is warning if it is called when the FW is not alive. But if it is called when there is a pending restart, i.e. after a FW error, there is no need to warn, instead - return silently. | 2025-07-03 | not yet calculated | CVE-2025-38096 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: espintcp: remove encap socket caching to avoid reference leak The current scheme for caching the encap socket can lead to reference leaks when we try to delete the netns. The reference chain is: xfrm_state -> enacp_sk -> netns Since the encap socket is a userspace socket, it holds a reference on the netns. If we delete the espintcp state (through flush or individual delete) before removing the netns, the reference on the socket is dropped and the netns is correctly deleted. Otherwise, the netns may not be reachable anymore (if all processes within the ns have terminated), so we cannot delete the xfrm state to drop its reference on the socket. This patch results in a small (~2% in my tests) performance regression. A GC-type mechanism could be added for the socket cache, to clear references if the state hasn't been used "recently", but it's a lot more complex than just not caching the socket. | 2025-07-03 | not yet calculated | CVE-2025-38097 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink Don't try to operate on a drm_wb_connector as an amdgpu_dm_connector. While dereferencing aconnector->base will "work" it's wrong and might lead to unknown bad things. Just... don't. | 2025-07-03 | not yet calculated | CVE-2025-38098 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken A SCO connection without the proper voice_setting can cause the controller to lock up. | 2025-07-03 | not yet calculated | CVE-2025-38099 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: x86/iopl: Cure TIF_IO_BITMAP inconsistencies io_bitmap_exit() is invoked from exit_thread() when a task exists or when a fork fails. In the latter case the exit_thread() cleans up resources which were allocated during fork(). io_bitmap_exit() invokes task_update_io_bitmap(), which in turn ends up in tss_update_io_bitmap(). tss_update_io_bitmap() operates on the current task. If current has TIF_IO_BITMAP set, but no bitmap installed, tss_update_io_bitmap() crashes with a NULL pointer dereference. There are two issues, which lead to that problem: 1) io_bitmap_exit() should not invoke task_update_io_bitmap() when the task, which is cleaned up, is not the current task. That's a clear indicator for a cleanup after a failed fork(). 2) A task should not have TIF_IO_BITMAP set and neither a bitmap installed nor IOPL emulation level 3 activated. This happens when a kernel thread is created in the context of a user space thread, which has TIF_IO_BITMAP set as the thread flags are copied and the IO bitmap pointer is cleared. Other than in the failed fork() case this has no impact because kernel threads including IO workers never return to user space and therefore never invoke tss_update_io_bitmap(). Cure this by adding the missing cleanups and checks: 1) Prevent io_bitmap_exit() to invoke task_update_io_bitmap() if the to be cleaned up task is not the current task. 2) Clear TIF_IO_BITMAP in copy_thread() unconditionally. For user space forks it is set later, when the IO bitmap is inherited in io_bitmap_share(). For paranoia sake, add a warning into tss_update_io_bitmap() to catch the case, when that code is invoked with inconsistent state. | 2025-07-03 | not yet calculated | CVE-2025-38100 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set() Enlarge the critical section in ring_buffer_subbuf_order_set() to ensure that error handling takes place with per-buffer mutex held, thus preventing list corruption and other concurrency-related issues. | 2025-07-03 | not yet calculated | CVE-2025-38101 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify During our test, it is found that a warning can be trigger in try_grab_folio as follow: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1678 at mm/gup.c:147 try_grab_folio+0x106/0x130 Modules linked in: CPU: 0 UID: 0 PID: 1678 Comm: syz.3.31 Not tainted 6.15.0-rc5 #163 PREEMPT(undef) RIP: 0010:try_grab_folio+0x106/0x130 Call Trace: <TASK> follow_huge_pmd+0x240/0x8e0 follow_pmd_mask.constprop.0.isra.0+0x40b/0x5c0 follow_pud_mask.constprop.0.isra.0+0x14a/0x170 follow_page_mask+0x1c2/0x1f0 __get_user_pages+0x176/0x950 __gup_longterm_locked+0x15b/0x1060 ? gup_fast+0x120/0x1f0 gup_fast_fallback+0x17e/0x230 get_user_pages_fast+0x5f/0x80 vmci_host_unlocked_ioctl+0x21c/0xf80 RIP: 0033:0x54d2cd ---[ end trace 0000000000000000 ]--- Digging into the source, context->notify_page may init by get_user_pages_fast and can be seen in vmci_ctx_unset_notify which will try to put_page. However get_user_pages_fast is not finished here and lead to following try_grab_folio warning. The race condition is shown as follow: cpu0 cpu1 vmci_host_do_set_notify vmci_host_setup_notify get_user_pages_fast(uva, 1, FOLL_WRITE, &context->notify_page); lockless_pages_from_mm gup_pgd_range gup_huge_pmd // update &context->notify_page vmci_host_do_set_notify vmci_ctx_unset_notify notify_page = context->notify_page; if (notify_page) put_page(notify_page); // page is freed __gup_longterm_locked __get_user_pages follow_trans_huge_pmd try_grab_folio // warn here To slove this, use local variable page to make notify_page can be seen after finish get_user_pages_fast. | 2025-07-03 | not yet calculated | CVE-2025-38102 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() Update struct hid_descriptor to better reflect the mandatory and optional parts of the HID Descriptor as per USB HID 1.11 specification. Note: the kernel currently does not parse any optional HID class descriptors, only the mandatory report descriptor. Update all references to member element desc[0] to rpt_desc. Add test to verify bLength and bNumDescriptors values are valid. Replace the for loop with direct access to the mandatory HID class descriptor member for the report descriptor. This eliminates the possibility of getting an out-of-bounds fault. Add a warning message if the HID descriptor contains any unsupported optional HID class descriptors. | 2025-07-03 | not yet calculated | CVE-2025-38103 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Kill timer properly at removal The USB-audio MIDI code initializes the timer, but in a rare case, the driver might be freed without the disconnect call. This leaves the timer in an active state while the assigned object is released via snd_usbmidi_free(), which ends up with a kernel warning when the debug configuration is enabled, as spotted by fuzzer. For avoiding the problem, put timer_shutdown_sync() at snd_usbmidi_free(), so that the timer can be killed properly. While we're at it, replace the existing timer_delete_sync() at the disconnect callback with timer_shutdown_sync(), too. | 2025-07-03 | not yet calculated | CVE-2025-38105 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() syzbot reports: BUG: KASAN: slab-use-after-free in getrusage+0x1109/0x1a60 Read of size 8 at addr ffff88810de2d2c8 by task a.out/304 CPU: 0 UID: 0 PID: 304 Comm: a.out Not tainted 6.16.0-rc1 #1 PREEMPT(voluntary) Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x53/0x70 print_report+0xd0/0x670 ? __pfx__raw_spin_lock_irqsave+0x10/0x10 ? getrusage+0x1109/0x1a60 kasan_report+0xce/0x100 ? getrusage+0x1109/0x1a60 getrusage+0x1109/0x1a60 ? __pfx_getrusage+0x10/0x10 __io_uring_show_fdinfo+0x9fe/0x1790 ? ksys_read+0xf7/0x1c0 ? do_syscall_64+0xa4/0x260 ? vsnprintf+0x591/0x1100 ? __pfx___io_uring_show_fdinfo+0x10/0x10 ? __pfx_vsnprintf+0x10/0x10 ? mutex_trylock+0xcf/0x130 ? __pfx_mutex_trylock+0x10/0x10 ? __pfx_show_fd_locks+0x10/0x10 ? io_uring_show_fdinfo+0x57/0x80 io_uring_show_fdinfo+0x57/0x80 seq_show+0x38c/0x690 seq_read_iter+0x3f7/0x1180 ? inode_set_ctime_current+0x160/0x4b0 seq_read+0x271/0x3e0 ? __pfx_seq_read+0x10/0x10 ? __pfx__raw_spin_lock+0x10/0x10 ? __mark_inode_dirty+0x402/0x810 ? selinux_file_permission+0x368/0x500 ? file_update_time+0x10f/0x160 vfs_read+0x177/0xa40 ? __pfx___handle_mm_fault+0x10/0x10 ? __pfx_vfs_read+0x10/0x10 ? mutex_lock+0x81/0xe0 ? __pfx_mutex_lock+0x10/0x10 ? fdget_pos+0x24d/0x4b0 ksys_read+0xf7/0x1c0 ? __pfx_ksys_read+0x10/0x10 ? do_user_addr_fault+0x43b/0x9c0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f0f74170fc9 Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 8 RSP: 002b:00007fffece049e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0f74170fc9 RDX: 0000000000001000 RSI: 00007fffece049f0 RDI: 0000000000000004 RBP: 00007fffece05ad0 R08: 0000000000000000 R09: 00007fffece04d90 R10: 0000000000000000 R11: 0000000000000206 R12: 00005651720a1100 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 298: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 __kasan_slab_alloc+0x6e/0x70 kmem_cache_alloc_node_noprof+0xe8/0x330 copy_process+0x376/0x5e00 create_io_thread+0xab/0xf0 io_sq_offload_create+0x9ed/0xf20 io_uring_setup+0x12b0/0x1cc0 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 22: kasan_save_stack+0x33/0x60 kasan_save_track+0x14/0x30 kasan_save_free_info+0x3b/0x60 __kasan_slab_free+0x37/0x50 kmem_cache_free+0xc4/0x360 rcu_core+0x5ff/0x19f0 handle_softirqs+0x18c/0x530 run_ksoftirqd+0x20/0x30 smpboot_thread_fn+0x287/0x6c0 kthread+0x30d/0x630 ret_from_fork+0xef/0x1a0 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x33/0x60 kasan_record_aux_stack+0x8c/0xa0 __call_rcu_common.constprop.0+0x68/0x940 __schedule+0xff2/0x2930 __cond_resched+0x4c/0x80 mutex_lock+0x5c/0xe0 io_uring_del_tctx_node+0xe1/0x2b0 io_uring_clean_tctx+0xb7/0x160 io_uring_cancel_generic+0x34e/0x760 do_exit+0x240/0x2350 do_group_exit+0xab/0x220 __x64_sys_exit_group+0x39/0x40 x64_sys_call+0x1243/0x1840 do_syscall_64+0xa4/0x260 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88810de2cb00 which belongs to the cache task_struct of size 3712 The buggy address is located 1992 bytes inside of freed 3712-byte region [ffff88810de2cb00, ffff88810de2d980) which is caused by the task_struct pointed to by sq->thread being released while it is being used in the function __io_uring_show_fdinfo(). Holding ctx->uring_lock does not prevent ehre relase or exit of sq->thread. Fix this by assigning and looking up ->thread under RCU, and grabbing a reference to the task_struct. This e ---truncated--- | 2025-07-03 | not yet calculated | CVE-2025-38106 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net_sched: ets: fix a race in ets_qdisc_change() Gerrard Tai reported a race condition in ETS, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock. | 2025-07-03 | not yet calculated | CVE-2025-38107 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net_sched: red: fix a race in __red_change() Gerrard Tai reported a race condition in RED, whenever SFQ perturb timer fires at the wrong time. The race is as follows: CPU 0 CPU 1 [1]: lock root [2]: qdisc_tree_flush_backlog() [3]: unlock root | | [5]: lock root | [6]: rehash | [7]: qdisc_tree_reduce_backlog() | [4]: qdisc_put() This can be abused to underflow a parent's qlen. Calling qdisc_purge_queue() instead of qdisc_tree_flush_backlog() should fix the race, because all packets will be purged from the qdisc before releasing the lock. | 2025-07-03 | not yet calculated | CVE-2025-38108 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix ECVF vports unload on shutdown flow Fix shutdown flow UAF when a virtual function is created on the embedded chip (ECVF) of a BlueField device. In such case the vport acl ingress table is not properly destroyed. ECVF functionality is independent of ecpf_vport_exists capability and thus functions mlx5_eswitch_(enable|disable)_pf_vf_vports() should not test it when enabling/disabling ECVF vports. kernel log: [] refcount_t: underflow; use-after-free. [] WARNING: CPU: 3 PID: 1 at lib/refcount.c:28 refcount_warn_saturate+0x124/0x220 ---------------- [] Call trace: [] refcount_warn_saturate+0x124/0x220 [] tree_put_node+0x164/0x1e0 [mlx5_core] [] mlx5_destroy_flow_table+0x98/0x2c0 [mlx5_core] [] esw_acl_ingress_table_destroy+0x28/0x40 [mlx5_core] [] esw_acl_ingress_lgcy_cleanup+0x80/0xf4 [mlx5_core] [] esw_legacy_vport_acl_cleanup+0x44/0x60 [mlx5_core] [] esw_vport_cleanup+0x64/0x90 [mlx5_core] [] mlx5_esw_vport_disable+0xc0/0x1d0 [mlx5_core] [] mlx5_eswitch_unload_ec_vf_vports+0xcc/0x150 [mlx5_core] [] mlx5_eswitch_disable_sriov+0x198/0x2a0 [mlx5_core] [] mlx5_device_disable_sriov+0xb8/0x1e0 [mlx5_core] [] mlx5_sriov_detach+0x40/0x50 [mlx5_core] [] mlx5_unload+0x40/0xc4 [mlx5_core] [] mlx5_unload_one_devl_locked+0x6c/0xe4 [mlx5_core] [] mlx5_unload_one+0x3c/0x60 [mlx5_core] [] shutdown+0x7c/0xa4 [mlx5_core] [] pci_device_shutdown+0x3c/0xa0 [] device_shutdown+0x170/0x340 [] __do_sys_reboot+0x1f4/0x2a0 [] __arm64_sys_reboot+0x2c/0x40 [] invoke_syscall+0x78/0x100 [] el0_svc_common.constprop.0+0x54/0x184 [] do_el0_svc+0x30/0xac [] el0_svc+0x48/0x160 [] el0t_64_sync_handler+0xa4/0x12c [] el0t_64_sync+0x1a4/0x1a8 [] --[ end trace 9c4601d68c70030e ]--- | 2025-07-03 | not yet calculated | CVE-2025-38109 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds clause 45 read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via C45 (clause 45) mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write. Fix that by adding address verification before C45 read/write operation. While this excludes this access from any statistics, it improves security of read/write operation. | 2025-07-03 | not yet calculated | CVE-2025-38110 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net/mdiobus: Fix potential out-of-bounds read/write access When using publicly available tools like 'mdio-tools' to read/write data from/to network interface and its PHY via mdiobus, there is no verification of parameters passed to the ioctl and it accepts any mdio address. Currently there is support for 32 addresses in kernel via PHY_MAX_ADDR define, but it is possible to pass higher value than that via ioctl. While read/write operation should generally fail in this case, mdiobus provides stats array, where wrong address may allow out-of-bounds read/write. Fix that by adding address verification before read/write operation. While this excludes this access from any statistics, it improves security of read/write operation. | 2025-07-03 | not yet calculated | CVE-2025-38111 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: Fix TOCTOU issue in sk_is_readable() sk->sk_prot->sock_is_readable is a valid function pointer when sk resides in a sockmap. After the last sk_psock_put() (which usually happens when socket is removed from sockmap), sk->sk_prot gets restored and sk->sk_prot->sock_is_readable becomes NULL. This makes sk_is_readable() racy, if the value of sk->sk_prot is reloaded after the initial check. Which in turn may lead to a null pointer dereference. Ensure the function pointer does not turn NULL after the check. | 2025-07-03 | not yet calculated | CVE-2025-38112 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Fix NULL pointer dereference when nosmp is used With nosmp in cmdline, other CPUs are not brought up, leaving their cpc_desc_ptr NULL. CPU0's iteration via for_each_possible_cpu() dereferences these NULL pointers, causing panic. Panic backtrace: [ 0.401123] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000b8 ... [ 0.403255] [<ffffffff809a5818>] cppc_allow_fast_switch+0x6a/0xd4 ... Kernel panic - not syncing: Attempted to kill init! [ rjw: New subject ] | 2025-07-03 | not yet calculated | CVE-2025-38113 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: e1000: Move cancel_work_sync to avoid deadlock Previously, e1000_down called cancel_work_sync for the e1000 reset task (via e1000_down_and_stop), which takes RTNL. As reported by users and syzbot, a deadlock is possible in the following scenario: CPU 0: - RTNL is held - e1000_close - e1000_down - cancel_work_sync (cancel / wait for e1000_reset_task()) CPU 1: - process_one_work - e1000_reset_task - take RTNL To remedy this, avoid calling cancel_work_sync from e1000_down (e1000_reset_task does nothing if the device is down anyway). Instead, call cancel_work_sync for e1000_reset_task when the device is being removed. | 2025-07-03 | not yet calculated | CVE-2025-38114 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: fix a potential crash on gso_skb handling SFQ has an assumption of always being able to queue at least one packet. However, after the blamed commit, sch->q.len can be inflated by packets in sch->gso_skb, and an enqueue() on an empty SFQ qdisc can be followed by an immediate drop. Fix sfq_drop() to properly clear q->tail in this situation. ip netns add lb ip link add dev to-lb type veth peer name in-lb netns lb ethtool -K to-lb tso off # force qdisc to requeue gso_skb ip netns exec lb ethtool -K in-lb gro on # enable NAPI ip link set dev to-lb up ip -netns lb link set dev in-lb up ip addr add dev to-lb 192.168.20.1/24 ip -netns lb addr add dev in-lb 192.168.20.2/24 tc qdisc replace dev to-lb root sfq limit 100 ip netns exec lb netserver netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & netperf -H 192.168.20.2 -l 100 & | 2025-07-03 | not yet calculated | CVE-2025-38115 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix uaf in ath12k_core_init() When the execution of ath12k_core_hw_group_assign() or ath12k_core_hw_group_create() fails, the registered notifier chain is not unregistered properly. Its memory is freed after rmmod, which may trigger to a use-after-free (UAF) issue if there is a subsequent access to this notifier chain. Fixes the issue by calling ath12k_core_panic_notifier_unregister() in failure cases. Call trace: notifier_chain_register+0x4c/0x1f0 (P) atomic_notifier_chain_register+0x38/0x68 ath12k_core_init+0x50/0x4e8 [ath12k] ath12k_pci_probe+0x5f8/0xc28 [ath12k] pci_device_probe+0xbc/0x1a8 really_probe+0xc8/0x3a0 __driver_probe_device+0x84/0x1b0 driver_probe_device+0x44/0x130 __driver_attach+0xcc/0x208 bus_for_each_dev+0x84/0x100 driver_attach+0x2c/0x40 bus_add_driver+0x130/0x260 driver_register+0x70/0x138 __pci_register_driver+0x68/0x80 ath12k_pci_init+0x30/0x68 [ath12k] ath12k_init+0x28/0x78 [ath12k] Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 | 2025-07-03 | not yet calculated | CVE-2025-38116 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Protect mgmt_pending list with its own lock This uses a mutex to protect from concurrent access of mgmt_pending list which can cause crashes like: ================================================================== BUG: KASAN: slab-use-after-free in hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91 Read of size 2 at addr ffff0000c48885b2 by task syz.4.334/7318 CPU: 0 UID: 0 PID: 7318 Comm: syz.4.334 Not tainted 6.15.0-rc7-syzkaller-g187899f4124a #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack+0x30/0x40 lib/dump_stack.c:94 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120 print_address_description+0xa8/0x254 mm/kasan/report.c:408 print_report+0x68/0x84 mm/kasan/report.c:521 kasan_report+0xb0/0x110 mm/kasan/report.c:634 __asan_report_load2_noabort+0x20/0x2c mm/kasan/report_generic.c:379 hci_sock_get_channel+0x60/0x68 net/bluetooth/hci_sock.c:91 mgmt_pending_find+0x7c/0x140 net/bluetooth/mgmt_util.c:223 pending_find net/bluetooth/mgmt.c:947 [inline] remove_adv_monitor+0x44/0x1a4 net/bluetooth/mgmt.c:5445 hci_mgmt_cmd+0x780/0xc00 net/bluetooth/hci_sock.c:1712 hci_sock_sendmsg+0x544/0xbb0 net/bluetooth/hci_sock.c:1832 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg net/socket.c:727 [inline] sock_write_iter+0x25c/0x378 net/socket.c:1131 new_sync_write fs/read_write.c:591 [inline] vfs_write+0x62c/0x97c fs/read_write.c:684 ksys_write+0x120/0x210 fs/read_write.c:736 __do_sys_write fs/read_write.c:747 [inline] __se_sys_write fs/read_write.c:744 [inline] __arm64_sys_write+0x7c/0x90 fs/read_write.c:744 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Allocated by task 7037: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:562 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4327 [inline] __kmalloc_noprof+0x2fc/0x4c8 mm/slub.c:4339 kmalloc_noprof include/linux/slab.h:909 [inline] sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:2198 sk_alloc+0x44/0x3ac net/core/sock.c:2254 bt_sock_alloc+0x4c/0x300 net/bluetooth/af_bluetooth.c:148 hci_sock_create+0xa8/0x194 net/bluetooth/hci_sock.c:2202 bt_sock_create+0x14c/0x24c net/bluetooth/af_bluetooth.c:132 __sock_create+0x43c/0x91c net/socket.c:1541 sock_create net/socket.c:1599 [inline] __sys_socket_create net/socket.c:1636 [inline] __sys_socket+0xd4/0x1c0 net/socket.c:1683 __do_sys_socket net/socket.c:1697 [inline] __se_sys_socket net/socket.c:1695 [inline] __arm64_sys_socket+0x7c/0x94 net/socket.c:1695 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Freed by task 6607: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x68/0x88 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline ---truncated--- | 2025-07-03 | not yet calculated | CVE-2025-38117 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete This reworks MGMT_OP_REMOVE_ADV_MONITOR to not use mgmt_pending_add to avoid crashes like bellow: ================================================================== BUG: KASAN: slab-use-after-free in mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 Read of size 8 at addr ffff88801c53f318 by task kworker/u5:5/5341 CPU: 0 UID: 0 PID: 5341 Comm: kworker/u5:5 Not tainted 6.15.0-syzkaller-10402-g4cb6c8af8591 #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: <TASK> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xd2/0x2b0 mm/kasan/report.c:521 kasan_report+0x118/0x150 mm/kasan/report.c:634 mgmt_remove_adv_monitor_complete+0xe5/0x540 net/bluetooth/mgmt.c:5406 hci_cmd_sync_work+0x261/0x3a0 net/bluetooth/hci_sync.c:334 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3321 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3402 kthread+0x711/0x8a0 kernel/kthread.c:464 ret_from_fork+0x3fc/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 5987: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __kmalloc_cache_noprof+0x230/0x3d0 mm/slub.c:4358 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] mgmt_pending_new+0x65/0x240 net/bluetooth/mgmt_util.c:252 mgmt_pending_add+0x34/0x120 net/bluetooth/mgmt_util.c:279 remove_adv_monitor+0x103/0x1b0 net/bluetooth/mgmt.c:5454 hci_mgmt_cmd+0x9c9/0xef0 net/bluetooth/hci_sock.c:1719 hci_sock_sendmsg+0x6ca/0xef0 net/bluetooth/hci_sock.c:1839 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x219/0x270 net/socket.c:727 sock_write_iter+0x258/0x330 net/socket.c:1131 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x548/0xa90 fs/read_write.c:686 ksys_write+0x145/0x250 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 5989: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:247 [inline] __kasan_slab_free+0x62/0x70 mm/kasan/common.c:264 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2380 [inline] slab_free mm/slub.c:4642 [inline] kfree+0x18e/0x440 mm/slub.c:4841 mgmt_pending_foreach+0xc9/0x120 net/bluetooth/mgmt_util.c:242 mgmt_index_removed+0x10d/0x2f0 net/bluetooth/mgmt.c:9366 hci_sock_bind+0xbe9/0x1000 net/bluetooth/hci_sock.c:1314 __sys_bind_socket net/socket.c:1810 [inline] __sys_bind+0x2c3/0x3e0 net/socket.c:1841 __do_sys_bind net/socket.c:1846 [inline] __se_sys_bind net/socket.c:1844 [inline] __x64_sys_bind+0x7a/0x90 net/socket.c:1844 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xfa/0x3b0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2025-07-03 | not yet calculated | CVE-2025-38118 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: core: ufs: Fix a hang in the error handler ufshcd_err_handling_prepare() calls ufshcd_rpm_get_sync(). The latter function can only succeed if UFSHCD_EH_IN_PROGRESS is not set because resuming involves submitting a SCSI command and ufshcd_queuecommand() returns SCSI_MLQUEUE_HOST_BUSY if UFSHCD_EH_IN_PROGRESS is set. Fix this hang by setting UFSHCD_EH_IN_PROGRESS after ufshcd_rpm_get_sync() has been called instead of before. Backtrace: __switch_to+0x174/0x338 __schedule+0x600/0x9e4 schedule+0x7c/0xe8 schedule_timeout+0xa4/0x1c8 io_schedule_timeout+0x48/0x70 wait_for_common_io+0xa8/0x160 //waiting on START_STOP wait_for_completion_io_timeout+0x10/0x20 blk_execute_rq+0xe4/0x1e4 scsi_execute_cmd+0x108/0x244 ufshcd_set_dev_pwr_mode+0xe8/0x250 __ufshcd_wl_resume+0x94/0x354 ufshcd_wl_runtime_resume+0x3c/0x174 scsi_runtime_resume+0x64/0xa4 rpm_resume+0x15c/0xa1c __pm_runtime_resume+0x4c/0x90 // Runtime resume ongoing ufshcd_err_handler+0x1a0/0xd08 process_one_work+0x174/0x808 worker_thread+0x15c/0x490 kthread+0xf4/0x1ec ret_from_fork+0x10/0x20 [ bvanassche: rewrote patch description ] | 2025-07-03 | not yet calculated | CVE-2025-38119 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_set_pipapo_avx2: fix initial map fill If the first field doesn't cover the entire start map, then we must zero out the remainder, else we leak those bits into the next match round map. The early fix was incomplete and did only fix up the generic C implementation. A followup patch adds a test case to nft_concat_range.sh. | 2025-07-03 | not yet calculated | CVE-2025-38120 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mld: avoid panic on init failure In case of an error during init, in_hw_restart will be set, but it will never get cleared. Instead, we will retry to init again, and then we will act like we are in a restart when we are actually not. This causes (among others) to a NULL pointer dereference when canceling rx_omi::finished_work, that was not even initialized, because we thought that we are in hw_restart. Set in_hw_restart to true only if the fw is running, then we know that FW was loaded successfully and we are not going to the retry loop. | 2025-07-03 | not yet calculated | CVE-2025-38121 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO gve_alloc_pending_packet() can return NULL, but gve_tx_add_skb_dqo() did not check for this case before dereferencing the returned pointer. Add a missing NULL check to prevent a potential NULL pointer dereference when allocation fails. This improves robustness in low-memory scenarios. | 2025-07-03 | not yet calculated | CVE-2025-38122 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: Fix napi rx poll issue When driver handles the napi rx polling requests, the netdev might have been released by the dellink logic triggered by the disconnect operation on user plane. However, in the logic of processing skb in polling, an invalid netdev is still being used, which causes a panic. BUG: kernel NULL pointer dereference, address: 00000000000000f1 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:dev_gro_receive+0x3a/0x620 [...] Call Trace: <IRQ> ? __die_body+0x68/0xb0 ? page_fault_oops+0x379/0x3e0 ? exc_page_fault+0x4f/0xa0 ? asm_exc_page_fault+0x22/0x30 ? __pfx_t7xx_ccmni_recv_skb+0x10/0x10 [mtk_t7xx (HASH:1400 7)] ? dev_gro_receive+0x3a/0x620 napi_gro_receive+0xad/0x170 t7xx_ccmni_recv_skb+0x48/0x70 [mtk_t7xx (HASH:1400 7)] t7xx_dpmaif_napi_rx_poll+0x590/0x800 [mtk_t7xx (HASH:1400 7)] net_rx_action+0x103/0x470 irq_exit_rcu+0x13a/0x310 sysvec_apic_timer_interrupt+0x56/0x90 </IRQ> | 2025-07-03 | not yet calculated | CVE-2025-38123 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: fix udp gso skb_segment after pull from frag_list Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after pull from frag_list") detected invalid geometry in frag_list skbs and redirects them from skb_segment_list to more robust skb_segment. But some packets with modified geometry can also hit bugs in that code. We don't know how many such cases exist. Addressing each one by one also requires touching the complex skb_segment code, which risks introducing bugs for other types of skbs. Instead, linearize all these packets that fail the basic invariants on gso fraglist skbs. That is more robust. If only part of the fraglist payload is pulled into head_skb, it will always cause exception when splitting skbs by skb_segment. For detailed call stack information, see below. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify fraglist skbs, breaking these invariants. In extreme cases they pull one part of data into skb linear. For UDP, this causes three payloads with lengths of (11,11,10) bytes were pulled tail to become (12,10,10) bytes. The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because payload was pulled into head_skb, it needs to be linearized before pass to regular skb_segment. skb_segment+0xcd0/0xd14 __udp_gso_segment+0x334/0x5f4 udp4_ufo_fragment+0x118/0x15c inet_gso_segment+0x164/0x338 skb_mac_gso_segment+0xc4/0x13c __skb_gso_segment+0xc4/0x124 validate_xmit_skb+0x9c/0x2c0 validate_xmit_skb_list+0x4c/0x80 sch_direct_xmit+0x70/0x404 __dev_queue_xmit+0x64c/0xe5c neigh_resolve_output+0x178/0x1c4 ip_finish_output2+0x37c/0x47c __ip_finish_output+0x194/0x240 ip_finish_output+0x20/0xf4 ip_output+0x100/0x1a0 NF_HOOK+0xc4/0x16c ip_forward+0x314/0x32c ip_rcv+0x90/0x118 __netif_receive_skb+0x74/0x124 process_backlog+0xe8/0x1a4 __napi_poll+0x5c/0x1f8 net_rx_action+0x154/0x314 handle_softirqs+0x154/0x4b8 [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278! [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000 [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000 [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO) [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14 [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14 [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770 | 2025-07-03 | not yet calculated | CVE-2025-38124 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: make sure that ptp_rate is not 0 before configuring EST If the ptp_rate recorded earlier in the driver happens to be 0, this bogus value will propagate up to EST configuration, where it will trigger a division by 0. Prevent this division by 0 by adding the corresponding check and error code. | 2025-07-03 | not yet calculated | CVE-2025-38125 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping The stmmac platform drivers that do not open-code the clk_ptp_rate value after having retrieved the default one from the device-tree can end up with 0 in clk_ptp_rate (as clk_get_rate can return 0). It will eventually propagate up to PTP initialization when bringing up the interface, leading to a divide by 0: Division by zero in kernel. CPU: 1 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.12.30-00001-g48313bd5768a #22 Hardware name: STM32 (Device Tree Support) Call trace: unwind_backtrace from show_stack+0x18/0x1c show_stack from dump_stack_lvl+0x6c/0x8c dump_stack_lvl from Ldiv0_64+0x8/0x18 Ldiv0_64 from stmmac_init_tstamp_counter+0x190/0x1a4 stmmac_init_tstamp_counter from stmmac_hw_setup+0xc1c/0x111c stmmac_hw_setup from __stmmac_open+0x18c/0x434 __stmmac_open from stmmac_open+0x3c/0xbc stmmac_open from __dev_open+0xf4/0x1ac __dev_open from __dev_change_flags+0x1cc/0x224 __dev_change_flags from dev_change_flags+0x24/0x60 dev_change_flags from ip_auto_config+0x2e8/0x11a0 ip_auto_config from do_one_initcall+0x84/0x33c do_one_initcall from kernel_init_freeable+0x1b8/0x214 kernel_init_freeable from kernel_init+0x24/0x140 kernel_init from ret_from_fork+0x14/0x28 Exception stack(0xe0815fb0 to 0xe0815ff8) Prevent this division by 0 by adding an explicit check and error log about the actual issue. While at it, remove the same check from stmmac_ptp_register, which then becomes duplicate | 2025-07-03 | not yet calculated | CVE-2025-38126 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ice: fix Tx scheduler error handling in XDP callback When the XDP program is loaded, the XDP callback adds new Tx queues. This means that the callback must update the Tx scheduler with the new queue number. In the event of a Tx scheduler failure, the XDP callback should also fail and roll back any changes previously made for XDP preparation. The previous implementation had a bug that not all changes made by the XDP callback were rolled back. This caused the crash with the following call trace: [ +9.549584] ice 0000:ca:00.0: Failed VSI LAN queue config for XDP, error: -5 [ +0.382335] Oops: general protection fault, probably for non-canonical address 0x50a2250a90495525: 0000 [#1] SMP NOPTI [ +0.010710] CPU: 103 UID: 0 PID: 0 Comm: swapper/103 Not tainted 6.14.0-net-next-mar-31+ #14 PREEMPT(voluntary) [ +0.010175] Hardware name: Intel Corporation M50CYP2SBSTD/M50CYP2SBSTD, BIOS SE5C620.86B.01.01.0005.2202160810 02/16/2022 [ +0.010946] RIP: 0010:__ice_update_sample+0x39/0xe0 [ice] [...] [ +0.002715] Call Trace: [ +0.002452] <IRQ> [ +0.002021] ? __die_body.cold+0x19/0x29 [ +0.003922] ? die_addr+0x3c/0x60 [ +0.003319] ? exc_general_protection+0x17c/0x400 [ +0.004707] ? asm_exc_general_protection+0x26/0x30 [ +0.004879] ? __ice_update_sample+0x39/0xe0 [ice] [ +0.004835] ice_napi_poll+0x665/0x680 [ice] [ +0.004320] __napi_poll+0x28/0x190 [ +0.003500] net_rx_action+0x198/0x360 [ +0.003752] ? update_rq_clock+0x39/0x220 [ +0.004013] handle_softirqs+0xf1/0x340 [ +0.003840] ? sched_clock_cpu+0xf/0x1f0 [ +0.003925] __irq_exit_rcu+0xc2/0xe0 [ +0.003665] common_interrupt+0x85/0xa0 [ +0.003839] </IRQ> [ +0.002098] <TASK> [ +0.002106] asm_common_interrupt+0x26/0x40 [ +0.004184] RIP: 0010:cpuidle_enter_state+0xd3/0x690 Fix this by performing the missing unmapping of XDP queues from q_vectors and setting the XDP rings pointer back to NULL after all those queues are released. Also, add an immediate exit from the XDP callback in case of ring preparation failure. | 2025-07-03 | not yet calculated | CVE-2025-38127 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands In 'mgmt_hci_cmd_sync()', check whether the size of parameters passed in 'struct mgmt_cp_hci_cmd_sync' matches the total size of the data (i.e. 'sizeof(struct mgmt_cp_hci_cmd_sync)' plus trailing bytes). Otherwise, large invalid 'params_len' will cause 'hci_cmd_sync_alloc()' to do 'skb_put_data()' from an area beyond the one actually passed to 'mgmt_hci_cmd_sync()'. | 2025-07-03 | not yet calculated | CVE-2025-38128 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: page_pool: Fix use-after-free in page_pool_recycle_in_ring syzbot reported a uaf in page_pool_recycle_in_ring: BUG: KASAN: slab-use-after-free in lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 Read of size 8 at addr ffff8880286045a0 by task syz.0.284/6943 CPU: 0 UID: 0 PID: 6943 Comm: syz.0.284 Not tainted 6.13.0-rc3-syzkaller-gdfa94ce54f41 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 lock_release+0x151/0xa30 kernel/locking/lockdep.c:5862 __raw_spin_unlock_bh include/linux/spinlock_api_smp.h:165 [inline] _raw_spin_unlock_bh+0x1b/0x40 kernel/locking/spinlock.c:210 spin_unlock_bh include/linux/spinlock.h:396 [inline] ptr_ring_produce_bh include/linux/ptr_ring.h:164 [inline] page_pool_recycle_in_ring net/core/page_pool.c:707 [inline] page_pool_put_unrefed_netmem+0x748/0xb00 net/core/page_pool.c:826 page_pool_put_netmem include/net/page_pool/helpers.h:323 [inline] page_pool_put_full_netmem include/net/page_pool/helpers.h:353 [inline] napi_pp_put_page+0x149/0x2b0 net/core/skbuff.c:1036 skb_pp_recycle net/core/skbuff.c:1047 [inline] skb_free_head net/core/skbuff.c:1094 [inline] skb_release_data+0x6c4/0x8a0 net/core/skbuff.c:1125 skb_release_all net/core/skbuff.c:1190 [inline] __kfree_skb net/core/skbuff.c:1204 [inline] sk_skb_reason_drop+0x1c9/0x380 net/core/skbuff.c:1242 kfree_skb_reason include/linux/skbuff.h:1263 [inline] __skb_queue_purge_reason include/linux/skbuff.h:3343 [inline] root cause is: page_pool_recycle_in_ring ptr_ring_produce spin_lock(&r->producer_lock); WRITE_ONCE(r->queue[r->producer++], ptr) //recycle last page to pool page_pool_release page_pool_scrub page_pool_empty_ring ptr_ring_consume page_pool_return_page //release all page __page_pool_destroy free_percpu(pool->recycle_stats); free(pool) //free spin_unlock(&r->producer_lock); //pool->ring uaf read recycle_stat_inc(pool, ring); page_pool can be free while page pool recycle the last page in ring. Add producer-lock barrier to page_pool_release to prevent the page pool from being free before all pages have been recycled. recycle_stat_inc() is empty when CONFIG_PAGE_POOL_STATS is not enabled, which will trigger Wempty-body build warning. Add definition for pool stat macro to fix warning. | 2025-07-03 | not yet calculated | CVE-2025-38129 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/connector: only call HDMI audio helper plugged cb if non-null On driver remove, sound/soc/codecs/hdmi-codec.c calls the plugged_cb with NULL as the callback function and codec_dev, as seen in its hdmi_remove function. The HDMI audio helper then happily tries calling said null function pointer, and produces an Oops as a result. Fix this by only executing the callback if fn is non-null. This means the .plugged_cb and .plugged_cb_dev members still get appropriately cleared. | 2025-07-03 | not yet calculated | CVE-2025-38130 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: coresight: prevent deactivate active config while enabling the config While enable active config via cscfg_csdev_enable_active_config(), active config could be deactivated via configfs' sysfs interface. This could make UAF issue in below scenario: CPU0 CPU1 (sysfs enable) load module cscfg_load_config_sets() activate config. // sysfs (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_lock) // here load config activate by CPU1 unlock(csdev->cscfg_csdev_lock) deactivate config // sysfs (sys_activec_cnt == 0) cscfg_unload_config_sets() unload module // access to config_desc which freed // while unloading module. cscfg_csdev_enable_config To address this, use cscfg_config_desc's active_cnt as a reference count which will be holded when - activate the config. - enable the activated config. and put the module reference when config_active_cnt == 0. | 2025-07-03 | not yet calculated | CVE-2025-38131 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: coresight: holding cscfg_csdev_lock while removing cscfg from csdev There'll be possible race scenario for coresight config: CPU0 CPU1 (perf enable) load module cscfg_load_config_sets() activate config. // sysfs (sys_active_cnt == 1) ... cscfg_csdev_enable_active_config() lock(csdev->cscfg_csdev_lock) deactivate config // sysfs (sys_activec_cnt == 0) cscfg_unload_config_sets() <iterating config_csdev_list> cscfg_remove_owned_csdev_configs() // here load config activate by CPU1 unlock(csdev->cscfg_csdev_lock) iterating config_csdev_list could be raced with config_csdev_list's entry delete. To resolve this race , hold csdev->cscfg_csdev_lock() while cscfg_remove_owned_csdev_configs() | 2025-07-03 | not yet calculated | CVE-2025-38132 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad4851: fix ad4858 chan pointer handling The pointer returned from ad4851_parse_channels_common() is incremented internally as each channel is populated. In ad4858_parse_channels(), the same pointer was further incremented while setting ext_scan_type fields for each channel. This resulted in indio_dev->channels being set to a pointer past the end of the allocated array, potentially causing memory corruption or undefined behavior. Fix this by iterating over the channels using an explicit index instead of incrementing the pointer. This preserves the original base pointer and ensures all channel metadata is set correctly. | 2025-07-03 | not yet calculated | CVE-2025-38133 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink() As demonstrated by the fix for update_port_device_state, commit 12783c0b9e2c ("usb: core: Prevent null pointer dereference in update_port_device_state"), usb_hub_to_struct_hub() can return NULL in certain scenarios, such as during hub driver unbind or teardown race conditions, even if the underlying usb_device structure exists. Plus, all other places that call usb_hub_to_struct_hub() in the same file do check for NULL return values. If usb_hub_to_struct_hub() returns NULL, the subsequent access to hub->ports[udev->portnum - 1] will cause a null pointer dereference. | 2025-07-03 | not yet calculated | CVE-2025-38134 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: serial: Fix potential null-ptr-deref in mlb_usio_probe() devm_ioremap() can return NULL on error. Currently, mlb_usio_probe() does not check for this case, which could result in a NULL pointer dereference. Add NULL check after devm_ioremap() to prevent this issue. | 2025-07-03 | not yet calculated | CVE-2025-38135 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Reorder clock handling and power management in probe Reorder the initialization sequence in `usbhs_probe()` to enable runtime PM before accessing registers, preventing potential crashes due to uninitialized clocks. Currently, in the probe path, registers are accessed before enabling the clocks, leading to a synchronous external abort on the RZ/V2H SoC. The problematic call flow is as follows: usbhs_probe() usbhs_sys_clock_ctrl() usbhs_bset() usbhs_write() iowrite16() <-- Register access before enabling clocks Since `iowrite16()` is performed without ensuring the required clocks are enabled, this can lead to access errors. To fix this, enable PM runtime early in the probe function and ensure clocks are acquired before register access, preventing crashes like the following on RZ/V2H: [13.272640] Internal error: synchronous external abort: 0000000096000010 [#1] PREEMPT SMP [13.280814] Modules linked in: cec renesas_usbhs(+) drm_kms_helper fuse drm backlight ipv6 [13.289088] CPU: 1 UID: 0 PID: 195 Comm: (udev-worker) Not tainted 6.14.0-rc7+ #98 [13.296640] Hardware name: Renesas RZ/V2H EVK Board based on r9a09g057h44 (DT) [13.303834] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [13.310770] pc : usbhs_bset+0x14/0x4c [renesas_usbhs] [13.315831] lr : usbhs_probe+0x2e4/0x5ac [renesas_usbhs] [13.321138] sp : ffff8000827e3850 [13.324438] x29: ffff8000827e3860 x28: 0000000000000000 x27: ffff8000827e3ca0 [13.331554] x26: ffff8000827e3ba0 x25: ffff800081729668 x24: 0000000000000025 [13.338670] x23: ffff0000c0f08000 x22: 0000000000000000 x21: ffff0000c0f08010 [13.345783] x20: 0000000000000000 x19: ffff0000c3b52080 x18: 00000000ffffffff [13.352895] x17: 0000000000000000 x16: 0000000000000000 x15: ffff8000827e36ce [13.360009] x14: 00000000000003d7 x13: 00000000000003d7 x12: 0000000000000000 [13.367122] x11: 0000000000000000 x10: 0000000000000aa0 x9 : ffff8000827e3750 [13.374235] x8 : ffff0000c1850b00 x7 : 0000000003826060 x6 : 000000000000001c [13.381347] x5 : 000000030d5fcc00 x4 : ffff8000825c0000 x3 : 0000000000000000 [13.388459] x2 : 0000000000000400 x1 : 0000000000000000 x0 : ffff0000c3b52080 [13.395574] Call trace: [13.398013] usbhs_bset+0x14/0x4c [renesas_usbhs] (P) [13.403076] platform_probe+0x68/0xdc [13.406738] really_probe+0xbc/0x2c0 [13.410306] __driver_probe_device+0x78/0x120 [13.414653] driver_probe_device+0x3c/0x154 [13.418825] __driver_attach+0x90/0x1a0 [13.422647] bus_for_each_dev+0x7c/0xe0 [13.426470] driver_attach+0x24/0x30 [13.430032] bus_add_driver+0xe4/0x208 [13.433766] driver_register+0x68/0x130 [13.437587] __platform_driver_register+0x24/0x30 [13.442273] renesas_usbhs_driver_init+0x20/0x1000 [renesas_usbhs] [13.448450] do_one_initcall+0x60/0x1d4 [13.452276] do_init_module+0x54/0x1f8 [13.456014] load_module+0x1754/0x1c98 [13.459750] init_module_from_file+0x88/0xcc [13.464004] __arm64_sys_finit_module+0x1c4/0x328 [13.468689] invoke_syscall+0x48/0x104 [13.472426] el0_svc_common.constprop.0+0xc0/0xe0 [13.477113] do_el0_svc+0x1c/0x28 [13.480415] el0_svc+0x30/0xcc [13.483460] el0t_64_sync_handler+0x10c/0x138 [13.487800] el0t_64_sync+0x198/0x19c [13.491453] Code: 2a0103e1 12003c42 12003c63 8b010084 (79400084) [13.497522] ---[ end trace 0000000000000000 ]--- | 2025-07-03 | not yet calculated | CVE-2025-38136 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: PCI/pwrctrl: Cancel outstanding rescan work when unregistering It's possible to trigger use-after-free here by: (a) forcing rescan_work_func() to take a long time and (b) utilizing a pwrctrl driver that may be unloaded for some reason Cancel outstanding work to ensure it is finished before we allow our data structures to be cleaned up. [bhelgaas: tidy commit log] | 2025-07-03 | not yet calculated | CVE-2025-38137 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: Add NULL check in udma_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, udma_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. | 2025-07-03 | not yet calculated | CVE-2025-38138 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfs: Fix oops in write-retry from mis-resetting the subreq iterator Fix the resetting of the subrequest iterator in netfs_retry_write_stream() to use the iterator-reset function as the iterator may have been shortened by a previous retry. In such a case, the amount of data to be written by the subrequest is not "subreq->len" but "subreq->len - subreq->transferred". Without this, KASAN may see an error in iov_iter_revert(): BUG: KASAN: slab-out-of-bounds in iov_iter_revert lib/iov_iter.c:633 [inline] BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611 Read of size 4 at addr ffff88802912a0b8 by task kworker/u32:7/1147 CPU: 1 UID: 0 PID: 1147 Comm: kworker/u32:7 Not tainted 6.15.0-rc6-syzkaller-00052-g9f35e33144ae #0 PREEMPT(full) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: events_unbound netfs_write_collection_worker Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xe0/0x110 mm/kasan/report.c:634 iov_iter_revert lib/iov_iter.c:633 [inline] iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611 netfs_retry_write_stream fs/netfs/write_retry.c:44 [inline] netfs_retry_writes+0x166d/0x1a50 fs/netfs/write_retry.c:231 netfs_collect_write_results fs/netfs/write_collect.c:352 [inline] netfs_write_collection_worker+0x23fd/0x3830 fs/netfs/write_collect.c:374 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c2/0x780 kernel/kthread.c:464 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> | 2025-07-03 | not yet calculated | CVE-2025-38139 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm: limit swapping tables for devices with zone write plugs dm_revalidate_zones() only allowed new or previously unzoned devices to call blk_revalidate_disk_zones(). If the device was already zoned, disk->nr_zones would always equal md->nr_zones, so dm_revalidate_zones() returned without doing any work. This would make the zoned settings for the device not match the new table. If the device had zone write plug resources, it could run into errors like bdev_zone_is_seq() reading invalid memory because disk->conv_zones_bitmap was the wrong size. If the device doesn't have any zone write plug resources, calling blk_revalidate_disk_zones() will always correctly update device. If blk_revalidate_disk_zones() fails, it can still overwrite or clear the current disk->nr_zones value. In this case, DM must restore the previous value of disk->nr_zones, so that the zoned settings will continue to match the previous value that it fell back to. If the device already has zone write plug resources, blk_revalidate_disk_zones() will not correctly update them, if it is called for arbitrary zoned device changes. Since there is not much need for this ability, the easiest solution is to disallow any table reloads that change the zoned settings, for devices that already have zone plug resources. Specifically, if a device already has zone plug resources allocated, it can only switch to another zoned table that also emulates zone append. Also, it cannot change the device size or the zone size. A device can switch to an error target. | 2025-07-03 | not yet calculated | CVE-2025-38140 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: dm: fix dm_blk_report_zones If dm_get_live_table() returned NULL, dm_put_live_table() was never called. Also, it is possible that md->zone_revalidate_map will change while calling this function. Only read it once, so that we are always using the same value. Otherwise we might miss a call to dm_put_live_table(). Finally, while md->zone_revalidate_map is set and a process is calling blk_revalidate_disk_zones() to set up the zone append emulation resources, it is possible that another process, perhaps triggered by blkdev_report_zones_ioctl(), will call dm_blk_report_zones(). If blk_revalidate_disk_zones() fails, these resources can be freed while the other process is still using them, causing a use-after-free error. blk_revalidate_disk_zones() will only ever be called when initially setting up the zone append emulation resources, such as when setting up a zoned dm-crypt table for the first time. Further table swaps will not set md->zone_revalidate_map or call blk_revalidate_disk_zones(). However it must be called using the new table (referenced by md->zone_revalidate_map) and the new queue limits while the DM device is suspended. dm_blk_report_zones() needs some way to distinguish between a call from blk_revalidate_disk_zones(), which must be allowed to use md->zone_revalidate_map to access this not yet activated table, and all other calls to dm_blk_report_zones(), which should not be allowed while the device is suspended and cannot use md->zone_revalidate_map, since the zone resources might be freed by the process currently calling blk_revalidate_disk_zones(). Solve this by tracking the process that sets md->zone_revalidate_map in dm_revalidate_zones() and only allowing that process to make use of it in dm_blk_report_zones(). | 2025-07-03 | not yet calculated | CVE-2025-38141 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (asus-ec-sensors) check sensor index in read_string() Prevent a potential invalid memory access when the requested sensor is not found. find_ec_sensor_index() may return a negative value (e.g. -ENOENT), but its result was used without checking, which could lead to undefined behavior when passed to get_sensor_info(). Add a proper check to return -EINVAL if sensor_index is negative. Found by Linux Verification Center (linuxtesting.org) with SVACE. [groeck: Return error code returned from find_ec_sensor_index] | 2025-07-03 | not yet calculated | CVE-2025-38142 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: backlight: pm8941: Add NULL check in wled_configure() devm_kasprintf() returns NULL when memory allocation fails. Currently, wled_configure() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. | 2025-07-03 | not yet calculated | CVE-2025-38143 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: watchdog: lenovo_se30_wdt: Fix possible devm_ioremap() NULL pointer dereference in lenovo_se30_wdt_probe() devm_ioremap() returns NULL on error. Currently, lenovo_se30_wdt_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_ioremap() to prevent this issue. | 2025-07-03 | not yet calculated | CVE-2025-38144 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() devm_kasprintf() returns NULL when memory allocation fails. Currently, aspeed_lpc_enable_snoop() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. [arj: Fix Fixes: tag to use subject from 3772e5da4454] | 2025-07-03 | not yet calculated | CVE-2025-38145 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: Fix the dead loop of MPLS parse The unexpected MPLS packet may not end with the bottom label stack. When there are many stacks, The label count value has wrapped around. A dead loop occurs, soft lockup/CPU stuck finally. stack backtrace: UBSAN: array-index-out-of-bounds in /build/linux-0Pa0xK/linux-5.15.0/net/openvswitch/flow.c:662:26 index -1 is out of range for type '__be32 [3]' CPU: 34 PID: 0 Comm: swapper/34 Kdump: loaded Tainted: G OE 5.15.0-121-generic #131-Ubuntu Hardware name: Dell Inc. PowerEdge C6420/0JP9TF, BIOS 2.12.2 07/14/2021 Call Trace: <IRQ> show_stack+0x52/0x5c dump_stack_lvl+0x4a/0x63 dump_stack+0x10/0x16 ubsan_epilogue+0x9/0x36 __ubsan_handle_out_of_bounds.cold+0x44/0x49 key_extract_l3l4+0x82a/0x840 [openvswitch] ? kfree_skbmem+0x52/0xa0 key_extract+0x9c/0x2b0 [openvswitch] ovs_flow_key_extract+0x124/0x350 [openvswitch] ovs_vport_receive+0x61/0xd0 [openvswitch] ? kernel_init_free_pages.part.0+0x4a/0x70 ? get_page_from_freelist+0x353/0x540 netdev_port_receive+0xc4/0x180 [openvswitch] ? netdev_port_receive+0x180/0x180 [openvswitch] netdev_frame_hook+0x1f/0x40 [openvswitch] __netif_receive_skb_core.constprop.0+0x23a/0xf00 __netif_receive_skb_list_core+0xfa/0x240 netif_receive_skb_list_internal+0x18e/0x2a0 napi_complete_done+0x7a/0x1c0 bnxt_poll+0x155/0x1c0 [bnxt_en] __napi_poll+0x30/0x180 net_rx_action+0x126/0x280 ? bnxt_msix+0x67/0x80 [bnxt_en] handle_softirqs+0xda/0x2d0 irq_exit_rcu+0x96/0xc0 common_interrupt+0x8e/0xa0 </IRQ> | 2025-07-03 | not yet calculated | CVE-2025-38146 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: calipso: Don't call calipso functions for AF_INET sk. syzkaller reported a null-ptr-deref in txopt_get(). [0] The offset 0x70 was of struct ipv6_txoptions in struct ipv6_pinfo, so struct ipv6_pinfo was NULL there. However, this never happens for IPv6 sockets as inet_sk(sk)->pinet6 is always set in inet6_create(), meaning the socket was not IPv6 one. The root cause is missing validation in netlbl_conn_setattr(). netlbl_conn_setattr() switches branches based on struct sockaddr.sa_family, which is passed from userspace. However, netlbl_conn_setattr() does not check if the address family matches the socket. The syzkaller must have called connect() for an IPv6 address on an IPv4 socket. We have a proper validation in tcp_v[46]_connect(), but security_socket_connect() is called in the earlier stage. Let's copy the validation to netlbl_conn_setattr(). [0]: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000e: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077] CPU: 2 UID: 0 PID: 12928 Comm: syz.9.1677 Not tainted 6.12.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 RIP: 0010:txopt_get include/net/ipv6.h:390 [inline] RIP: 0010: Code: 02 00 00 49 8b ac 24 f8 02 00 00 e8 84 69 2a fd e8 ff 00 16 fd 48 8d 7d 70 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 53 02 00 00 48 8b 6d 70 48 85 ed 0f 84 ab 01 00 RSP: 0018:ffff88811b8afc48 EFLAGS: 00010212 RAX: dffffc0000000000 RBX: 1ffff11023715f8a RCX: ffffffff841ab00c RDX: 000000000000000e RSI: ffffc90007d9e000 RDI: 0000000000000070 RBP: 0000000000000000 R08: ffffed1023715f9d R09: ffffed1023715f9e R10: ffffed1023715f9d R11: 0000000000000003 R12: ffff888123075f00 R13: ffff88810245bd80 R14: ffff888113646780 R15: ffff888100578a80 FS: 00007f9019bd7640(0000) GS:ffff8882d2d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f901b927bac CR3: 0000000104788003 CR4: 0000000000770ef0 PKRU: 80000000 Call Trace: <TASK> calipso_sock_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:557 netlbl_conn_setattr+0x10c/0x280 net/netlabel/netlabel_kapi.c:1177 selinux_netlbl_socket_connect_helper+0xd3/0x1b0 security/selinux/netlabel.c:569 selinux_netlbl_socket_connect_locked security/selinux/netlabel.c:597 [inline] selinux_netlbl_socket_connect+0xb6/0x100 security/selinux/netlabel.c:615 selinux_socket_connect+0x5f/0x80 security/selinux/hooks.c:4931 security_socket_connect+0x50/0xa0 security/security.c:4598 __sys_connect_file+0xa4/0x190 net/socket.c:2067 __sys_connect+0x12c/0x170 net/socket.c:2088 __do_sys_connect net/socket.c:2098 [inline] __se_sys_connect net/socket.c:2095 [inline] __x64_sys_connect+0x73/0xb0 net/socket.c:2095 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xaa/0x1b0 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f901b61a12d Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f9019bd6fa8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: 00007f901b925fa0 RCX: 00007f901b61a12d RDX: 000000000000001c RSI: 0000200000000140 RDI: 0000000000000003 RBP: 00007f901b701505 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f901b5b62a0 R15: 00007f9019bb7000 </TASK> Modules linked in: | 2025-07-03 | not yet calculated | CVE-2025-38147 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: phy: mscc: Fix memory leak when using one step timestamping Fix memory leak when running one-step timestamping. When running one-step sync timestamping, the HW is configured to insert the TX time into the frame, so there is no reason to keep the skb anymore. As in this case the HW will never generate an interrupt to say that the frame was timestamped, then the frame will never released. Fix this by freeing the frame in case of one-step timestamping. | 2025-07-03 | not yet calculated | CVE-2025-38148 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: phy: clear phydev->devlink when the link is deleted There is a potential crash issue when disabling and re-enabling the network port. When disabling the network port, phy_detach() calls device_link_del() to remove the device link, but it does not clear phydev->devlink, so phydev->devlink is not a NULL pointer. Then the network port is re-enabled, but if phy_attach_direct() fails before calling device_link_add(), the code jumps to the "error" label and calls phy_detach(). Since phydev->devlink retains the old value from the previous attach/detach cycle, device_link_del() uses the old value, which accesses a NULL pointer and causes a crash. The simplified crash log is as follows. [ 24.702421] Call trace: [ 24.704856] device_link_put_kref+0x20/0x120 [ 24.709124] device_link_del+0x30/0x48 [ 24.712864] phy_detach+0x24/0x168 [ 24.716261] phy_attach_direct+0x168/0x3a4 [ 24.720352] phylink_fwnode_phy_connect+0xc8/0x14c [ 24.725140] phylink_of_phy_connect+0x1c/0x34 Therefore, phydev->devlink needs to be cleared when the device link is deleted. | 2025-07-03 | not yet calculated | CVE-2025-38149 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: af_packet: move notifier's packet_dev_mc out of rcu critical section Syzkaller reports the following issue: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:578 __mutex_lock+0x106/0xe80 kernel/locking/mutex.c:746 team_change_rx_flags+0x38/0x220 drivers/net/team/team_core.c:1781 dev_change_rx_flags net/core/dev.c:9145 [inline] __dev_set_promiscuity+0x3f8/0x590 net/core/dev.c:9189 netif_set_promiscuity+0x50/0xe0 net/core/dev.c:9201 dev_set_promiscuity+0x126/0x260 net/core/dev_api.c:286 packet_dev_mc net/packet/af_packet.c:3698 [inline] packet_dev_mclist_delete net/packet/af_packet.c:3722 [inline] packet_notifier+0x292/0xa60 net/packet/af_packet.c:4247 notifier_call_chain+0x1b3/0x3e0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2214 [inline] call_netdevice_notifiers net/core/dev.c:2228 [inline] unregister_netdevice_many_notify+0x15d8/0x2330 net/core/dev.c:11972 rtnl_delete_link net/core/rtnetlink.c:3522 [inline] rtnl_dellink+0x488/0x710 net/core/rtnetlink.c:3564 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6955 netlink_rcv_skb+0x219/0x490 net/netlink/af_netlink.c:2534 Calling `PACKET_ADD_MEMBERSHIP` on an ops-locked device can trigger the `NETDEV_UNREGISTER` notifier, which may require disabling promiscuous and/or allmulti mode. Both of these operations require acquiring the netdev instance lock. Move the call to `packet_dev_mc` outside of the RCU critical section. The `mclist` modifications (add, del, flush, unregister) are protected by the RTNL, not the RCU. The RCU only protects the `sklist` and its associated `sks`. The delayed operation on the `mclist` entry remains within the RTNL. | 2025-07-03 | not yet calculated | CVE-2025-38150 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work The cited commit fixed a crash when cma_netevent_callback was called for a cma_id while work on that id from a previous call had not yet started. The work item was re-initialized in the second call, which corrupted the work item currently in the work queue. However, it left a problem when queue_work fails (because the item is still pending in the work queue from a previous call). In this case, cma_id_put (which is called in the work handler) is therefore not called. This results in a userspace process hang (zombie process). Fix this by calling cma_id_put() if queue_work fails. | 2025-07-03 | not yet calculated | CVE-2025-38151 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: fix error handling of usbnet read calls Syzkaller, courtesy of syzbot, identified an error (see report [1]) in aqc111 driver, caused by incomplete sanitation of usb read calls' results. This problem is quite similar to the one fixed in commit 920a9fa27e78 ("net: asix: add proper error handling of usb read errors"). For instance, usbnet_read_cmd() may read fewer than 'size' bytes, even if the caller expected the full amount, and aqc111_read_cmd() will not check its result properly. As [1] shows, this may lead to MAC address in aqc111_bind() being only partly initialized, triggering KMSAN warnings. Fix the issue by verifying that the number of bytes read is as expected and not less. [1] Partial syzbot report: BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:208 [inline] BUG: KMSAN: uninit-value in usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 is_valid_ether_addr include/linux/etherdevice.h:208 [inline] usbnet_probe+0x2e57/0x4390 drivers/net/usb/usbnet.c:1830 usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x4d1/0xd90 drivers/base/dd.c:658 __driver_probe_device+0x268/0x380 drivers/base/dd.c:800 ... Uninit was stored to memory at: dev_addr_mod+0xb0/0x550 net/core/dev_addr_lists.c:582 __dev_addr_set include/linux/netdevice.h:4874 [inline] eth_hw_addr_set include/linux/etherdevice.h:325 [inline] aqc111_bind+0x35f/0x1150 drivers/net/usb/aqc111.c:717 usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 ... Uninit was stored to memory at: ether_addr_copy include/linux/etherdevice.h:305 [inline] aqc111_read_perm_mac drivers/net/usb/aqc111.c:663 [inline] aqc111_bind+0x794/0x1150 drivers/net/usb/aqc111.c:713 usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 usb_probe_interface+0xd01/0x1310 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:-1 [inline] ... Local variable buf.i created at: aqc111_read_perm_mac drivers/net/usb/aqc111.c:656 [inline] aqc111_bind+0x221/0x1150 drivers/net/usb/aqc111.c:713 usbnet_probe+0xbe6/0x4390 drivers/net/usb/usbnet.c:1772 | 2025-07-03 | not yet calculated | CVE-2025-38153 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Avoid using sk_socket after free when sending The sk->sk_socket is not locked or referenced in backlog thread, and during the call to skb_send_sock(), there is a race condition with the release of sk_socket. All types of sockets(tcp/udp/unix/vsock) will be affected. Race conditions: ''' CPU0 CPU1 backlog::skb_send_sock sendmsg_unlocked sock_sendmsg sock_sendmsg_nosec close(fd): ... ops->release() -> sock_map_close() sk_socket->ops = NULL free(socket) sock->ops->sendmsg ^ panic here ''' The ref of psock become 0 after sock_map_close() executed. ''' void sock_map_close() { ... if (likely(psock)) { ... // !! here we remove psock and the ref of psock become 0 sock_map_remove_links(sk, psock) psock = sk_psock_get(sk); if (unlikely(!psock)) goto no_psock; <=== Control jumps here via goto ... cancel_delayed_work_sync(&psock->work); <=== not executed sk_psock_put(sk, psock); ... } ''' Based on the fact that we already wait for the workqueue to finish in sock_map_close() if psock is held, we simply increase the psock reference count to avoid race conditions. With this patch, if the backlog thread is running, sock_map_close() will wait for the backlog thread to complete and cancel all pending work. If no backlog running, any pending work that hasn't started by then will fail when invoked by sk_psock_get(), as the psock reference count have been zeroed, and sk_psock_drop() will cancel all jobs via cancel_delayed_work_sync(). In summary, we require synchronization to coordinate the backlog thread and close() thread. The panic I catched: ''' Workqueue: events sk_psock_backlog RIP: 0010:sock_sendmsg+0x21d/0x440 RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001 ... Call Trace: <TASK> ? die_addr+0x40/0xa0 ? exc_general_protection+0x14c/0x230 ? asm_exc_general_protection+0x26/0x30 ? sock_sendmsg+0x21d/0x440 ? sock_sendmsg+0x3e0/0x440 ? __pfx_sock_sendmsg+0x10/0x10 __skb_send_sock+0x543/0xb70 sk_psock_backlog+0x247/0xb80 ... ''' | 2025-07-03 | not yet calculated | CVE-2025-38154 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() devm_ioremap() returns NULL on error. Currently, mt7915_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference. Prevent null pointer dereference in mt7915_mmio_wed_init(). | 2025-07-03 | not yet calculated | CVE-2025-38155 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init() devm_ioremap() returns NULL on error. Currently, mt7996_mmio_wed_init() does not check for this case, which results in a NULL pointer dereference. Prevent null pointer dereference in mt7996_mmio_wed_init() | 2025-07-03 | not yet calculated | CVE-2025-38156 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k_htc: Abort software beacon handling if disabled A malicious USB device can send a WMI_SWBA_EVENTID event from an ath9k_htc-managed device before beaconing has been enabled. This causes a device-by-zero error in the driver, leading to either a crash or an out of bounds read. Prevent this by aborting the handling in ath9k_htc_swba() if beacons are not enabled. | 2025-07-03 | not yet calculated | CVE-2025-38157 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: fix XQE dma address error The dma addresses of EQE and AEQE are wrong after migration and results in guest kernel-mode encryption services failure. Comparing the definition of hardware registers, we found that there was an error when the data read from the register was combined into an address. Therefore, the address combination sequence needs to be corrected. Even after fixing the above problem, we still have an issue where the Guest from an old kernel can get migrated to new kernel and may result in wrong data. In order to ensure that the address is correct after migration, if an old magic number is detected, the dma address needs to be updated. | 2025-07-03 | not yet calculated | CVE-2025-38158 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds Set the size to 6 instead of 2, since 'para' array is passed to 'rtw_fw_bt_wifi_control(rtwdev, para[0], ¶[1])', which reads 5 bytes: void rtw_fw_bt_wifi_control(struct rtw_dev *rtwdev, u8 op_code, u8 *data) { ... SET_BT_WIFI_CONTROL_DATA1(h2c_pkt, *data); SET_BT_WIFI_CONTROL_DATA2(h2c_pkt, *(data + 1)); ... SET_BT_WIFI_CONTROL_DATA5(h2c_pkt, *(data + 4)); Detected using the static analysis tool - Svace. | 2025-07-03 | not yet calculated | CVE-2025-38159 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() devm_kasprintf() returns NULL when memory allocation fails. Currently, raspberrypi_clk_register() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. | 2025-07-03 | not yet calculated | CVE-2025-38160 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction Upon RQ destruction if the firmware command fails which is the last resource to be destroyed some SW resources were already cleaned regardless of the failure. Now properly rollback the object to its original state upon such failure. In order to avoid a use-after free in case someone tries to destroy the object again, which results in the following kernel trace: refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 37589 at lib/refcount.c:28 refcount_warn_saturate+0xf4/0x148 Modules linked in: rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) mlx5_ib(OE) rfkill mlx5_core(OE) mlxdevm(OE) ib_uverbs(OE) ib_core(OE) psample mlxfw(OE) mlx_compat(OE) macsec tls pci_hyperv_intf sunrpc vfat fat virtio_net net_failover failover fuse loop nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce virtio_console virtio_gpu virtio_blk virtio_dma_buf virtio_mmio dm_mirror dm_region_hash dm_log dm_mod xpmem(OE) CPU: 0 UID: 0 PID: 37589 Comm: python3 Kdump: loaded Tainted: G OE ------- --- 6.12.0-54.el10.aarch64 #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : refcount_warn_saturate+0xf4/0x148 lr : refcount_warn_saturate+0xf4/0x148 sp : ffff80008b81b7e0 x29: ffff80008b81b7e0 x28: ffff000133d51600 x27: 0000000000000001 x26: 0000000000000000 x25: 00000000ffffffea x24: ffff00010ae80f00 x23: ffff00010ae80f80 x22: ffff0000c66e5d08 x21: 0000000000000000 x20: ffff0000c66e0000 x19: ffff00010ae80340 x18: 0000000000000006 x17: 0000000000000000 x16: 0000000000000020 x15: ffff80008b81b37f x14: 0000000000000000 x13: 2e656572662d7265 x12: ffff80008283ef78 x11: ffff80008257efd0 x10: ffff80008283efd0 x9 : ffff80008021ed90 x8 : 0000000000000001 x7 : 00000000000bffe8 x6 : c0000000ffff7fff x5 : ffff0001fb8e3408 x4 : 0000000000000000 x3 : ffff800179993000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000133d51600 Call trace: refcount_warn_saturate+0xf4/0x148 mlx5_core_put_rsc+0x88/0xa0 [mlx5_ib] mlx5_core_destroy_rq_tracked+0x64/0x98 [mlx5_ib] mlx5_ib_destroy_wq+0x34/0x80 [mlx5_ib] ib_destroy_wq_user+0x30/0xc0 [ib_core] uverbs_free_wq+0x28/0x58 [ib_uverbs] destroy_hw_idr_uobject+0x34/0x78 [ib_uverbs] uverbs_destroy_uobject+0x48/0x240 [ib_uverbs] __uverbs_cleanup_ufile+0xd4/0x1a8 [ib_uverbs] uverbs_destroy_ufile_hw+0x48/0x120 [ib_uverbs] ib_uverbs_close+0x2c/0x100 [ib_uverbs] __fput+0xd8/0x2f0 __fput_sync+0x50/0x70 __arm64_sys_close+0x40/0x90 invoke_syscall.constprop.0+0x74/0xd0 do_el0_svc+0x48/0xe8 el0_svc+0x44/0x1d0 el0t_64_sync_handler+0x120/0x130 el0t_64_sync+0x1a4/0x1a8 | 2025-07-03 | not yet calculated | CVE-2025-38161 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: prevent overflow in lookup table allocation When calculating the lookup table size, ensure the following multiplication does not overflow: - desc->field_len[] maximum value is U8_MAX multiplied by NFT_PIPAPO_GROUPS_PER_BYTE(f) that can be 2, worst case. - NFT_PIPAPO_BUCKETS(f->bb) is 2^8, worst case. - sizeof(unsigned long), from sizeof(*f->lt), lt in struct nft_pipapo_field. Then, use check_mul_overflow() to multiply by bucket size and then use check_add_overflow() to the alignment for avx2 (if needed). Finally, add lt_size_check_overflow() helper and use it to consolidate this. While at it, replace leftover allocation using the GFP_KERNEL to GFP_KERNEL_ACCOUNT for consistency, in pipapo_resize(). | 2025-07-03 | not yet calculated | CVE-2025-38162 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on sbi->total_valid_block_count syzbot reported a f2fs bug as below: ------------[ cut here ]------------ kernel BUG at fs/f2fs/f2fs.h:2521! RIP: 0010:dec_valid_block_count+0x3b2/0x3c0 fs/f2fs/f2fs.h:2521 Call Trace: f2fs_truncate_data_blocks_range+0xc8c/0x11a0 fs/f2fs/file.c:695 truncate_dnode+0x417/0x740 fs/f2fs/node.c:973 truncate_nodes+0x3ec/0xf50 fs/f2fs/node.c:1014 f2fs_truncate_inode_blocks+0x8e3/0x1370 fs/f2fs/node.c:1197 f2fs_do_truncate_blocks+0x840/0x12b0 fs/f2fs/file.c:810 f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:838 f2fs_truncate+0x417/0x720 fs/f2fs/file.c:888 f2fs_setattr+0xc4f/0x12f0 fs/f2fs/file.c:1112 notify_change+0xbca/0xe90 fs/attr.c:552 do_truncate+0x222/0x310 fs/open.c:65 handle_truncate fs/namei.c:3466 [inline] do_open fs/namei.c:3849 [inline] path_openat+0x2e4f/0x35d0 fs/namei.c:4004 do_filp_open+0x284/0x4e0 fs/namei.c:4031 do_sys_openat2+0x12b/0x1d0 fs/open.c:1429 do_sys_open fs/open.c:1444 [inline] __do_sys_creat fs/open.c:1522 [inline] __se_sys_creat fs/open.c:1516 [inline] __x64_sys_creat+0x124/0x170 fs/open.c:1516 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/syscall_64.c:94 The reason is: in fuzzed image, sbi->total_valid_block_count is inconsistent w/ mapped blocks indexed by inode, so, we should not trigger panic for such case, instead, let's print log and set fsck flag. | 2025-07-03 | not yet calculated | CVE-2025-38163 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: zone: fix to avoid inconsistence in between SIT and SSA w/ below testcase, it will cause inconsistence in between SIT and SSA. create_null_blk 512 2 1024 1024 mkfs.f2fs -m /dev/nullb0 mount /dev/nullb0 /mnt/f2fs/ touch /mnt/f2fs/file f2fs_io pinfile set /mnt/f2fs/file fallocate -l 4GiB /mnt/f2fs/file F2FS-fs (nullb0): Inconsistent segment (0) type [1, 0] in SSA and SIT CPU: 5 UID: 0 PID: 2398 Comm: fallocate Tainted: G O 6.13.0-rc1 #84 Tainted: [O]=OOT_MODULE Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 Call Trace: <TASK> dump_stack_lvl+0xb3/0xd0 dump_stack+0x14/0x20 f2fs_handle_critical_error+0x18c/0x220 [f2fs] f2fs_stop_checkpoint+0x38/0x50 [f2fs] do_garbage_collect+0x674/0x6e0 [f2fs] f2fs_gc_range+0x12b/0x230 [f2fs] f2fs_allocate_pinning_section+0x5c/0x150 [f2fs] f2fs_expand_inode_data+0x1cc/0x3c0 [f2fs] f2fs_fallocate+0x3c3/0x410 [f2fs] vfs_fallocate+0x15f/0x4b0 __x64_sys_fallocate+0x4a/0x80 x64_sys_call+0x15e8/0x1b80 do_syscall_64+0x68/0x130 entry_SYSCALL_64_after_hwframe+0x67/0x6f RIP: 0033:0x7f9dba5197ca F2FS-fs (nullb0): Stopped filesystem due to reason: 4 The reason is f2fs_gc_range() may try to migrate block in curseg, however, its SSA block is not uptodate due to the last summary block data is still in cache of curseg. In this patch, we add a condition in f2fs_gc_range() to check whether section is opened or not, and skip block migration for opened section. | 2025-07-03 | not yet calculated | CVE-2025-38164 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix panic when calling skb_linearize The panic can be reproduced by executing the command: ./bench sockmap -c 2 -p 1 -a --rx-verdict-ingress --rx-strp 100000 Then a kernel panic was captured: ''' [ 657.460555] kernel BUG at net/core/skbuff.c:2178! [ 657.462680] Tainted: [W]=WARN [ 657.463287] Workqueue: events sk_psock_backlog ... [ 657.469610] <TASK> [ 657.469738] ? die+0x36/0x90 [ 657.469916] ? do_trap+0x1d0/0x270 [ 657.470118] ? pskb_expand_head+0x612/0xf40 [ 657.470376] ? pskb_expand_head+0x612/0xf40 [ 657.470620] ? do_error_trap+0xa3/0x170 [ 657.470846] ? pskb_expand_head+0x612/0xf40 [ 657.471092] ? handle_invalid_op+0x2c/0x40 [ 657.471335] ? pskb_expand_head+0x612/0xf40 [ 657.471579] ? exc_invalid_op+0x2d/0x40 [ 657.471805] ? asm_exc_invalid_op+0x1a/0x20 [ 657.472052] ? pskb_expand_head+0xd1/0xf40 [ 657.472292] ? pskb_expand_head+0x612/0xf40 [ 657.472540] ? lock_acquire+0x18f/0x4e0 [ 657.472766] ? find_held_lock+0x2d/0x110 [ 657.472999] ? __pfx_pskb_expand_head+0x10/0x10 [ 657.473263] ? __kmalloc_cache_noprof+0x5b/0x470 [ 657.473537] ? __pfx___lock_release.isra.0+0x10/0x10 [ 657.473826] __pskb_pull_tail+0xfd/0x1d20 [ 657.474062] ? __kasan_slab_alloc+0x4e/0x90 [ 657.474707] sk_psock_skb_ingress_enqueue+0x3bf/0x510 [ 657.475392] ? __kasan_kmalloc+0xaa/0xb0 [ 657.476010] sk_psock_backlog+0x5cf/0xd70 [ 657.476637] process_one_work+0x858/0x1a20 ''' The panic originates from the assertion BUG_ON(skb_shared(skb)) in skb_linearize(). A previous commit(see Fixes tag) introduced skb_get() to avoid race conditions between skb operations in the backlog and skb release in the recvmsg path. However, this caused the panic to always occur when skb_linearize is executed. The "--rx-strp 100000" parameter forces the RX path to use the strparser module which aggregates data until it reaches 100KB before calling sockmap logic. The 100KB payload exceeds MAX_MSG_FRAGS, triggering skb_linearize. To fix this issue, just move skb_get into sk_psock_skb_ingress_enqueue. ''' sk_psock_backlog: sk_psock_handle_skb skb_get(skb) <== we move it into 'sk_psock_skb_ingress_enqueue' sk_psock_skb_ingress____________ ↓ | | → sk_psock_skb_ingress_self | sk_psock_skb_ingress_enqueue sk_psock_verdict_apply_________________↑ skb_linearize ''' Note that for verdict_apply path, the skb_get operation is unnecessary so we add 'take_ref' param to control it's behavior. | 2025-07-03 | not yet calculated | CVE-2025-38165 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: fix ktls panic with sockmap [ 2172.936997] ------------[ cut here ]------------ [ 2172.936999] kernel BUG at lib/iov_iter.c:629! ...... [ 2172.944996] PKRU: 55555554 [ 2172.945155] Call Trace: [ 2172.945299] <TASK> [ 2172.945428] ? die+0x36/0x90 [ 2172.945601] ? do_trap+0xdd/0x100 [ 2172.945795] ? iov_iter_revert+0x178/0x180 [ 2172.946031] ? iov_iter_revert+0x178/0x180 [ 2172.946267] ? do_error_trap+0x7d/0x110 [ 2172.946499] ? iov_iter_revert+0x178/0x180 [ 2172.946736] ? exc_invalid_op+0x50/0x70 [ 2172.946961] ? iov_iter_revert+0x178/0x180 [ 2172.947197] ? asm_exc_invalid_op+0x1a/0x20 [ 2172.947446] ? iov_iter_revert+0x178/0x180 [ 2172.947683] ? iov_iter_revert+0x5c/0x180 [ 2172.947913] tls_sw_sendmsg_locked.isra.0+0x794/0x840 [ 2172.948206] tls_sw_sendmsg+0x52/0x80 [ 2172.948420] ? inet_sendmsg+0x1f/0x70 [ 2172.948634] __sys_sendto+0x1cd/0x200 [ 2172.948848] ? find_held_lock+0x2b/0x80 [ 2172.949072] ? syscall_trace_enter+0x140/0x270 [ 2172.949330] ? __lock_release.isra.0+0x5e/0x170 [ 2172.949595] ? find_held_lock+0x2b/0x80 [ 2172.949817] ? syscall_trace_enter+0x140/0x270 [ 2172.950211] ? lockdep_hardirqs_on_prepare+0xda/0x190 [ 2172.950632] ? ktime_get_coarse_real_ts64+0xc2/0xd0 [ 2172.951036] __x64_sys_sendto+0x24/0x30 [ 2172.951382] do_syscall_64+0x90/0x170 ...... After calling bpf_exec_tx_verdict(), the size of msg_pl->sg may increase, e.g., when the BPF program executes bpf_msg_push_data(). If the BPF program sets cork_bytes and sg.size is smaller than cork_bytes, it will return -ENOSPC and attempt to roll back to the non-zero copy logic. However, during rollback, msg->msg_iter is reset, but since msg_pl->sg.size has been increased, subsequent executions will exceed the actual size of msg_iter. ''' iov_iter_revert(&msg->msg_iter, msg_pl->sg.size - orig_size); ''' The changes in this commit are based on the following considerations: 1. When cork_bytes is set, rolling back to non-zero copy logic is pointless and can directly go to zero-copy logic. 2. We can not calculate the correct number of bytes to revert msg_iter. Assume the original data is "abcdefgh" (8 bytes), and after 3 pushes by the BPF program, it becomes 11-byte data: "abc?de?fgh?". Then, we set cork_bytes to 6, which means the first 6 bytes have been processed, and the remaining 5 bytes "?fgh?" will be cached until the length meets the cork_bytes requirement. However, some data in "?fgh?" is not within 'sg->msg_iter' (but in msg_pl instead), especially the data "?" we pushed. So it doesn't seem as simple as just reverting through an offset of msg_iter. 3. For non-TLS sockets in tcp_bpf_sendmsg, when a "cork" situation occurs, the user-space send() doesn't return an error, and the returned length is the same as the input length parameter, even if some data is cached. Additionally, I saw that the current non-zero-copy logic for handling corking is written as: ''' line 1177 else if (ret != -EAGAIN) { if (ret == -ENOSPC) ret = 0; goto send_end; ''' So it's ok to just return 'copied' without error when a "cork" situation occurs. | 2025-07-03 | not yet calculated | CVE-2025-38166 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: handle hdr_first_de() return value The hdr_first_de() function returns a pointer to a struct NTFS_DE. This pointer may be NULL. To handle the NULL error effectively, it is important to implement an error handler. This will help manage potential errors consistently. Additionally, error handling for the return value already exists at other points where this function is called. Found by Linux Verification Center (linuxtesting.org) with SVACE. | 2025-07-03 | not yet calculated | CVE-2025-38167 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: perf: arm-ni: Unregister PMUs on probe failure When a resource allocation fails in one clock domain of an NI device, we need to properly roll back all previously registered perf PMUs in other clock domains of the same device. Otherwise, it can lead to kernel panics. Calling arm_ni_init+0x0/0xff8 [arm_ni] @ 2374 arm-ni ARMHCB70:00: Failed to request PMU region 0x1f3c13000 arm-ni ARMHCB70:00: probe with driver arm-ni failed with error -16 list_add corruption: next->prev should be prev (fffffd01e9698a18), but was 0000000000000000. (next=ffff10001a0decc8). pstate: 6340009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--) pc : list_add_valid_or_report+0x7c/0xb8 lr : list_add_valid_or_report+0x7c/0xb8 Call trace: __list_add_valid_or_report+0x7c/0xb8 perf_pmu_register+0x22c/0x3a0 arm_ni_probe+0x554/0x70c [arm_ni] platform_probe+0x70/0xe8 really_probe+0xc6/0x4d8 driver_probe_device+0x48/0x170 __driver_attach+0x8e/0x1c0 bus_for_each_dev+0x64/0xf0 driver_add+0x138/0x260 bus_add_driver+0x68/0x138 __platform_driver_register+0x2c/0x40 arm_ni_init+0x14/0x2a [arm_ni] do_init_module+0x36/0x298 ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Oops - BUG: Fatal exception SMP: stopping secondary CPUs | 2025-07-03 | not yet calculated | CVE-2025-38168 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP On system with SME, a thread's kernel FPSIMD state may be erroneously clobbered during a context switch immediately after that state is restored. Systems without SME are unaffected. If the CPU happens to be in streaming SVE mode before a context switch to a thread with kernel FPSIMD state, fpsimd_thread_switch() will restore the kernel FPSIMD state using fpsimd_load_kernel_state() while the CPU is still in streaming SVE mode. When fpsimd_thread_switch() subsequently calls fpsimd_flush_cpu_state(), this will execute an SMSTOP, causing an exit from streaming SVE mode. The exit from streaming SVE mode will cause the hardware to reset a number of FPSIMD/SVE/SME registers, clobbering the FPSIMD state. Fix this by calling fpsimd_flush_cpu_state() before restoring the kernel FPSIMD state. | 2025-07-03 | not yet calculated | CVE-2025-38169 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: Discard stale CPU state when handling SME traps The logic for handling SME traps manipulates saved FPSIMD/SVE/SME state incorrectly, and a race with preemption can result in a task having TIF_SME set and TIF_FOREIGN_FPSTATE clear even though the live CPU state is stale (e.g. with SME traps enabled). This can result in warnings from do_sme_acc() where SME traps are not expected while TIF_SME is set: | /* With TIF_SME userspace shouldn't generate any traps */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); This is very similar to the SVE issue we fixed in commit: 751ecf6afd6568ad ("arm64/sve: Discard stale CPU state when handling SVE traps") The race can occur when the SME trap handler is preempted before and after manipulating the saved FPSIMD/SVE/SME state, starting and ending on the same CPU, e.g. | void do_sme_acc(unsigned long esr, struct pt_regs *regs) | { | // Trap on CPU 0 with TIF_SME clear, SME traps enabled | // task->fpsimd_cpu is 0. | // per_cpu_ptr(&fpsimd_last_state, 0) is task. | | ... | | // Preempted; migrated from CPU 0 to CPU 1. | // TIF_FOREIGN_FPSTATE is set. | | get_cpu_fpsimd_context(); | | /* With TIF_SME userspace shouldn't generate any traps */ | if (test_and_set_thread_flag(TIF_SME)) | WARN_ON(1); | | if (!test_thread_flag(TIF_FOREIGN_FPSTATE)) { | unsigned long vq_minus_one = | sve_vq_from_vl(task_get_sme_vl(current)) - 1; | sme_set_vq(vq_minus_one); | | fpsimd_bind_task_to_cpu(); | } | | put_cpu_fpsimd_context(); | | // Preempted; migrated from CPU 1 to CPU 0. | // task->fpsimd_cpu is still 0 | // If per_cpu_ptr(&fpsimd_last_state, 0) is still task then: | // - Stale HW state is reused (with SME traps enabled) | // - TIF_FOREIGN_FPSTATE is cleared | // - A return to userspace skips HW state restore | } Fix the case where the state is not live and TIF_FOREIGN_FPSTATE is set by calling fpsimd_flush_task_state() to detach from the saved CPU state. This ensures that a subsequent context switch will not reuse the stale CPU state, and will instead set TIF_FOREIGN_FPSTATE, forcing the new state to be reloaded from memory prior to a return to userspace. Note: this was originallly posted as [1]. [ Rutland: rewrite commit message ] | 2025-07-03 | not yet calculated | CVE-2025-38170 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: power: supply: max77705: Fix workqueue error handling in probe The create_singlethread_workqueue() doesn't return error pointers, it returns NULL. Also cleanup the workqueue on the error paths. | 2025-07-03 | not yet calculated | CVE-2025-38171 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: erofs: avoid using multiple devices with different type For multiple devices, both primary and extra devices should be the same type. `erofs_init_device` has already guaranteed that if the primary is a file-backed device, extra devices should also be regular files. However, if the primary is a block device while the extra device is a file-backed device, `erofs_init_device` will get an ENOTBLK, which is not treated as an error in `erofs_fc_get_tree`, and that leads to an UAF: erofs_fc_get_tree get_tree_bdev_flags(erofs_fc_fill_super) erofs_read_superblock erofs_init_device // sbi->dif0 is not inited yet, // return -ENOTBLK deactivate_locked_super free(sbi) if (err is -ENOTBLK) sbi->dif0.file = filp_open() // sbi UAF So if -ENOTBLK is hitted in `erofs_init_device`, it means the primary device must be a block device, and the extra device is not a block device. The error can be converted to -EINVAL. | 2025-07-03 | not yet calculated | CVE-2025-38172 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: marvell/cesa - Handle zero-length skcipher requests Do not access random memory for zero-length skcipher requests. Just return 0. | 2025-07-03 | not yet calculated | CVE-2025-38173 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: thunderbolt: Do not double dequeue a configuration request Some of our devices crash in tb_cfg_request_dequeue(): general protection fault, probably for non-canonical address 0xdead000000000122 CPU: 6 PID: 91007 Comm: kworker/6:2 Tainted: G U W 6.6.65 RIP: 0010:tb_cfg_request_dequeue+0x2d/0xa0 Call Trace: <TASK> ? tb_cfg_request_dequeue+0x2d/0xa0 tb_cfg_request_work+0x33/0x80 worker_thread+0x386/0x8f0 kthread+0xed/0x110 ret_from_fork+0x38/0x50 ret_from_fork_asm+0x1b/0x30 The circumstances are unclear, however, the theory is that tb_cfg_request_work() can be scheduled twice for a request: first time via frame.callback from ring_work() and second time from tb_cfg_request(). Both times kworkers will execute tb_cfg_request_dequeue(), which results in double list_del() from the ctl->request_queue (the list poison deference hints at it: 0xdead000000000122). Do not dequeue requests that don't have TB_CFG_REQUEST_ACTIVE bit set. | 2025-07-04 | not yet calculated | CVE-2025-38174 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: binder: fix yet another UAF in binder_devices Commit e77aff5528a18 ("binderfs: fix use-after-free in binder_devices") addressed a use-after-free where devices could be released without first being removed from the binder_devices list. However, there is a similar path in binder_free_proc() that was missed: ================================================================== BUG: KASAN: slab-use-after-free in binder_remove_device+0xd4/0x100 Write of size 8 at addr ffff0000c773b900 by task umount/467 CPU: 12 UID: 0 PID: 467 Comm: umount Not tainted 6.15.0-rc7-00138-g57483a362741 #9 PREEMPT Hardware name: linux,dummy-virt (DT) Call trace: binder_remove_device+0xd4/0x100 binderfs_evict_inode+0x230/0x2f0 evict+0x25c/0x5dc iput+0x304/0x480 dentry_unlink_inode+0x208/0x46c __dentry_kill+0x154/0x530 [...] Allocated by task 463: __kmalloc_cache_noprof+0x13c/0x324 binderfs_binder_device_create.isra.0+0x138/0xa60 binder_ctl_ioctl+0x1ac/0x230 [...] Freed by task 215: kfree+0x184/0x31c binder_proc_dec_tmpref+0x33c/0x4ac binder_deferred_func+0xc10/0x1108 process_one_work+0x520/0xba4 [...] ================================================================== Call binder_remove_device() within binder_free_proc() to ensure the device is removed from the binder_devices list before being kfreed. | 2025-07-04 | not yet calculated | CVE-2025-38175 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: binder: fix use-after-free in binderfs_evict_inode() Running 'stress-ng --binderfs 16 --timeout 300' under KASAN-enabled kernel, I've noticed the following: BUG: KASAN: slab-use-after-free in binderfs_evict_inode+0x1de/0x2d0 Write of size 8 at addr ffff88807379bc08 by task stress-ng-binde/1699 CPU: 0 UID: 0 PID: 1699 Comm: stress-ng-binde Not tainted 6.14.0-rc7-g586de92313fc-dirty #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x1c2/0x2a0 ? __pfx_dump_stack_lvl+0x10/0x10 ? __pfx__printk+0x10/0x10 ? __pfx_lock_release+0x10/0x10 ? __virt_addr_valid+0x18c/0x540 ? __virt_addr_valid+0x469/0x540 print_report+0x155/0x840 ? __virt_addr_valid+0x18c/0x540 ? __virt_addr_valid+0x469/0x540 ? __phys_addr+0xba/0x170 ? binderfs_evict_inode+0x1de/0x2d0 kasan_report+0x147/0x180 ? binderfs_evict_inode+0x1de/0x2d0 binderfs_evict_inode+0x1de/0x2d0 ? __pfx_binderfs_evict_inode+0x10/0x10 evict+0x524/0x9f0 ? __pfx_lock_release+0x10/0x10 ? __pfx_evict+0x10/0x10 ? do_raw_spin_unlock+0x4d/0x210 ? _raw_spin_unlock+0x28/0x50 ? iput+0x697/0x9b0 __dentry_kill+0x209/0x660 ? shrink_kill+0x8d/0x2c0 shrink_kill+0xa9/0x2c0 shrink_dentry_list+0x2e0/0x5e0 shrink_dcache_parent+0xa2/0x2c0 ? __pfx_shrink_dcache_parent+0x10/0x10 ? __pfx_lock_release+0x10/0x10 ? __pfx_do_raw_spin_lock+0x10/0x10 do_one_tree+0x23/0xe0 shrink_dcache_for_umount+0xa0/0x170 generic_shutdown_super+0x67/0x390 kill_litter_super+0x76/0xb0 binderfs_kill_super+0x44/0x90 deactivate_locked_super+0xb9/0x130 cleanup_mnt+0x422/0x4c0 ? lockdep_hardirqs_on+0x9d/0x150 task_work_run+0x1d2/0x260 ? __pfx_task_work_run+0x10/0x10 resume_user_mode_work+0x52/0x60 syscall_exit_to_user_mode+0x9a/0x120 do_syscall_64+0x103/0x210 ? asm_sysvec_apic_timer_interrupt+0x1a/0x20 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0xcac57b Code: c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 31 f6 e9 05 00 00 00 0f 1f 44 00 00 f3 0f 1e fa b8 RSP: 002b:00007ffecf4226a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 RAX: 0000000000000000 RBX: 00007ffecf422720 RCX: 0000000000cac57b RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00007ffecf422850 RBP: 00007ffecf422850 R08: 0000000028d06ab1 R09: 7fffffffffffffff R10: 3fffffffffffffff R11: 0000000000000246 R12: 00007ffecf422718 R13: 00007ffecf422710 R14: 00007f478f87b658 R15: 00007ffecf422830 </TASK> Allocated by task 1705: kasan_save_track+0x3e/0x80 __kasan_kmalloc+0x8f/0xa0 __kmalloc_cache_noprof+0x213/0x3e0 binderfs_binder_device_create+0x183/0xa80 binder_ctl_ioctl+0x138/0x190 __x64_sys_ioctl+0x120/0x1b0 do_syscall_64+0xf6/0x210 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 1705: kasan_save_track+0x3e/0x80 kasan_save_free_info+0x46/0x50 __kasan_slab_free+0x62/0x70 kfree+0x194/0x440 evict+0x524/0x9f0 do_unlinkat+0x390/0x5b0 __x64_sys_unlink+0x47/0x50 do_syscall_64+0xf6/0x210 entry_SYSCALL_64_after_hwframe+0x77/0x7f This 'stress-ng' workload causes the concurrent deletions from 'binder_devices' and so requires full-featured synchronization to prevent list corruption. I've found this issue independently but pretty sure that syzbot did the same, so Reported-by: and Closes: should be applicable here as well. | 2025-07-04 | not yet calculated | CVE-2025-38176 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: make hfsc_qlen_notify() idempotent hfsc_qlen_notify() is not idempotent either and not friendly to its callers, like fq_codel_dequeue(). Let's make it idempotent to ease qdisc_tree_reduce_backlog() callers' life: 1. update_vf() decreases cl->cl_nactive, so we can check whether it is non-zero before calling it. 2. eltree_remove() always removes RB node cl->el_node, but we can use RB_EMPTY_NODE() + RB_CLEAR_NODE() to make it safe. | 2025-07-04 | not yet calculated | CVE-2025-38177 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: EDAC/igen6: Fix NULL pointer dereference A kernel panic was reported with the following kernel log: EDAC igen6: Expected 2 mcs, but only 1 detected. BUG: unable to handle page fault for address: 000000000000d570 ... Hardware name: Notebook V54x_6x_TU/V54x_6x_TU, BIOS Dasharo (coreboot+UEFI) v0.9.0 07/17/2024 RIP: e030:ecclog_handler+0x7e/0xf0 [igen6_edac] ... igen6_probe+0x2a0/0x343 [igen6_edac] ... igen6_init+0xc5/0xff0 [igen6_edac] ... This issue occurred because one memory controller was disabled by the BIOS but the igen6_edac driver still checked all the memory controllers, including this absent one, to identify the source of the error. Accessing the null MMIO for the absent memory controller resulted in the oops above. Fix this issue by reverting the configuration structure to non-const and updating the field 'res_cfg->num_imc' to reflect the number of detected memory controllers. | 2025-07-04 | not yet calculated | CVE-2025-38178 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix max_sge overflow in smb_extract_folioq_to_rdma() This fixes the following problem: [ 749.901015] [ T8673] run fstests cifs/001 at 2025-06-17 09:40:30 [ 750.346409] [ T9870] ================================================================== [ 750.346814] [ T9870] BUG: KASAN: slab-out-of-bounds in smb_set_sge+0x2cc/0x3b0 [cifs] [ 750.347330] [ T9870] Write of size 8 at addr ffff888011082890 by task xfs_io/9870 [ 750.347705] [ T9870] [ 750.348077] [ T9870] CPU: 0 UID: 0 PID: 9870 Comm: xfs_io Kdump: loaded Not tainted 6.16.0-rc2-metze.02+ #1 PREEMPT(voluntary) [ 750.348082] [ T9870] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 750.348085] [ T9870] Call Trace: [ 750.348086] [ T9870] <TASK> [ 750.348088] [ T9870] dump_stack_lvl+0x76/0xa0 [ 750.348106] [ T9870] print_report+0xd1/0x640 [ 750.348116] [ T9870] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 750.348120] [ T9870] ? kasan_complete_mode_report_info+0x26/0x210 [ 750.348124] [ T9870] kasan_report+0xe7/0x130 [ 750.348128] [ T9870] ? smb_set_sge+0x2cc/0x3b0 [cifs] [ 750.348262] [ T9870] ? smb_set_sge+0x2cc/0x3b0 [cifs] [ 750.348377] [ T9870] __asan_report_store8_noabort+0x17/0x30 [ 750.348381] [ T9870] smb_set_sge+0x2cc/0x3b0 [cifs] [ 750.348496] [ T9870] smbd_post_send_iter+0x1990/0x3070 [cifs] [ 750.348625] [ T9870] ? __pfx_smbd_post_send_iter+0x10/0x10 [cifs] [ 750.348741] [ T9870] ? update_stack_state+0x2a0/0x670 [ 750.348749] [ T9870] ? cifs_flush+0x153/0x320 [cifs] [ 750.348870] [ T9870] ? cifs_flush+0x153/0x320 [cifs] [ 750.348990] [ T9870] ? update_stack_state+0x2a0/0x670 [ 750.348995] [ T9870] smbd_send+0x58c/0x9c0 [cifs] [ 750.349117] [ T9870] ? __pfx_smbd_send+0x10/0x10 [cifs] [ 750.349231] [ T9870] ? unwind_get_return_address+0x65/0xb0 [ 750.349235] [ T9870] ? __pfx_stack_trace_consume_entry+0x10/0x10 [ 750.349242] [ T9870] ? arch_stack_walk+0xa7/0x100 [ 750.349250] [ T9870] ? stack_trace_save+0x92/0xd0 [ 750.349254] [ T9870] __smb_send_rqst+0x931/0xec0 [cifs] [ 750.349374] [ T9870] ? kernel_text_address+0x173/0x190 [ 750.349379] [ T9870] ? kasan_save_stack+0x39/0x70 [ 750.349382] [ T9870] ? kasan_save_track+0x18/0x70 [ 750.349385] [ T9870] ? __kasan_slab_alloc+0x9d/0xa0 [ 750.349389] [ T9870] ? __pfx___smb_send_rqst+0x10/0x10 [cifs] [ 750.349508] [ T9870] ? smb2_mid_entry_alloc+0xb4/0x7e0 [cifs] [ 750.349626] [ T9870] ? cifs_call_async+0x277/0xb00 [cifs] [ 750.349746] [ T9870] ? cifs_issue_write+0x256/0x610 [cifs] [ 750.349867] [ T9870] ? netfs_do_issue_write+0xc2/0x340 [netfs] [ 750.349900] [ T9870] ? netfs_advance_write+0x45b/0x1270 [netfs] [ 750.349929] [ T9870] ? netfs_write_folio+0xd6c/0x1be0 [netfs] [ 750.349958] [ T9870] ? netfs_writepages+0x2e9/0xa80 [netfs] [ 750.349987] [ T9870] ? do_writepages+0x21f/0x590 [ 750.349993] [ T9870] ? filemap_fdatawrite_wbc+0xe1/0x140 [ 750.349997] [ T9870] ? entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 750.350002] [ T9870] smb_send_rqst+0x22e/0x2f0 [cifs] [ 750.350131] [ T9870] ? __pfx_smb_send_rqst+0x10/0x10 [cifs] [ 750.350255] [ T9870] ? local_clock_noinstr+0xe/0xd0 [ 750.350261] [ T9870] ? kasan_save_alloc_info+0x37/0x60 [ 750.350268] [ T9870] ? __kasan_check_write+0x14/0x30 [ 750.350271] [ T9870] ? _raw_spin_lock+0x81/0xf0 [ 750.350275] [ T9870] ? __pfx__raw_spin_lock+0x10/0x10 [ 750.350278] [ T9870] ? smb2_setup_async_request+0x293/0x580 [cifs] [ 750.350398] [ T9870] cifs_call_async+0x477/0xb00 [cifs] [ 750.350518] [ T9870] ? __pfx_smb2_writev_callback+0x10/0x10 [cifs] [ 750.350636] [ T9870] ? __pfx_cifs_call_async+0x10/0x10 [cifs] [ 750.350756] [ T9870] ? __pfx__raw_spin_lock+0x10/0x10 [ 750.350760] [ T9870] ? __kasan_check_write+0x14/0x30 [ 750.350763] [ T98 ---truncated--- | 2025-07-04 | not yet calculated | CVE-2025-38179 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: atm: fix /proc/net/atm/lec handling /proc/net/atm/lec must ensure safety against dev_lec[] changes. It appears it had dev_put() calls without prior dev_hold(), leading to imbalance and UAF. | 2025-07-04 | not yet calculated | CVE-2025-38180 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). syzkaller reported a null-ptr-deref in sock_omalloc() while allocating a CALIPSO option. [0] The NULL is of struct sock, which was fetched by sk_to_full_sk() in calipso_req_setattr(). Since commit a1a5344ddbe8 ("tcp: avoid two atomic ops for syncookies"), reqsk->rsk_listener could be NULL when SYN Cookie is returned to its client, as hinted by the leading SYN Cookie log. Here are 3 options to fix the bug: 1) Return 0 in calipso_req_setattr() 2) Return an error in calipso_req_setattr() 3) Alaways set rsk_listener 1) is no go as it bypasses LSM, but 2) effectively disables SYN Cookie for CALIPSO. 3) is also no go as there have been many efforts to reduce atomic ops and make TCP robust against DDoS. See also commit 3b24d854cb35 ("tcp/dccp: do not touch listener sk_refcnt under synflood"). As of the blamed commit, SYN Cookie already did not need refcounting, and no one has stumbled on the bug for 9 years, so no CALIPSO user will care about SYN Cookie. Let's return an error in calipso_req_setattr() and calipso_req_delattr() in the SYN Cookie case. This can be reproduced by [1] on Fedora and now connect() of nc times out. [0]: TCP: request_sock_TCPv6: Possible SYN flooding on port [::]:20002. Sending cookies. Oops: general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037] CPU: 3 UID: 0 PID: 12262 Comm: syz.1.2611 Not tainted 6.14.0 #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 RIP: 0010:read_pnet include/net/net_namespace.h:406 [inline] RIP: 0010:sock_net include/net/sock.h:655 [inline] RIP: 0010:sock_kmalloc+0x35/0x170 net/core/sock.c:2806 Code: 89 d5 41 54 55 89 f5 53 48 89 fb e8 25 e3 c6 fd e8 f0 91 e3 00 48 8d 7b 30 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 26 01 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b RSP: 0018:ffff88811af89038 EFLAGS: 00010216 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffff888105266400 RDX: 0000000000000006 RSI: ffff88800c890000 RDI: 0000000000000030 RBP: 0000000000000050 R08: 0000000000000000 R09: ffff88810526640e R10: ffffed1020a4cc81 R11: ffff88810526640f R12: 0000000000000000 R13: 0000000000000820 R14: ffff888105266400 R15: 0000000000000050 FS: 00007f0653a07640(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f863ba096f4 CR3: 00000000163c0005 CR4: 0000000000770ef0 PKRU: 80000000 Call Trace: <IRQ> ipv6_renew_options+0x279/0x950 net/ipv6/exthdrs.c:1288 calipso_req_setattr+0x181/0x340 net/ipv6/calipso.c:1204 calipso_req_setattr+0x56/0x80 net/netlabel/netlabel_calipso.c:597 netlbl_req_setattr+0x18a/0x440 net/netlabel/netlabel_kapi.c:1249 selinux_netlbl_inet_conn_request+0x1fb/0x320 security/selinux/netlabel.c:342 selinux_inet_conn_request+0x1eb/0x2c0 security/selinux/hooks.c:5551 security_inet_conn_request+0x50/0xa0 security/security.c:4945 tcp_v6_route_req+0x22c/0x550 net/ipv6/tcp_ipv6.c:825 tcp_conn_request+0xec8/0x2b70 net/ipv4/tcp_input.c:7275 tcp_v6_conn_request+0x1e3/0x440 net/ipv6/tcp_ipv6.c:1328 tcp_rcv_state_process+0xafa/0x52b0 net/ipv4/tcp_input.c:6781 tcp_v6_do_rcv+0x8a6/0x1a40 net/ipv6/tcp_ipv6.c:1667 tcp_v6_rcv+0x505e/0x5b50 net/ipv6/tcp_ipv6.c:1904 ip6_protocol_deliver_rcu+0x17c/0x1da0 net/ipv6/ip6_input.c:436 ip6_input_finish+0x103/0x180 net/ipv6/ip6_input.c:480 NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] ip6_input+0x13c/0x6b0 net/ipv6/ip6_input.c:491 dst_input include/net/dst.h:469 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline] ip6_rcv_finish+0xb6/0x490 net/ipv6/ip6_input.c:69 NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netf ---truncated--- | 2025-07-04 | not yet calculated | CVE-2025-38181 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: santizize the arguments from userspace when adding a device Sanity check the values for queue depth and number of queues we get from userspace when adding a device. | 2025-07-04 | not yet calculated | CVE-2025-38182 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() Before calling lan743x_ptp_io_event_clock_get(), the 'channel' value is checked against the maximum value of PCI11X1X_PTP_IO_MAX_CHANNELS(8). This seems correct and aligns with the PTP interrupt status register (PTP_INT_STS) specifications. However, lan743x_ptp_io_event_clock_get() writes to ptp->extts[] with only LAN743X_PTP_N_EXTTS(4) elements, using channel as an index: lan743x_ptp_io_event_clock_get(..., u8 channel,...) { ... /* Update Local timestamp */ extts = &ptp->extts[channel]; extts->ts.tv_sec = sec; ... } To avoid an out-of-bounds write and utilize all the supported GPIO inputs, set LAN743X_PTP_N_EXTTS to 8. Detected using the static analysis tool - Svace. | 2025-07-04 | not yet calculated | CVE-2025-38183 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer The reproduction steps: 1. create a tun interface 2. enable l2 bearer 3. TIPC_NL_UDP_GET_REMOTEIP with media name set to tun tipc: Started in network mode tipc: Node identity 8af312d38a21, cluster identity 4711 tipc: Enabled bearer <eth:syz_tun>, priority 1 Oops: general protection fault KASAN: null-ptr-deref in range CPU: 1 UID: 1000 PID: 559 Comm: poc Not tainted 6.16.0-rc1+ #117 PREEMPT Hardware name: QEMU Ubuntu 24.04 PC RIP: 0010:tipc_udp_nl_dump_remoteip+0x4a4/0x8f0 the ub was in fact a struct dev. when bid != 0 && skip_cnt != 0, bearer_list[bid] may be NULL or other media when other thread changes it. fix this by checking media_id. | 2025-07-04 | not yet calculated | CVE-2025-38184 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Free invalid length skb in atmtcp_c_send(). syzbot reported the splat below. [0] vcc_sendmsg() copies data passed from userspace to skb and passes it to vcc->dev->ops->send(). atmtcp_c_send() accesses skb->data as struct atmtcp_hdr after checking if skb->len is 0, but it's not enough. Also, when skb->len == 0, skb and sk (vcc) were leaked because dev_kfree_skb() is not called and sk_wmem_alloc adjustment is missing to revert atm_account_tx() in vcc_sendmsg(), which is expected to be done in atm_pop_raw(). Let's properly free skb with an invalid length in atmtcp_c_send(). [0]: BUG: KMSAN: uninit-value in atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294 atmtcp_c_send+0x255/0xed0 drivers/atm/atmtcp.c:294 vcc_sendmsg+0xd7c/0xff0 net/atm/common.c:644 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:727 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620 __sys_sendmsg net/socket.c:2652 [inline] __do_sys_sendmsg net/socket.c:2657 [inline] __se_sys_sendmsg net/socket.c:2655 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655 x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4154 [inline] slab_alloc_node mm/slub.c:4197 [inline] kmem_cache_alloc_node_noprof+0x818/0xf00 mm/slub.c:4249 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:579 __alloc_skb+0x347/0x7d0 net/core/skbuff.c:670 alloc_skb include/linux/skbuff.h:1336 [inline] vcc_sendmsg+0xb40/0xff0 net/atm/common.c:628 sock_sendmsg_nosec net/socket.c:712 [inline] __sock_sendmsg+0x330/0x3d0 net/socket.c:727 ____sys_sendmsg+0x7e0/0xd80 net/socket.c:2566 ___sys_sendmsg+0x271/0x3b0 net/socket.c:2620 __sys_sendmsg net/socket.c:2652 [inline] __do_sys_sendmsg net/socket.c:2657 [inline] __se_sys_sendmsg net/socket.c:2655 [inline] __x64_sys_sendmsg+0x211/0x3e0 net/socket.c:2655 x64_sys_call+0x32fb/0x3db0 arch/x86/include/generated/asm/syscalls_64.h:47 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd9/0x210 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 1 UID: 0 PID: 5798 Comm: syz-executor192 Not tainted 6.16.0-rc1-syzkaller-00010-g2c4a1f3fe03e #0 PREEMPT(undef) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 | 2025-07-04 | not yet calculated | CVE-2025-38185 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start() Before the commit under the Fixes tag below, bnxt_ulp_stop() and bnxt_ulp_start() were always invoked in pairs. After that commit, the new bnxt_ulp_restart() can be invoked after bnxt_ulp_stop() has been called. This may result in the RoCE driver's aux driver .suspend() method being invoked twice. The 2nd bnxt_re_suspend() call will crash when it dereferences a NULL pointer: (NULL ib_device): Handle device suspend call BUG: kernel NULL pointer dereference, address: 0000000000000b78 PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 20 UID: 0 PID: 181 Comm: kworker/u96:5 Tainted: G S 6.15.0-rc1 #4 PREEMPT(voluntary) Tainted: [S]=CPU_OUT_OF_SPEC Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/17/2017 Workqueue: bnxt_pf_wq bnxt_sp_task [bnxt_en] RIP: 0010:bnxt_re_suspend+0x45/0x1f0 [bnxt_re] Code: 8b 05 a7 3c 5b f5 48 89 44 24 18 31 c0 49 8b 5c 24 08 4d 8b 2c 24 e8 ea 06 0a f4 48 c7 c6 04 60 52 c0 48 89 df e8 1b ce f9 ff <48> 8b 83 78 0b 00 00 48 8b 80 38 03 00 00 a8 40 0f 85 b5 00 00 00 RSP: 0018:ffffa2e84084fd88 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001 RDX: 0000000000000000 RSI: ffffffffb4b6b934 RDI: 00000000ffffffff RBP: ffffa1760954c9c0 R08: 0000000000000000 R09: c0000000ffffdfff R10: 0000000000000001 R11: ffffa2e84084fb50 R12: ffffa176031ef070 R13: ffffa17609775000 R14: ffffa17603adc180 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffffa17daa397000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000b78 CR3: 00000004aaa30003 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> bnxt_ulp_stop+0x69/0x90 [bnxt_en] bnxt_sp_task+0x678/0x920 [bnxt_en] ? __schedule+0x514/0xf50 process_scheduled_works+0x9d/0x400 worker_thread+0x11c/0x260 ? __pfx_worker_thread+0x10/0x10 kthread+0xfe/0x1e0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2b/0x40 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 Check the BNXT_EN_FLAG_ULP_STOPPED flag and do not proceed if the flag is already set. This will preserve the original symmetrical bnxt_ulp_stop() and bnxt_ulp_start(). Also, inside bnxt_ulp_start(), clear the BNXT_EN_FLAG_ULP_STOPPED flag after taking the mutex to avoid any race condition. And for symmetry, only proceed in bnxt_ulp_start() if the BNXT_EN_FLAG_ULP_STOPPED is set. | 2025-07-04 | not yet calculated | CVE-2025-38186 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() The RPC container is released after being passed to r535_gsp_rpc_send(). When sending the initial fragment of a large RPC and passing the caller's RPC container, the container will be freed prematurely. Subsequent attempts to send remaining fragments will therefore result in a use-after-free. Allocate a temporary RPC container for holding the initial fragment of a large RPC when sending. Free the caller's container when all fragments are successfully sent. [ Rebase onto Blackwell changes. - Danilo ] | 2025-07-04 | not yet calculated | CVE-2025-38187 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE Calling this packet is necessary when we switch contexts because there are various pieces of state used by userspace to synchronize between BR and BV that are persistent across submits and we need to make sure that they are in a "safe" state when switching contexts. Otherwise a userspace submission in one context could cause another context to function incorrectly and hang, effectively a denial of service (although without leaking data). This was missed during initial a7xx bringup. Patchwork: https://patchwork.freedesktop.org/patch/654924/ | 2025-07-04 | not yet calculated | CVE-2025-38188 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()` The following kernel Oops was recently reported by Mesa CI: [ 800.139824] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000588 [ 800.148619] Mem abort info: [ 800.151402] ESR = 0x0000000096000005 [ 800.155141] EC = 0x25: DABT (current EL), IL = 32 bits [ 800.160444] SET = 0, FnV = 0 [ 800.163488] EA = 0, S1PTW = 0 [ 800.166619] FSC = 0x05: level 1 translation fault [ 800.171487] Data abort info: [ 800.174357] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 800.179832] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 800.184873] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 800.190176] user pgtable: 4k pages, 39-bit VAs, pgdp=00000001014c2000 [ 800.196607] [0000000000000588] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000 [ 800.205305] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP [ 800.211564] Modules linked in: vc4 snd_soc_hdmi_codec drm_display_helper v3d cec gpu_sched drm_dma_helper drm_shmem_helper drm_kms_helper drm drm_panel_orientation_quirks snd_soc_core snd_compress snd_pcm_dmaengine snd_pcm i2c_brcmstb snd_timer snd backlight [ 800.234448] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.12.25+rpt-rpi-v8 #1 Debian 1:6.12.25-1+rpt1 [ 800.244182] Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT) [ 800.250005] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 800.256959] pc : v3d_job_update_stats+0x60/0x130 [v3d] [ 800.262112] lr : v3d_job_update_stats+0x48/0x130 [v3d] [ 800.267251] sp : ffffffc080003e60 [ 800.270555] x29: ffffffc080003e60 x28: ffffffd842784980 x27: 0224012000000000 [ 800.277687] x26: ffffffd84277f630 x25: ffffff81012fd800 x24: 0000000000000020 [ 800.284818] x23: ffffff8040238b08 x22: 0000000000000570 x21: 0000000000000158 [ 800.291948] x20: 0000000000000000 x19: ffffff8040238000 x18: 0000000000000000 [ 800.299078] x17: ffffffa8c1bd2000 x16: ffffffc080000000 x15: 0000000000000000 [ 800.306208] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 [ 800.313338] x11: 0000000000000040 x10: 0000000000001a40 x9 : ffffffd83b39757c [ 800.320468] x8 : ffffffd842786420 x7 : 7fffffffffffffff x6 : 0000000000ef32b0 [ 800.327598] x5 : 00ffffffffffffff x4 : 0000000000000015 x3 : ffffffd842784980 [ 800.334728] x2 : 0000000000000004 x1 : 0000000000010002 x0 : 000000ba4c0ca382 [ 800.341859] Call trace: [ 800.344294] v3d_job_update_stats+0x60/0x130 [v3d] [ 800.349086] v3d_irq+0x124/0x2e0 [v3d] [ 800.352835] __handle_irq_event_percpu+0x58/0x218 [ 800.357539] handle_irq_event+0x54/0xb8 [ 800.361369] handle_fasteoi_irq+0xac/0x240 [ 800.365458] handle_irq_desc+0x48/0x68 [ 800.369200] generic_handle_domain_irq+0x24/0x38 [ 800.373810] gic_handle_irq+0x48/0xd8 [ 800.377464] call_on_irq_stack+0x24/0x58 [ 800.381379] do_interrupt_handler+0x88/0x98 [ 800.385554] el1_interrupt+0x34/0x68 [ 800.389123] el1h_64_irq_handler+0x18/0x28 [ 800.393211] el1h_64_irq+0x64/0x68 [ 800.396603] default_idle_call+0x3c/0x168 [ 800.400606] do_idle+0x1fc/0x230 [ 800.403827] cpu_startup_entry+0x40/0x50 [ 800.407742] rest_init+0xe4/0xf0 [ 800.410962] start_kernel+0x5e8/0x790 [ 800.414616] __primary_switched+0x80/0x90 [ 800.418622] Code: 8b170277 8b160296 11000421 b9000861 (b9401ac1) [ 800.424707] ---[ end trace 0000000000000000 ]--- [ 800.457313] ---[ end Kernel panic - not syncing: Oops: Fatal exception in interrupt ]--- This issue happens when the file descriptor is closed before the jobs submitted by it are completed. When the job completes, we update the global GPU stats and the per-fd GPU stats, which are exposed through fdinfo. If the file descriptor was closed, then the struct `v3d_file_priv` and its stats were already freed and we can't update the per-fd stats. Therefore, if the file descriptor was already closed, don't u ---truncated--- | 2025-07-04 | not yet calculated | CVE-2025-38189 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: atm: Revert atm_account_tx() if copy_from_iter_full() fails. In vcc_sendmsg(), we account skb->truesize to sk->sk_wmem_alloc by atm_account_tx(). It is expected to be reverted by atm_pop_raw() later called by vcc->dev->ops->send(vcc, skb). However, vcc_sendmsg() misses the same revert when copy_from_iter_full() fails, and then we will leak a socket. Let's factorise the revert part as atm_return_tx() and call it in the failure path. Note that the corresponding sk_wmem_alloc operation can be found in alloc_tx() as of the blamed commit. $ git blame -L:alloc_tx net/atm/common.c c55fa3cccbc2c~ | 2025-07-04 | not yet calculated | CVE-2025-38190 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference in destroy_previous_session If client set ->PreviousSessionId on kerberos session setup stage, NULL pointer dereference error will happen. Since sess->user is not set yet, It can pass the user argument as NULL to destroy_previous_session. sess->user will be set in ksmbd_krb5_authenticate(). So this patch move calling destroy_previous_session() after ksmbd_krb5_authenticate(). | 2025-07-04 | not yet calculated | CVE-2025-38191 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: clear the dst when changing skb protocol A not-so-careful NAT46 BPF program can crash the kernel if it indiscriminately flips ingress packets from v4 to v6: BUG: kernel NULL pointer dereference, address: 0000000000000000 ip6_rcv_core (net/ipv6/ip6_input.c:190:20) ipv6_rcv (net/ipv6/ip6_input.c:306:8) process_backlog (net/core/dev.c:6186:4) napi_poll (net/core/dev.c:6906:9) net_rx_action (net/core/dev.c:7028:13) do_softirq (kernel/softirq.c:462:3) netif_rx (net/core/dev.c:5326:3) dev_loopback_xmit (net/core/dev.c:4015:2) ip_mc_finish_output (net/ipv4/ip_output.c:363:8) NF_HOOK (./include/linux/netfilter.h:314:9) ip_mc_output (net/ipv4/ip_output.c:400:5) dst_output (./include/net/dst.h:459:9) ip_local_out (net/ipv4/ip_output.c:130:9) ip_send_skb (net/ipv4/ip_output.c:1496:8) udp_send_skb (net/ipv4/udp.c:1040:8) udp_sendmsg (net/ipv4/udp.c:1328:10) The output interface has a 4->6 program attached at ingress. We try to loop the multicast skb back to the sending socket. Ingress BPF runs as part of netif_rx(), pushes a valid v6 hdr and changes skb->protocol to v6. We enter ip6_rcv_core which tries to use skb_dst(). But the dst is still an IPv4 one left after IPv4 mcast output. Clear the dst in all BPF helpers which change the protocol. Try to preserve metadata dsts, those may carry non-routing metadata. | 2025-07-04 | not yet calculated | CVE-2025-38192 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: reject invalid perturb period Gerrard Tai reported that SFQ perturb_period has no range check yet, and this can be used to trigger a race condition fixed in a separate patch. We want to make sure ctl->perturb_period * HZ will not overflow and is positive. tc qd add dev lo root sfq perturb -10 # negative value : error Error: sch_sfq: invalid perturb period. tc qd add dev lo root sfq perturb 1000000000 # too big : error Error: sch_sfq: invalid perturb period. tc qd add dev lo root sfq perturb 2000000 # acceptable value tc -s -d qd sh dev lo qdisc sfq 8005: root refcnt 2 limit 127p quantum 64Kb depth 127 flows 128 divisor 1024 perturb 2000000sec Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0 | 2025-07-04 | not yet calculated | CVE-2025-38193 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jffs2: check that raw node were preallocated before writing summary Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by fault injection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn't check return value of jffs2_prealloc_raw_node_refs and simply lets any error propagate into jffs2_sum_write_data, which eventually calls jffs2_link_node_ref in order to link the summary to an expectedly allocated node. kernel BUG at fs/jffs2/nodelist.c:592! invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 1 PID: 31277 Comm: syz-executor.7 Not tainted 6.1.128-syzkaller-00139-ge10f83ca10a1 #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:jffs2_link_node_ref+0x570/0x690 fs/jffs2/nodelist.c:592 Call Trace: <TASK> jffs2_sum_write_data fs/jffs2/summary.c:841 [inline] jffs2_sum_write_sumnode+0xd1a/0x1da0 fs/jffs2/summary.c:874 jffs2_do_reserve_space+0xa18/0xd60 fs/jffs2/nodemgmt.c:388 jffs2_reserve_space+0x55f/0xaa0 fs/jffs2/nodemgmt.c:197 jffs2_write_inode_range+0x246/0xb50 fs/jffs2/write.c:362 jffs2_write_end+0x726/0x15d0 fs/jffs2/file.c:301 generic_perform_write+0x314/0x5d0 mm/filemap.c:3856 __generic_file_write_iter+0x2ae/0x4d0 mm/filemap.c:3973 generic_file_write_iter+0xe3/0x350 mm/filemap.c:4005 call_write_iter include/linux/fs.h:2265 [inline] do_iter_readv_writev+0x20f/0x3c0 fs/read_write.c:735 do_iter_write+0x186/0x710 fs/read_write.c:861 vfs_iter_write+0x70/0xa0 fs/read_write.c:902 iter_file_splice_write+0x73b/0xc90 fs/splice.c:685 do_splice_from fs/splice.c:763 [inline] direct_splice_actor+0x10c/0x170 fs/splice.c:950 splice_direct_to_actor+0x337/0xa10 fs/splice.c:896 do_splice_direct+0x1a9/0x280 fs/splice.c:1002 do_sendfile+0xb13/0x12c0 fs/read_write.c:1255 __do_sys_sendfile64 fs/read_write.c:1323 [inline] __se_sys_sendfile64 fs/read_write.c:1309 [inline] __x64_sys_sendfile64+0x1cf/0x210 fs/read_write.c:1309 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x6e/0xd8 Fix this issue by checking return value of jffs2_prealloc_raw_node_refs before calling jffs2_sum_write_data. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-07-04 | not yet calculated | CVE-2025-38194 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: Fix panic caused by NULL-PMD in huge_pte_offset() ERROR INFO: CPU 25 Unable to handle kernel paging request at virtual address 0x0 ... Call Trace: [<900000000023c30c>] huge_pte_offset+0x3c/0x58 [<900000000057fd4c>] hugetlb_follow_page_mask+0x74/0x438 [<900000000051fee8>] __get_user_pages+0xe0/0x4c8 [<9000000000522414>] faultin_page_range+0x84/0x380 [<9000000000564e8c>] madvise_vma_behavior+0x534/0xa48 [<900000000056689c>] do_madvise+0x1bc/0x3e8 [<9000000000566df4>] sys_madvise+0x24/0x38 [<90000000015b9e88>] do_syscall+0x78/0x98 [<9000000000221f18>] handle_syscall+0xb8/0x158 In some cases, pmd may be NULL and rely on NULL as the return value for processing, so it is necessary to determine this situation here. | 2025-07-04 | not yet calculated | CVE-2025-38195 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: validate buffer count with offset for cloning syzbot reports that it can trigger a WARN_ON() for kmalloc() attempt that's too big: WARNING: CPU: 0 PID: 6488 at mm/slub.c:5024 __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 Modules linked in: CPU: 0 UID: 0 PID: 6488 Comm: syz-executor312 Not tainted 6.15.0-rc7-syzkaller-gd7fa1af5b33e #0 PREEMPT Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 lr : __do_kmalloc_node mm/slub.c:-1 [inline] lr : __kvmalloc_node_noprof+0x3b4/0x640 mm/slub.c:5012 sp : ffff80009cfd7a90 x29: ffff80009cfd7ac0 x28: ffff0000dd52a120 x27: 0000000000412dc0 x26: 0000000000000178 x25: ffff7000139faf70 x24: 0000000000000000 x23: ffff800082f4cea8 x22: 00000000ffffffff x21: 000000010cd004a8 x20: ffff0000d75816c0 x19: ffff0000dd52a000 x18: 00000000ffffffff x17: ffff800092f39000 x16: ffff80008adbe9e4 x15: 0000000000000005 x14: 1ffff000139faf1c x13: 0000000000000000 x12: 0000000000000000 x11: ffff7000139faf21 x10: 0000000000000003 x9 : ffff80008f27b938 x8 : 0000000000000002 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 00000000ffffffff x4 : 0000000000400dc0 x3 : 0000000200000000 x2 : 000000010cd004a8 x1 : ffff80008b3ebc40 x0 : 0000000000000001 Call trace: __kvmalloc_node_noprof+0x520/0x640 mm/slub.c:5024 (P) kvmalloc_array_node_noprof include/linux/slab.h:1065 [inline] io_rsrc_data_alloc io_uring/rsrc.c:206 [inline] io_clone_buffers io_uring/rsrc.c:1178 [inline] io_register_clone_buffers+0x484/0xa14 io_uring/rsrc.c:1287 __io_uring_register io_uring/register.c:815 [inline] __do_sys_io_uring_register io_uring/register.c:926 [inline] __se_sys_io_uring_register io_uring/register.c:903 [inline] __arm64_sys_io_uring_register+0x42c/0xea8 io_uring/register.c:903 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x58/0x17c arch/arm64/kernel/entry-common.c:767 el0t_64_sync_handler+0x78/0x108 arch/arm64/kernel/entry-common.c:786 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 which is due to offset + buffer_count being too large. The registration code checks only the total count of buffers, but given that the indexing is an array, it should also check offset + count. That can't exceed IORING_MAX_REG_BUFFERS either, as there's no way to reach buffers beyond that limit. There's no issue with registrering a table this large, outside of the fact that it's pointless to register buffers that cannot be reached, and that it can trigger this kmalloc() warning for attempting an allocation that is too large. | 2025-07-04 | not yet calculated | CVE-2025-38196 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell_rbu: Fix list usage Pass the correct list head to list_for_each_entry*() when looping through the packet list. Without this patch, reading the packet data via sysfs will show the data incorrectly (because it starts at the wrong packet), and clearing the packet list will result in a NULL pointer dereference. | 2025-07-04 | not yet calculated | CVE-2025-38197 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbcon: Make sure modelist not set on unregistered console It looks like attempting to write to the "store_modes" sysfs node will run afoul of unregistered consoles: UBSAN: array-index-out-of-bounds in drivers/video/fbdev/core/fbcon.c:122:28 index -1 is out of range for type 'fb_info *[32]' ... fbcon_info_from_console+0x192/0x1a0 drivers/video/fbdev/core/fbcon.c:122 fbcon_new_modelist+0xbf/0x2d0 drivers/video/fbdev/core/fbcon.c:3048 fb_new_modelist+0x328/0x440 drivers/video/fbdev/core/fbmem.c:673 store_modes+0x1c9/0x3e0 drivers/video/fbdev/core/fbsysfs.c:113 dev_attr_store+0x55/0x80 drivers/base/core.c:2439 static struct fb_info *fbcon_registered_fb[FB_MAX]; ... static signed char con2fb_map[MAX_NR_CONSOLES]; ... static struct fb_info *fbcon_info_from_console(int console) ... return fbcon_registered_fb[con2fb_map[console]]; If con2fb_map contains a -1 things go wrong here. Instead, return NULL, as callers of fbcon_info_from_console() are trying to compare against existing "info" pointers, so error handling should kick in correctly. | 2025-07-04 | not yet calculated | CVE-2025-38198 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix memory leak due to multiple rx_stats allocation rx_stats for each arsta is allocated when adding a station. arsta->rx_stats will be freed when a station is removed. Redundant allocations are occurring when the same station is added multiple times. This causes ath12k_mac_station_add() to be called multiple times, and rx_stats is allocated each time. As a result there is memory leaks. Prevent multiple allocations of rx_stats when ath12k_mac_station_add() is called repeatedly by checking if rx_stats is already allocated before allocating again. Allocate arsta->rx_stats if arsta->rx_stats is NULL respectively. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 | 2025-07-04 | not yet calculated | CVE-2025-38199 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to an invalid page in i40e_clear_hw When the device sends a specific input, an integer underflow can occur, leading to MMIO write access to an invalid page. Prevent the integer underflow by changing the type of related variables. | 2025-07-04 | not yet calculated | CVE-2025-38200 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof() when resizing hashtable because __GFP_NOWARN is unset. Similar to: b541ba7d1f5a ("netfilter: conntrack: clamp maximum hashtable size to INT_MAX") | 2025-07-04 | not yet calculated | CVE-2025-38201 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() bpf_map_lookup_percpu_elem() helper is also available for sleepable bpf program. When BPF JIT is disabled or under 32-bit host, bpf_map_lookup_percpu_elem() will not be inlined. Using it in a sleepable bpf program will trigger the warning in bpf_map_lookup_percpu_elem(), because the bpf program only holds rcu_read_lock_trace lock. Therefore, add the missed check. | 2025-07-04 | not yet calculated | CVE-2025-38202 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jfs: Fix null-ptr-deref in jfs_ioc_trim [ Syzkaller Report ] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000087: 0000 [#1 KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f] CPU: 2 UID: 0 PID: 10614 Comm: syz-executor.0 Not tainted 6.13.0-rc6-gfbfd64d25c7a-dirty #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Sched_ext: serialise (enabled+all), task: runnable_at=-30ms RIP: 0010:jfs_ioc_trim+0x34b/0x8f0 Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93 90 82 fe ff 4c 89 ff 31 f6 RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206 RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001 RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000 R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438 FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ? __die_body+0x61/0xb0 ? die_addr+0xb1/0xe0 ? exc_general_protection+0x333/0x510 ? asm_exc_general_protection+0x26/0x30 ? jfs_ioc_trim+0x34b/0x8f0 jfs_ioctl+0x3c8/0x4f0 ? __pfx_jfs_ioctl+0x10/0x10 ? __pfx_jfs_ioctl+0x10/0x10 __se_sys_ioctl+0x269/0x350 ? __pfx___se_sys_ioctl+0x10/0x10 ? do_syscall_64+0xfb/0x210 do_syscall_64+0xee/0x210 ? syscall_exit_to_user_mode+0x1e0/0x330 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fe51f4903ad Code: c3 e8 a7 2b 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d RSP: 002b:00007fe5202250c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007fe51f5cbf80 RCX: 00007fe51f4903ad RDX: 0000000020000680 RSI: 00000000c0185879 RDI: 0000000000000005 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe520225640 R13: 000000000000000e R14: 00007fe51f44fca0 R15: 00007fe52021d000 </TASK> Modules linked in: ---[ end trace 0000000000000000 ]--- RIP: 0010:jfs_ioc_trim+0x34b/0x8f0 Code: e7 e8 59 a4 87 fe 4d 8b 24 24 4d 8d bc 24 38 04 00 00 48 8d 93 90 82 fe ff 4c 89 ff 31 f6 RSP: 0018:ffffc900055f7cd0 EFLAGS: 00010206 RAX: 0000000000000087 RBX: 00005866a9e67ff8 RCX: 000000000000000a RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000000001 RBP: dffffc0000000000 R08: ffff88807c180003 R09: 1ffff1100f830000 R10: dffffc0000000000 R11: ffffed100f830001 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000438 FS: 00007fe520225640(0000) GS:ffff8880b7e80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00005593c91b2c88 CR3: 000000014927c000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Kernel panic - not syncing: Fatal exception [ Analysis ] We believe that we have found a concurrency bug in the `fs/jfs` module that results in a null pointer dereference. There is a closely related issue which has been fixed: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234 ... but, unfortunately, the accepted patch appears to still be susceptible to a null pointer dereference under some interleavings. To trigger the bug, we think that `JFS_SBI(ipbmap->i_sb)->bmap` is set to NULL in `dbFreeBits` and then dereferenced in `jfs_ioc_trim`. This bug manifests quite rarely under normal circumstances, but is triggereable from a syz-program. | 2025-07-04 | not yet calculated | CVE-2025-38203 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jfs: fix array-index-out-of-bounds read in add_missing_indices stbl is s8 but it must contain offsets into slot which can go from 0 to 127. Added a bound check for that error and return -EIO if the check fails. Also make jfs_readdir return with error if add_missing_indices returns with an error. | 2025-07-04 | not yet calculated | CVE-2025-38204 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 [Why] If the dummy values in `populate_dummy_dml_surface_cfg()` aren't updated then they can lead to a divide by zero in downstream callers like CalculateVMAndRowBytes() [How] Initialize dummy value to a value to avoid divide by zero. | 2025-07-04 | not yet calculated | CVE-2025-38205 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: exfat: fix double free in delayed_free The double free could happen in the following path. exfat_create_upcase_table() exfat_create_upcase_table() : return error exfat_free_upcase_table() : free ->vol_utbl exfat_load_default_upcase_table : return error exfat_kill_sb() delayed_free() exfat_free_upcase_table() <--------- double free This patch set ->vol_util as NULL after freeing it. | 2025-07-04 | not yet calculated | CVE-2025-38206 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm: fix uprobe pte be overwritten when expanding vma Patch series "Fix uprobe pte be overwritten when expanding vma". This patch (of 4): We encountered a BUG alert triggered by Syzkaller as follows: BUG: Bad rss-counter state mm:00000000b4a60fca type:MM_ANONPAGES val:1 And we can reproduce it with the following steps: 1. register uprobe on file at zero offset 2. mmap the file at zero offset: addr1 = mmap(NULL, 2 * 4096, PROT_NONE, MAP_PRIVATE, fd, 0); 3. mremap part of vma1 to new vma2: addr2 = mremap(addr1, 4096, 2 * 4096, MREMAP_MAYMOVE); 4. mremap back to orig addr1: mremap(addr2, 4096, 4096, MREMAP_MAYMOVE | MREMAP_FIXED, addr1); In step 3, the vma1 range [addr1, addr1 + 4096] will be remap to new vma2 with range [addr2, addr2 + 8192], and remap uprobe anon page from the vma1 to vma2, then unmap the vma1 range [addr1, addr1 + 4096]. In step 4, the vma2 range [addr2, addr2 + 4096] will be remap back to the addr range [addr1, addr1 + 4096]. Since the addr range [addr1 + 4096, addr1 + 8192] still maps the file, it will take vma_merge_new_range to expand the range, and then do uprobe_mmap in vma_complete. Since the merged vma pgoff is also zero offset, it will install uprobe anon page to the merged vma. However, the upcomming move_page_tables step, which use set_pte_at to remap the vma2 uprobe pte to the merged vma, will overwrite the newly uprobe pte in the merged vma, and lead that pte to be orphan. Since the uprobe pte will be remapped to the merged vma, we can remove the unnecessary uprobe_mmap upon merged vma. This problem was first found in linux-6.6.y and also exists in the community syzkaller: https://lore.kernel.org/all/000000000000ada39605a5e71711@google.com/T/ | 2025-07-04 | not yet calculated | CVE-2025-38207 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: smb: client: add NULL check in automount_fullpath page is checked for null in __build_path_from_dentry_optional_prefix when tcon->origin_fullpath is not set. However, the check is missing when it is set. Add a check to prevent a potential NULL pointer dereference. | 2025-07-04 | not yet calculated | CVE-2025-38208 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: remove tag set when second admin queue config fails Commit 104d0e2f6222 ("nvme-fabrics: reset admin connection for secure concatenation") modified nvme_tcp_setup_ctrl() to call nvme_tcp_configure_admin_queue() twice. The first call prepares for DH-CHAP negotitation, and the second call is required for secure concatenation. However, this change triggered BUG KASAN slab-use-after- free in blk_mq_queue_tag_busy_iter(). This BUG can be recreated by repeating the blktests test case nvme/063 a few times [1]. When the BUG happens, nvme_tcp_create_ctrl() fails in the call chain below: nvme_tcp_create_ctrl() nvme_tcp_alloc_ctrl() new=true ... Alloc nvme_tcp_ctrl and admin_tag_set nvme_tcp_setup_ctrl() new=true nvme_tcp_configure_admin_queue() new=true ... Succeed nvme_alloc_admin_tag_set() ... Alloc the tag set for admin_tag_set nvme_stop_keep_alive() nvme_tcp_teardown_admin_queue() remove=false nvme_tcp_configure_admin_queue() new=false nvme_tcp_alloc_admin_queue() ... Fail, but do not call nvme_remove_admin_tag_set() nvme_uninit_ctrl() nvme_put_ctrl() ... Free up the nvme_tcp_ctrl and admin_tag_set The first call of nvme_tcp_configure_admin_queue() succeeds with new=true argument. The second call fails with new=false argument. This second call does not call nvme_remove_admin_tag_set() on failure, due to the new=false argument. Then the admin tag set is not removed. However, nvme_tcp_create_ctrl() assumes that nvme_tcp_setup_ctrl() would call nvme_remove_admin_tag_set(). Then it frees up struct nvme_tcp_ctrl which has admin_tag_set field. Later on, the timeout handler accesses the admin_tag_set field and causes the BUG KASAN slab-use-after-free. To not leave the admin tag set, call nvme_remove_admin_tag_set() when the second nvme_tcp_configure_admin_queue() call fails. Do not return from nvme_tcp_setup_ctrl() on failure. Instead, jump to "destroy_admin" go-to label to call nvme_tcp_teardown_admin_queue() which calls nvme_remove_admin_tag_set(). | 2025-07-04 | not yet calculated | CVE-2025-38209 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: configfs-tsm-report: Fix NULL dereference of tsm_ops Unlike sysfs, the lifetime of configfs objects is controlled by userspace. There is no mechanism for the kernel to find and delete all created config-items. Instead, the configfs-tsm-report mechanism has an expectation that tsm_unregister() can happen at any time and cause established config-item access to start failing. That expectation is not fully satisfied. While tsm_report_read(), tsm_report_{is,is_bin}_visible(), and tsm_report_make_item() safely fail if tsm_ops have been unregistered, tsm_report_privlevel_store() tsm_report_provider_show() fail to check for ops registration. Add the missing checks for tsm_ops having been removed. Now, in supporting the ability for tsm_unregister() to always succeed, it leaves the problem of what to do with lingering config-items. The expectation is that the admin that arranges for the ->remove() (unbind) of the ${tsm_arch}-guest driver is also responsible for deletion of all open config-items. Until that deletion happens, ->probe() (reload / bind) of the ${tsm_arch}-guest driver fails. This allows for emergency shutdown / revocation of attestation interfaces, and requires coordinated restart. | 2025-07-04 | not yet calculated | CVE-2025-38210 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the last deref") simplified cm_id resource management by freeing cm_id once all references to the cm_id were removed. The references are removed either upon completion of iw_cm event handlers or when the application destroys the cm_id. This commit introduced the use-after-free condition where cm_id_private object could still be in use by event handler works during the destruction of cm_id. The commit aee2424246f9 ("RDMA/iwcm: Fix a use-after-free related to destroying CM IDs") addressed this use-after- free by flushing all pending works at the cm_id destruction. However, still another use-after-free possibility remained. It happens with the work objects allocated for each cm_id_priv within alloc_work_entries() during cm_id creation, and subsequently freed in dealloc_work_entries() once all references to the cm_id are removed. If the cm_id's last reference is decremented in the event handler work, the work object for the work itself gets removed, and causes the use- after-free BUG below: BUG: KASAN: slab-use-after-free in __pwq_activate_work+0x1ff/0x250 Read of size 8 at addr ffff88811f9cf800 by task kworker/u16:1/147091 CPU: 2 UID: 0 PID: 147091 Comm: kworker/u16:1 Not tainted 6.15.0-rc2+ #27 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-3.fc41 04/01/2014 Workqueue: 0x0 (iw_cm_wq) Call Trace: <TASK> dump_stack_lvl+0x6a/0x90 print_report+0x174/0x554 ? __virt_addr_valid+0x208/0x430 ? __pwq_activate_work+0x1ff/0x250 kasan_report+0xae/0x170 ? __pwq_activate_work+0x1ff/0x250 __pwq_activate_work+0x1ff/0x250 pwq_dec_nr_in_flight+0x8c5/0xfb0 process_one_work+0xc11/0x1460 ? __pfx_process_one_work+0x10/0x10 ? assign_work+0x16c/0x240 worker_thread+0x5ef/0xfd0 ? __pfx_worker_thread+0x10/0x10 kthread+0x3b0/0x770 ? __pfx_kthread+0x10/0x10 ? rcu_is_watching+0x11/0xb0 ? _raw_spin_unlock_irq+0x24/0x50 ? rcu_is_watching+0x11/0xb0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x30/0x70 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 147416: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 __kasan_kmalloc+0xa6/0xb0 alloc_work_entries+0xa9/0x260 [iw_cm] iw_cm_connect+0x23/0x4a0 [iw_cm] rdma_connect_locked+0xbfd/0x1920 [rdma_cm] nvme_rdma_cm_handler+0x8e5/0x1b60 [nvme_rdma] cma_cm_event_handler+0xae/0x320 [rdma_cm] cma_work_handler+0x106/0x1b0 [rdma_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Freed by task 147091: kasan_save_stack+0x2c/0x50 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kfree+0x13a/0x4b0 dealloc_work_entries+0x125/0x1f0 [iw_cm] iwcm_deref_id+0x6f/0xa0 [iw_cm] cm_work_handler+0x136/0x1ba0 [iw_cm] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 Last potentially related work creation: kasan_save_stack+0x2c/0x50 kasan_record_aux_stack+0xa3/0xb0 __queue_work+0x2ff/0x1390 queue_work_on+0x67/0xc0 cm_event_handler+0x46a/0x820 [iw_cm] siw_cm_upcall+0x330/0x650 [siw] siw_cm_work_handler+0x6b9/0x2b20 [siw] process_one_work+0x84f/0x1460 worker_thread+0x5ef/0xfd0 kthread+0x3b0/0x770 ret_from_fork+0x30/0x70 ret_from_fork_asm+0x1a/0x30 This BUG is reproducible by repeating the blktests test case nvme/061 for the rdma transport and the siw driver. To avoid the use-after-free of cm_id_private work objects, ensure that the last reference to the cm_id is decremented not in the event handler works, but in the cm_id destruction context. For that purpose, mo ---truncated--- | 2025-07-04 | not yet calculated | CVE-2025-38211 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookups using RCU syzbot reported that it discovered a use-after-free vulnerability, [0] [0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/ idr_for_each() is protected by rwsem, but this is not enough. If it is not protected by RCU read-critical region, when idr_for_each() calls radix_tree_node_free() through call_rcu() to free the radix_tree_node structure, the node will be freed immediately, and when reading the next node in radix_tree_for_each_slot(), the already freed memory may be read. Therefore, we need to add code to make sure that idr_for_each() is protected within the RCU read-critical region when we call it in shm_destroy_orphaned(). | 2025-07-04 | not yet calculated | CVE-2025-38212 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: vgacon: Add check for vc_origin address range in vgacon_scroll() Our in-house Syzkaller reported the following BUG (twice), which we believed was the same issue with [1]: ================================================================== BUG: KASAN: slab-out-of-bounds in vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740 Read of size 2 at addr ffff88800f5bef60 by task syz.7.2620/12393 ... Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x72/0xa0 lib/dump_stack.c:106 print_address_description.constprop.0+0x6b/0x3d0 mm/kasan/report.c:364 print_report+0xba/0x280 mm/kasan/report.c:475 kasan_report+0xa9/0xe0 mm/kasan/report.c:588 vcs_scr_readw+0xc2/0xd0 drivers/tty/vt/vt.c:4740 vcs_write_buf_noattr drivers/tty/vt/vc_screen.c:493 [inline] vcs_write+0x586/0x840 drivers/tty/vt/vc_screen.c:690 vfs_write+0x219/0x960 fs/read_write.c:584 ksys_write+0x12e/0x260 fs/read_write.c:639 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 ... </TASK> Allocated by task 5614: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383 kasan_kmalloc include/linux/kasan.h:201 [inline] __do_kmalloc_node mm/slab_common.c:1007 [inline] __kmalloc+0x62/0x140 mm/slab_common.c:1020 kmalloc include/linux/slab.h:604 [inline] kzalloc include/linux/slab.h:721 [inline] vc_do_resize+0x235/0xf40 drivers/tty/vt/vt.c:1193 vgacon_adjust_height+0x2d4/0x350 drivers/video/console/vgacon.c:1007 vgacon_font_set+0x1f7/0x240 drivers/video/console/vgacon.c:1031 con_font_set drivers/tty/vt/vt.c:4628 [inline] con_font_op+0x4da/0xa20 drivers/tty/vt/vt.c:4675 vt_k_ioctl+0xa10/0xb30 drivers/tty/vt/vt_ioctl.c:474 vt_ioctl+0x14c/0x1870 drivers/tty/vt/vt_ioctl.c:752 tty_ioctl+0x655/0x1510 drivers/tty/tty_io.c:2779 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:871 [inline] __se_sys_ioctl+0x12d/0x190 fs/ioctl.c:857 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Last potentially related work creation: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 __kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492 __call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713 netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802 __sock_release+0xb5/0x270 net/socket.c:663 sock_close+0x1e/0x30 net/socket.c:1425 __fput+0x408/0xab0 fs/file_table.c:384 __fput_sync+0x4c/0x60 fs/file_table.c:465 __do_sys_close fs/open.c:1580 [inline] __se_sys_close+0x68/0xd0 fs/open.c:1565 do_syscall_x64 arch/x86/entry/common.c:51 [inline] do_syscall_64+0x59/0x110 arch/x86/entry/common.c:81 entry_SYSCALL_64_after_hwframe+0x78/0xe2 Second to last potentially related work creation: kasan_save_stack+0x20/0x40 mm/kasan/common.c:45 __kasan_record_aux_stack+0x94/0xa0 mm/kasan/generic.c:492 __call_rcu_common.constprop.0+0xc3/0xa10 kernel/rcu/tree.c:2713 netlink_release+0x620/0xc20 net/netlink/af_netlink.c:802 __sock_release+0xb5/0x270 net/socket.c:663 sock_close+0x1e/0x30 net/socket.c:1425 __fput+0x408/0xab0 fs/file_table.c:384 task_work_run+0x154/0x240 kernel/task_work.c:239 exit_task_work include/linux/task_work.h:45 [inline] do_exit+0x8e5/0x1320 kernel/exit.c:874 do_group_exit+0xcd/0x280 kernel/exit.c:1023 get_signal+0x1675/0x1850 kernel/signal.c:2905 arch_do_signal_or_restart+0x80/0x3b0 arch/x86/kernel/signal.c:310 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x1b3/0x1e0 kernel/entry/common.c:218 do_syscall_64+0x66/0x110 arch/x86/ent ---truncated--- | 2025-07-04 | not yet calculated | CVE-2025-38213 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in fb_set_var() fails to allocate memory for fb_videomode, later it may lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the mode in modelist that is expected to be there, i.e. the one that is described in fb_info->var. ================================================================ general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901 Call Trace: display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929 fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071 resize_screen drivers/tty/vt/vt.c:1176 [inline] vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263 fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720 fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776 do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 ================================================================ The reason is that fb_info->var is being modified in fb_set_var(), and then fb_videomode_to_var() is called. If it fails to add the mode to fb_info->modelist, fb_set_var() returns error, but does not restore the old value of fb_info->var. Restore fb_info->var on failure the same way it is done earlier in the function. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-07-04 | not yet calculated | CVE-2025-38214 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in do_register_framebuffer() fails to allocate memory for fb_videomode, it will later lead to a null-ptr dereference in fb_videomode_to_var(), as the fb_info is registered while not having the mode in modelist that is expected to be there, i.e. the one that is described in fb_info->var. ================================================================ general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 30371 Comm: syz-executor.1 Not tainted 5.10.226-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 RIP: 0010:fb_videomode_to_var+0x24/0x610 drivers/video/fbdev/core/modedb.c:901 Call Trace: display_to_var+0x3a/0x7c0 drivers/video/fbdev/core/fbcon.c:929 fbcon_resize+0x3e2/0x8f0 drivers/video/fbdev/core/fbcon.c:2071 resize_screen drivers/tty/vt/vt.c:1176 [inline] vc_do_resize+0x53a/0x1170 drivers/tty/vt/vt.c:1263 fbcon_modechanged+0x3ac/0x6e0 drivers/video/fbdev/core/fbcon.c:2720 fbcon_update_vcs+0x43/0x60 drivers/video/fbdev/core/fbcon.c:2776 do_fb_ioctl+0x6d2/0x740 drivers/video/fbdev/core/fbmem.c:1128 fb_ioctl+0xe7/0x150 drivers/video/fbdev/core/fbmem.c:1203 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:739 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 ================================================================ Even though fbcon_init() checks beforehand if fb_match_mode() in var_to_display() fails, it can not prevent the panic because fbcon_init() does not return error code. Considering this and the comment in the code about fb_match_mode() returning NULL - "This should not happen" - it is better to prevent registering the fb_info if its mode was not set successfully. Also move fb_add_videomode() closer to the beginning of do_register_framebuffer() to avoid having to do the cleanup on fail. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-07-04 | not yet calculated | CVE-2025-38215 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Restore context entry setup order for aliased devices Commit 2031c469f816 ("iommu/vt-d: Add support for static identity domain") changed the context entry setup during domain attachment from a set-and-check policy to a clear-and-reset approach. This inadvertently introduced a regression affecting PCI aliased devices behind PCIe-to-PCI bridges. Specifically, keyboard and touchpad stopped working on several Apple Macbooks with below messages: kernel: platform pxa2xx-spi.3: Adding to iommu group 20 kernel: input: Apple SPI Keyboard as /devices/pci0000:00/0000:00:1e.3/pxa2xx-spi.3/spi_master/spi2/spi-APP000D:00/input/input0 kernel: DMAR: DRHD: handling fault status reg 3 kernel: DMAR: [DMA Read NO_PASID] Request device [00:1e.3] fault addr 0xffffa000 [fault reason 0x06] PTE Read access is not set kernel: DMAR: DRHD: handling fault status reg 3 kernel: DMAR: [DMA Read NO_PASID] Request device [00:1e.3] fault addr 0xffffa000 [fault reason 0x06] PTE Read access is not set kernel: applespi spi-APP000D:00: Error writing to device: 01 0e 00 00 kernel: DMAR: DRHD: handling fault status reg 3 kernel: DMAR: [DMA Read NO_PASID] Request device [00:1e.3] fault addr 0xffffa000 [fault reason 0x06] PTE Read access is not set kernel: DMAR: DRHD: handling fault status reg 3 kernel: applespi spi-APP000D:00: Error writing to device: 01 0e 00 00 Fix this by restoring the previous context setup order. | 2025-07-04 | not yet calculated | CVE-2025-38216 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: hwmon: (ftsteutates) Fix TOCTOU race in fts_read() In the fts_read() function, when handling hwmon_pwm_auto_channels_temp, the code accesses the shared variable data->fan_source[channel] twice without holding any locks. It is first checked against FTS_FAN_SOURCE_INVALID, and if the check passes, it is read again when used as an argument to the BIT() macro. This creates a Time-of-Check to Time-of-Use (TOCTOU) race condition. Another thread executing fts_update_device() can modify the value of data->fan_source[channel] between the check and its use. If the value is changed to FTS_FAN_SOURCE_INVALID (0xff) during this window, the BIT() macro will be called with a large shift value (BIT(255)). A bit shift by a value greater than or equal to the type width is undefined behavior and can lead to a crash or incorrect values being returned to userspace. Fix this by reading data->fan_source[channel] into a local variable once, eliminating the race condition. Additionally, add a bounds check to ensure the value is less than BITS_PER_LONG before passing it to the BIT() macro, making the code more robust against undefined behavior. This possible bug was found by an experimental static analysis tool developed by our team. | 2025-07-04 | not yet calculated | CVE-2025-38217 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on sit_bitmap_size w/ below testcase, resize will generate a corrupted image which contains inconsistent metadata, so when mounting such image, it will trigger kernel panic: touch img truncate -s $((512*1024*1024*1024)) img mkfs.f2fs -f img $((256*1024*1024)) resize.f2fs -s -i img -t $((1024*1024*1024)) mount img /mnt/f2fs ------------[ cut here ]------------ kernel BUG at fs/f2fs/segment.h:863! Oops: invalid opcode: 0000 [#1] SMP PTI CPU: 11 UID: 0 PID: 3922 Comm: mount Not tainted 6.15.0-rc1+ #191 PREEMPT(voluntary) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 RIP: 0010:f2fs_ra_meta_pages+0x47c/0x490 Call Trace: f2fs_build_segment_manager+0x11c3/0x2600 f2fs_fill_super+0xe97/0x2840 mount_bdev+0xf4/0x140 legacy_get_tree+0x2b/0x50 vfs_get_tree+0x29/0xd0 path_mount+0x487/0xaf0 __x64_sys_mount+0x116/0x150 do_syscall_64+0x82/0x190 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fdbfde1bcfe The reaseon is: sit_i->bitmap_size is 192, so size of sit bitmap is 192*8=1536, at maximum there are 1536 sit blocks, however MAIN_SEGS is 261893, so that sit_blk_cnt is 4762, build_sit_entries() -> current_sit_addr() tries to access out-of-boundary in sit_bitmap at offset from [1536, 4762), once sit_bitmap and sit_bitmap_mirror is not the same, it will trigger f2fs_bug_on(). Let's add sanity check in f2fs_sanity_check_ckpt() to avoid panic. | 2025-07-04 | not yet calculated | CVE-2025-38218 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: f2fs: prevent kernel warning due to negative i_nlink from corrupted image WARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417 Modules linked in: CPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 Not tainted 6.14.0-12627-g94d471a4f428 #2 PREEMPT(full) Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:drop_nlink+0xac/0xd0 home/cc/linux/fs/inode.c:417 Code: 48 8b 5d 28 be 08 00 00 00 48 8d bb 70 07 00 00 e8 f9 67 e6 ff f0 48 ff 83 70 07 00 00 5b 5d e9 9a 12 82 ff e8 95 12 82 ff 90 <0f> 0b 90 c7 45 48 ff ff ff ff 5b 5d e9 83 12 82 ff e8 fe 5f e6 ff RSP: 0018:ffffc900026b7c28 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8239710f RDX: ffff888041345a00 RSI: ffffffff8239717b RDI: 0000000000000005 RBP: ffff888054509ad0 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: ffffffff9ab36f08 R12: ffff88804bb40000 R13: ffff8880545091e0 R14: 0000000000008000 R15: ffff8880545091e0 FS: 000055555d0c5880(0000) GS:ffff8880eb3e3000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f915c55b178 CR3: 0000000050d20000 CR4: 0000000000352ef0 Call Trace: <task> f2fs_i_links_write home/cc/linux/fs/f2fs/f2fs.h:3194 [inline] f2fs_drop_nlink+0xd1/0x3c0 home/cc/linux/fs/f2fs/dir.c:845 f2fs_delete_entry+0x542/0x1450 home/cc/linux/fs/f2fs/dir.c:909 f2fs_unlink+0x45c/0x890 home/cc/linux/fs/f2fs/namei.c:581 vfs_unlink+0x2fb/0x9b0 home/cc/linux/fs/namei.c:4544 do_unlinkat+0x4c5/0x6a0 home/cc/linux/fs/namei.c:4608 __do_sys_unlink home/cc/linux/fs/namei.c:4654 [inline] __se_sys_unlink home/cc/linux/fs/namei.c:4652 [inline] __x64_sys_unlink+0xc5/0x110 home/cc/linux/fs/namei.c:4652 do_syscall_x64 home/cc/linux/arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xc7/0x250 home/cc/linux/arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7fb3d092324b Code: 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 57 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffdc232d938 EFLAGS: 00000206 ORIG_RAX: 0000000000000057 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fb3d092324b RDX: 00007ffdc232d960 RSI: 00007ffdc232d960 RDI: 00007ffdc232d9f0 RBP: 00007ffdc232d9f0 R08: 0000000000000001 R09: 00007ffdc232d7c0 R10: 00000000fffffffd R11: 0000000000000206 R12: 00007ffdc232eaf0 R13: 000055555d0cebb0 R14: 00007ffdc232d958 R15: 0000000000000001 </task> | 2025-07-04 | not yet calculated | CVE-2025-38219 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: only dirty folios when data journaling regular files fstest generic/388 occasionally reproduces a crash that looks as follows: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... Call Trace: <TASK> ext4_block_zero_page_range+0x30c/0x380 [ext4] ext4_truncate+0x436/0x440 [ext4] ext4_process_orphan+0x5d/0x110 [ext4] ext4_orphan_cleanup+0x124/0x4f0 [ext4] ext4_fill_super+0x262d/0x3110 [ext4] get_tree_bdev_flags+0x132/0x1d0 vfs_get_tree+0x26/0xd0 vfs_cmd_create+0x59/0xe0 __do_sys_fsconfig+0x4ed/0x6b0 do_syscall_64+0x82/0x170 ... This occurs when processing a symlink inode from the orphan list. The partial block zeroing code in the truncate path calls ext4_dirty_journalled_data() -> folio_mark_dirty(). The latter calls mapping->a_ops->dirty_folio(), but symlink inodes are not assigned an a_ops vector in ext4, hence the crash. To avoid this problem, update the ext4_dirty_journalled_data() helper to only mark the folio dirty on regular files (for which a_ops is assigned). This also matches the journaling logic in the ext4_symlink() creation path, where ext4_handle_dirty_metadata() is called directly. | 2025-07-04 | not yet calculated | CVE-2025-38220 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: fix out of bounds punch offset Punching a hole with a start offset that exceeds max_end is not permitted and will result in a negative length in the truncate_inode_partial_folio() function while truncating the page cache, potentially leading to undesirable consequences. A simple reproducer: truncate -s 9895604649994 /mnt/foo xfs_io -c "pwrite 8796093022208 4096" /mnt/foo xfs_io -c "fpunch 8796093022213 25769803777" /mnt/foo kernel BUG at include/linux/highmem.h:275! Oops: invalid opcode: 0000 [#1] SMP PTI CPU: 3 UID: 0 PID: 710 Comm: xfs_io Not tainted 6.15.0-rc3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:zero_user_segments.constprop.0+0xd7/0x110 RSP: 0018:ffffc90001cf3b38 EFLAGS: 00010287 RAX: 0000000000000005 RBX: ffffea0001485e40 RCX: 0000000000001000 RDX: 000000000040b000 RSI: 0000000000000005 RDI: 000000000040b000 RBP: 000000000040affb R08: ffff888000000000 R09: ffffea0000000000 R10: 0000000000000003 R11: 00000000fffc7fc5 R12: 0000000000000005 R13: 000000000040affb R14: ffffea0001485e40 R15: ffff888031cd3000 FS: 00007f4f63d0b780(0000) GS:ffff8880d337d000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000001ae0b038 CR3: 00000000536aa000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> truncate_inode_partial_folio+0x3dd/0x620 truncate_inode_pages_range+0x226/0x720 ? bdev_getblk+0x52/0x3e0 ? ext4_get_group_desc+0x78/0x150 ? crc32c_arch+0xfd/0x180 ? __ext4_get_inode_loc+0x18c/0x840 ? ext4_inode_csum+0x117/0x160 ? jbd2_journal_dirty_metadata+0x61/0x390 ? __ext4_handle_dirty_metadata+0xa0/0x2b0 ? kmem_cache_free+0x90/0x5a0 ? jbd2_journal_stop+0x1d5/0x550 ? __ext4_journal_stop+0x49/0x100 truncate_pagecache_range+0x50/0x80 ext4_truncate_page_cache_block_range+0x57/0x3a0 ext4_punch_hole+0x1fe/0x670 ext4_fallocate+0x792/0x17d0 ? __count_memcg_events+0x175/0x2a0 vfs_fallocate+0x121/0x560 ksys_fallocate+0x51/0xc0 __x64_sys_fallocate+0x24/0x40 x64_sys_call+0x18d2/0x4170 do_syscall_64+0xa7/0x220 entry_SYSCALL_64_after_hwframe+0x76/0x7e Fix this by filtering out cases where the punching start offset exceeds max_end. | 2025-07-04 | not yet calculated | CVE-2025-38221 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ext4: inline: fix len overflow in ext4_prepare_inline_data When running the following code on an ext4 filesystem with inline_data feature enabled, it will lead to the bug below. fd = open("file1", O_RDWR | O_CREAT | O_TRUNC, 0666); ftruncate(fd, 30); pwrite(fd, "a", 1, (1UL << 40) + 5UL); That happens because write_begin will succeed as when ext4_generic_write_inline_data calls ext4_prepare_inline_data, pos + len will be truncated, leading to ext4_prepare_inline_data parameter to be 6 instead of 0x10000000006. Then, later when write_end is called, we hit: BUG_ON(pos + len > EXT4_I(inode)->i_inline_size); at ext4_write_inline_data. Fix it by using a loff_t type for the len parameter in ext4_prepare_inline_data instead of an unsigned int. [ 44.545164] ------------[ cut here ]------------ [ 44.545530] kernel BUG at fs/ext4/inline.c:240! [ 44.545834] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 44.546172] CPU: 3 UID: 0 PID: 343 Comm: test Not tainted 6.15.0-rc2-00003-g9080916f4863 #45 PREEMPT(full) 112853fcebfdb93254270a7959841d2c6aa2c8bb [ 44.546523] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 44.546523] RIP: 0010:ext4_write_inline_data+0xfe/0x100 [ 44.546523] Code: 3c 0e 48 83 c7 48 48 89 de 5b 41 5c 41 5d 41 5e 41 5f 5d e9 e4 fa 43 01 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc cc 0f 0b <0f> 0b 0f 1f 44 00 00 55 41 57 41 56 41 55 41 54 53 48 83 ec 20 49 [ 44.546523] RSP: 0018:ffffb342008b79a8 EFLAGS: 00010216 [ 44.546523] RAX: 0000000000000001 RBX: ffff9329c579c000 RCX: 0000010000000006 [ 44.546523] RDX: 000000000000003c RSI: ffffb342008b79f0 RDI: ffff9329c158e738 [ 44.546523] RBP: 0000000000000001 R08: 0000000000000001 R09: 0000000000000000 [ 44.546523] R10: 00007ffffffff000 R11: ffffffff9bd0d910 R12: 0000006210000000 [ 44.546523] R13: fffffc7e4015e700 R14: 0000010000000005 R15: ffff9329c158e738 [ 44.546523] FS: 00007f4299934740(0000) GS:ffff932a60179000(0000) knlGS:0000000000000000 [ 44.546523] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 44.546523] CR2: 00007f4299a1ec90 CR3: 0000000002886002 CR4: 0000000000770eb0 [ 44.546523] PKRU: 55555554 [ 44.546523] Call Trace: [ 44.546523] <TASK> [ 44.546523] ext4_write_inline_data_end+0x126/0x2d0 [ 44.546523] generic_perform_write+0x17e/0x270 [ 44.546523] ext4_buffered_write_iter+0xc8/0x170 [ 44.546523] vfs_write+0x2be/0x3e0 [ 44.546523] __x64_sys_pwrite64+0x6d/0xc0 [ 44.546523] do_syscall_64+0x6a/0xf0 [ 44.546523] ? __wake_up+0x89/0xb0 [ 44.546523] ? xas_find+0x72/0x1c0 [ 44.546523] ? next_uptodate_folio+0x317/0x330 [ 44.546523] ? set_pte_range+0x1a6/0x270 [ 44.546523] ? filemap_map_pages+0x6ee/0x840 [ 44.546523] ? ext4_setattr+0x2fa/0x750 [ 44.546523] ? do_pte_missing+0x128/0xf70 [ 44.546523] ? security_inode_post_setattr+0x3e/0xd0 [ 44.546523] ? ___pte_offset_map+0x19/0x100 [ 44.546523] ? handle_mm_fault+0x721/0xa10 [ 44.546523] ? do_user_addr_fault+0x197/0x730 [ 44.546523] ? do_syscall_64+0x76/0xf0 [ 44.546523] ? arch_exit_to_user_mode_prepare+0x1e/0x60 [ 44.546523] ? irqentry_exit_to_user_mode+0x79/0x90 [ 44.546523] entry_SYSCALL_64_after_hwframe+0x55/0x5d [ 44.546523] RIP: 0033:0x7f42999c6687 [ 44.546523] Code: 48 89 fa 4c 89 df e8 58 b3 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff [ 44.546523] RSP: 002b:00007ffeae4a7930 EFLAGS: 00000202 ORIG_RAX: 0000000000000012 [ 44.546523] RAX: ffffffffffffffda RBX: 00007f4299934740 RCX: 00007f42999c6687 [ 44.546523] RDX: 0000000000000001 RSI: 000055ea6149200f RDI: 0000000000000003 [ 44.546523] RBP: 00007ffeae4a79a0 R08: 0000000000000000 R09: 0000000000000000 [ 44.546523] R10: 0000010000000005 R11: 0000000000000202 R12: 0000 ---truncated--- | 2025-07-04 | not yet calculated | CVE-2025-38222 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: ceph: avoid kernel BUG for encrypted inode with unaligned file size The generic/397 test hits a BUG_ON for the case of encrypted inode with unaligned file size (for example, 33K or 1K): [ 877.737811] run fstests generic/397 at 2025-01-03 12:34:40 [ 877.875761] libceph: mon0 (2)127.0.0.1:40674 session established [ 877.876130] libceph: client4614 fsid 19b90bca-f1ae-47a6-93dd-0b03ee637949 [ 877.991965] libceph: mon0 (2)127.0.0.1:40674 session established [ 877.992334] libceph: client4617 fsid 19b90bca-f1ae-47a6-93dd-0b03ee637949 [ 878.017234] libceph: mon0 (2)127.0.0.1:40674 session established [ 878.017594] libceph: client4620 fsid 19b90bca-f1ae-47a6-93dd-0b03ee637949 [ 878.031394] xfs_io (pid 18988) is setting deprecated v1 encryption policy; recommend upgrading to v2. [ 878.054528] libceph: mon0 (2)127.0.0.1:40674 session established [ 878.054892] libceph: client4623 fsid 19b90bca-f1ae-47a6-93dd-0b03ee637949 [ 878.070287] libceph: mon0 (2)127.0.0.1:40674 session established [ 878.070704] libceph: client4626 fsid 19b90bca-f1ae-47a6-93dd-0b03ee637949 [ 878.264586] libceph: mon0 (2)127.0.0.1:40674 session established [ 878.265258] libceph: client4629 fsid 19b90bca-f1ae-47a6-93dd-0b03ee637949 [ 878.374578] -----------[ cut here ]------------ [ 878.374586] kernel BUG at net/ceph/messenger.c:1070! [ 878.375150] Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 878.378145] CPU: 2 UID: 0 PID: 4759 Comm: kworker/2:9 Not tainted 6.13.0-rc5+ #1 [ 878.378969] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 878.380167] Workqueue: ceph-msgr ceph_con_workfn [ 878.381639] RIP: 0010:ceph_msg_data_cursor_init+0x42/0x50 [ 878.382152] Code: 89 17 48 8b 46 70 55 48 89 47 08 c7 47 18 00 00 00 00 48 89 e5 e8 de cc ff ff 5d 31 c0 31 d2 31 f6 31 ff c3 cc cc cc cc 0f 0b <0f> 0b 0f 0b 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90 90 90 90 [ 878.383928] RSP: 0018:ffffb4ffc7cbbd28 EFLAGS: 00010287 [ 878.384447] RAX: ffffffff82bb9ac0 RBX: ffff981390c2f1f8 RCX: 0000000000000000 [ 878.385129] RDX: 0000000000009000 RSI: ffff981288232b58 RDI: ffff981390c2f378 [ 878.385839] RBP: ffffb4ffc7cbbe18 R08: 0000000000000000 R09: 0000000000000000 [ 878.386539] R10: 0000000000000000 R11: 0000000000000000 R12: ffff981390c2f030 [ 878.387203] R13: ffff981288232b58 R14: 0000000000000029 R15: 0000000000000001 [ 878.387877] FS: 0000000000000000(0000) GS:ffff9814b7900000(0000) knlGS:0000000000000000 [ 878.388663] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 878.389212] CR2: 00005e106a0554e0 CR3: 0000000112bf0001 CR4: 0000000000772ef0 [ 878.389921] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 878.390620] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 878.391307] PKRU: 55555554 [ 878.391567] Call Trace: [ 878.391807] <TASK> [ 878.392021] ? show_regs+0x71/0x90 [ 878.392391] ? die+0x38/0xa0 [ 878.392667] ? do_trap+0xdb/0x100 [ 878.392981] ? do_error_trap+0x75/0xb0 [ 878.393372] ? ceph_msg_data_cursor_init+0x42/0x50 [ 878.393842] ? exc_invalid_op+0x53/0x80 [ 878.394232] ? ceph_msg_data_cursor_init+0x42/0x50 [ 878.394694] ? asm_exc_invalid_op+0x1b/0x20 [ 878.395099] ? ceph_msg_data_cursor_init+0x42/0x50 [ 878.395583] ? ceph_con_v2_try_read+0xd16/0x2220 [ 878.396027] ? _raw_spin_unlock+0xe/0x40 [ 878.396428] ? raw_spin_rq_unlock+0x10/0x40 [ 878.396842] ? finish_task_switch.isra.0+0x97/0x310 [ 878.397338] ? __schedule+0x44b/0x16b0 [ 878.397738] ceph_con_workfn+0x326/0x750 [ 878.398121] process_one_work+0x188/0x3d0 [ 878.398522] ? __pfx_worker_thread+0x10/0x10 [ 878.398929] worker_thread+0x2b5/0x3c0 [ 878.399310] ? __pfx_worker_thread+0x10/0x10 [ 878.399727] kthread+0xe1/0x120 [ 878.400031] ? __pfx_kthread+0x10/0x10 [ 878.400431] ret_from_fork+0x43/0x70 [ 878.400771] ? __pfx_kthread+0x10/0x10 [ 878.401127] ret_from_fork_asm+0x1a/0x30 [ 878.401543] </TASK> [ 878.401760] Modules l ---truncated--- | 2025-07-04 | not yet calculated | CVE-2025-38223 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: can: kvaser_pciefd: refine error prone echo_skb_max handling logic echo_skb_max should define the supported upper limit of echo_skb[] allocated inside the netdevice's priv. The corresponding size value provided by this driver to alloc_candev() is KVASER_PCIEFD_CAN_TX_MAX_COUNT which is 17. But later echo_skb_max is rounded up to the nearest power of two (for the max case, that would be 32) and the tx/ack indices calculated further during tx/rx may exceed the upper array boundary. Kasan reported this for the ack case inside kvaser_pciefd_handle_ack_packet(), though the xmit function has actually caught the same thing earlier. BUG: KASAN: slab-out-of-bounds in kvaser_pciefd_handle_ack_packet+0x2d7/0x92a drivers/net/can/kvaser_pciefd.c:1528 Read of size 8 at addr ffff888105e4f078 by task swapper/4/0 CPU: 4 UID: 0 PID: 0 Comm: swapper/4 Not tainted 6.15.0 #12 PREEMPT(voluntary) Call Trace: <IRQ> dump_stack_lvl lib/dump_stack.c:122 print_report mm/kasan/report.c:521 kasan_report mm/kasan/report.c:634 kvaser_pciefd_handle_ack_packet drivers/net/can/kvaser_pciefd.c:1528 kvaser_pciefd_read_packet drivers/net/can/kvaser_pciefd.c:1605 kvaser_pciefd_read_buffer drivers/net/can/kvaser_pciefd.c:1656 kvaser_pciefd_receive_irq drivers/net/can/kvaser_pciefd.c:1684 kvaser_pciefd_irq_handler drivers/net/can/kvaser_pciefd.c:1733 __handle_irq_event_percpu kernel/irq/handle.c:158 handle_irq_event kernel/irq/handle.c:210 handle_edge_irq kernel/irq/chip.c:833 __common_interrupt arch/x86/kernel/irq.c:296 common_interrupt arch/x86/kernel/irq.c:286 </IRQ> Tx max count definitely matters for kvaser_pciefd_tx_avail(), but for seq numbers' generation that's not the case - we're free to calculate them as would be more convenient, not taking tx max count into account. The only downside is that the size of echo_skb[] should correspond to the max seq number (not tx max count), so in some situations a bit more memory would be consumed than could be. Thus make the size of the underlying echo_skb[] sufficient for the rounded max tx value. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-07-04 | not yet calculated | CVE-2025-38224 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: imx-jpeg: Cleanup after an allocation error When allocation failures are not cleaned up by the driver, further allocation errors will be false-positives, which will cause buffers to remain uninitialized and cause NULL pointer dereferences. Ensure proper cleanup of failed allocations to prevent these issues. | 2025-07-04 | not yet calculated | CVE-2025-38225 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: vivid: Change the siize of the composing syzkaller found a bug: BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 Write of size 1440 at addr ffffc9000d0ffda0 by task vivid-000-vid-c/5304 CPU: 0 UID: 0 PID: 5304 Comm: vivid-000-vid-c Not tainted 6.14.0-rc2-syzkaller-00039-g09fbf3d50205 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0x169/0x550 mm/kasan/report.c:489 kasan_report+0x143/0x180 mm/kasan/report.c:602 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x40/0x70 mm/kasan/shadow.c:106 tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline] tpg_fill_plane_buffer+0x1a9c/0x5af0 drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2705 vivid_fillbuff drivers/media/test-drivers/vivid/vivid-kthread-cap.c:470 [inline] vivid_thread_vid_cap_tick+0xf8e/0x60d0 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:629 vivid_thread_vid_cap+0x8aa/0xf30 drivers/media/test-drivers/vivid/vivid-kthread-cap.c:767 kthread+0x7a9/0x920 kernel/kthread.c:464 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> The composition size cannot be larger than the size of fmt_cap_rect. So execute v4l2_rect_map_inside() even if has_compose_cap == 0. | 2025-07-04 | not yet calculated | CVE-2025-38226 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Terminating the subsequent process of initialization failure syzbot reported a slab-use-after-free Read in vidtv_mux_init. [1] After PSI initialization fails, the si member is accessed again, resulting in this uaf. After si initialization fails, the subsequent process needs to be exited. [1] BUG: KASAN: slab-use-after-free in vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 [inline] BUG: KASAN: slab-use-after-free in vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 Read of size 8 at addr ffff88802fa42acc by task syz.2.37/6059 CPU: 0 UID: 0 PID: 6059 Comm: syz.2.37 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0xc3/0x670 mm/kasan/report.c:521 kasan_report+0xd9/0x110 mm/kasan/report.c:634 vidtv_mux_pid_ctx_init drivers/media/test-drivers/vidtv/vidtv_mux.c:78 vidtv_mux_init+0xac2/0xbe0 drivers/media/test-drivers/vidtv/vidtv_mux.c:524 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973 dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline] dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/file_table.c:464 task_work_run+0x14e/0x250 kernel/task_work.c:227 exit_task_work include/linux/task_work.h:40 [inline] do_exit+0xad8/0x2d70 kernel/exit.c:938 do_group_exit+0xd3/0x2a0 kernel/exit.c:1087 __do_sys_exit_group kernel/exit.c:1098 [inline] __se_sys_exit_group kernel/exit.c:1096 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1096 x64_sys_call+0x151f/0x1720 arch/x86/include/generated/asm/syscalls_64.h:232 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f871d58d169 Code: Unable to access opcode bytes at 0x7f871d58d13f. RSP: 002b:00007fff4b19a788 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f871d58d169 RDX: 0000000000000064 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00007fff4b19a7ec R08: 0000000b4b19a87f R09: 00000000000927c0 R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000003 R13: 00000000000927c0 R14: 000000000001d553 R15: 00007fff4b19a840 </TASK> Allocated by task 6059: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394 kmalloc_noprof include/linux/slab.h:901 [inline] kzalloc_noprof include/linux/slab.h:1037 [inline] vidtv_psi_pat_table_init drivers/media/test-drivers/vidtv/vidtv_psi.c:970 vidtv_channel_si_init drivers/media/test-drivers/vidtv/vidtv_channel.c:423 vidtv_mux_init drivers/media/test-drivers/vidtv/vidtv_mux.c:519 vidtv_start_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:194 vidtv_start_feed drivers/media/test-drivers/vidtv/vidtv_bridge.c:239 dmx_section_feed_start_filtering drivers/media/dvb-core/dvb_demux.c:973 dvb_dmxdev_feed_start drivers/media/dvb-core/dmxdev.c:508 [inline] dvb_dmxdev_feed_restart.isra.0 drivers/media/dvb-core/dmxdev.c:537 dvb_dmxdev_filter_stop+0x2b4/0x3a0 drivers/media/dvb-core/dmxdev.c:564 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3ff/0xb70 fs/file_tabl ---truncated--- | 2025-07-04 | not yet calculated | CVE-2025-38227 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: imagination: fix a potential memory leak in e5010_probe() Add video_device_release() to release the memory allocated by video_device_alloc() if something goes wrong. | 2025-07-04 | not yet calculated | CVE-2025-38228 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: media: cxusb: no longer judge rbuf when the write fails syzbot reported a uninit-value in cxusb_i2c_xfer. [1] Only when the write operation of usb_bulk_msg() in dvb_usb_generic_rw() succeeds and rlen is greater than 0, the read operation of usb_bulk_msg() will be executed to read rlen bytes of data from the dvb device into the rbuf. In this case, although rlen is 1, the write operation failed which resulted in the dvb read operation not being executed, and ultimately variable i was not initialized. [1] BUG: KMSAN: uninit-value in cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline] BUG: KMSAN: uninit-value in cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196 cxusb_gpio_tuner drivers/media/usb/dvb-usb/cxusb.c:124 [inline] cxusb_i2c_xfer+0x153a/0x1a60 drivers/media/usb/dvb-usb/cxusb.c:196 __i2c_transfer+0xe25/0x3150 drivers/i2c/i2c-core-base.c:-1 i2c_transfer+0x317/0x4a0 drivers/i2c/i2c-core-base.c:2315 i2c_transfer_buffer_flags+0x125/0x1e0 drivers/i2c/i2c-core-base.c:2343 i2c_master_send include/linux/i2c.h:109 [inline] i2cdev_write+0x210/0x280 drivers/i2c/i2c-dev.c:183 do_loop_readv_writev fs/read_write.c:848 [inline] vfs_writev+0x963/0x14e0 fs/read_write.c:1057 do_writev+0x247/0x5c0 fs/read_write.c:1101 __do_sys_writev fs/read_write.c:1169 [inline] __se_sys_writev fs/read_write.c:1166 [inline] __x64_sys_writev+0x98/0xe0 fs/read_write.c:1166 x64_sys_call+0x2229/0x3c80 arch/x86/include/generated/asm/syscalls_64.h:21 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x1e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2025-07-04 | not yet calculated | CVE-2025-38229 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: jfs: validate AG parameters in dbMount() to prevent crashes Validate db_agheight, db_agwidth, and db_agstart in dbMount to catch corrupted metadata early and avoid undefined behavior in dbAllocAG. Limits are derived from L2LPERCTL, LPERCTL/MAXAG, and CTLTREESIZE: - agheight: 0 to L2LPERCTL/2 (0 to 5) ensures shift (L2LPERCTL - 2*agheight) >= 0. - agwidth: 1 to min(LPERCTL/MAXAG, 2^(L2LPERCTL - 2*agheight)) ensures agperlev >= 1. - Ranges: 1-8 (agheight 0-3), 1-4 (agheight 4), 1 (agheight 5). - LPERCTL/MAXAG = 1024/128 = 8 limits leaves per AG; 2^(10 - 2*agheight) prevents division to 0. - agstart: 0 to CTLTREESIZE-1 - agwidth*(MAXAG-1) keeps ti within stree (size 1365). - Ranges: 0-1237 (agwidth 1), 0-348 (agwidth 8). UBSAN: shift-out-of-bounds in fs/jfs/jfs_dmap.c:1400:9 shift exponent -335544310 is negative CPU: 0 UID: 0 PID: 5822 Comm: syz-executor130 Not tainted 6.14.0-rc5-syzkaller #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_shift_out_of_bounds+0x3c8/0x420 lib/ubsan.c:468 dbAllocAG+0x1087/0x10b0 fs/jfs/jfs_dmap.c:1400 dbDiscardAG+0x352/0xa20 fs/jfs/jfs_dmap.c:1613 jfs_ioc_trim+0x45a/0x6b0 fs/jfs/jfs_discard.c:105 jfs_ioctl+0x2cd/0x3e0 fs/jfs/ioctl.c:131 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl+0xf5/0x170 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f Found by Linux Verification Center (linuxtesting.org) with Syzkaller. | 2025-07-04 | not yet calculated | CVE-2025-38230 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: Initialize ssc before laundromat_work to prevent NULL dereference In nfs4_state_start_net(), laundromat_work may access nfsd_ssc through nfs4_laundromat -> nfsd4_ssc_expire_umount. If nfsd_ssc isn't initialized, this can cause NULL pointer dereference. Normally the delayed start of laundromat_work allows sufficient time for nfsd_ssc initialization to complete. However, when the kernel waits too long for userspace responses (e.g. in nfs4_state_start_net -> nfsd4_end_grace -> nfsd4_record_grace_done -> nfsd4_cld_grace_done -> cld_pipe_upcall -> __cld_pipe_upcall -> wait_for_completion path), the delayed work may start before nfsd_ssc initialization finishes. Fix this by moving nfsd_ssc initialization before starting laundromat_work. | 2025-07-04 | not yet calculated | CVE-2025-38231 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: NFSD: fix race between nfsd registration and exports_proc As of now nfsd calls create_proc_exports_entry() at start of init_nfsd and cleanup by remove_proc_entry() at last of exit_nfsd. Which causes kernel OOPs if there is race between below 2 operations: (i) exportfs -r (ii) mount -t nfsd none /proc/fs/nfsd for 5.4 kernel ARM64: CPU 1: el1_irq+0xbc/0x180 arch_counter_get_cntvct+0x14/0x18 running_clock+0xc/0x18 preempt_count_add+0x88/0x110 prep_new_page+0xb0/0x220 get_page_from_freelist+0x2d8/0x1778 __alloc_pages_nodemask+0x15c/0xef0 __vmalloc_node_range+0x28c/0x478 __vmalloc_node_flags_caller+0x8c/0xb0 kvmalloc_node+0x88/0xe0 nfsd_init_net+0x6c/0x108 [nfsd] ops_init+0x44/0x170 register_pernet_operations+0x114/0x270 register_pernet_subsys+0x34/0x50 init_nfsd+0xa8/0x718 [nfsd] do_one_initcall+0x54/0x2e0 CPU 2 : Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 PC is at : exports_net_open+0x50/0x68 [nfsd] Call trace: exports_net_open+0x50/0x68 [nfsd] exports_proc_open+0x2c/0x38 [nfsd] proc_reg_open+0xb8/0x198 do_dentry_open+0x1c4/0x418 vfs_open+0x38/0x48 path_openat+0x28c/0xf18 do_filp_open+0x70/0xe8 do_sys_open+0x154/0x248 Sometimes it crashes at exports_net_open() and sometimes cache_seq_next_rcu(). and same is happening on latest 6.14 kernel as well: [ 0.000000] Linux version 6.14.0-rc5-next-20250304-dirty ... [ 285.455918] Unable to handle kernel paging request at virtual address 00001f4800001f48 ... [ 285.464902] pc : cache_seq_next_rcu+0x78/0xa4 ... [ 285.469695] Call trace: [ 285.470083] cache_seq_next_rcu+0x78/0xa4 (P) [ 285.470488] seq_read+0xe0/0x11c [ 285.470675] proc_reg_read+0x9c/0xf0 [ 285.470874] vfs_read+0xc4/0x2fc [ 285.471057] ksys_read+0x6c/0xf4 [ 285.471231] __arm64_sys_read+0x1c/0x28 [ 285.471428] invoke_syscall+0x44/0x100 [ 285.471633] el0_svc_common.constprop.0+0x40/0xe0 [ 285.471870] do_el0_svc_compat+0x1c/0x34 [ 285.472073] el0_svc_compat+0x2c/0x80 [ 285.472265] el0t_32_sync_handler+0x90/0x140 [ 285.472473] el0t_32_sync+0x19c/0x1a0 [ 285.472887] Code: f9400885 93407c23 937d7c27 11000421 (f86378a3) [ 285.473422] ---[ end trace 0000000000000000 ]--- It reproduced simply with below script: while [ 1 ] do /exportfs -r done & while [ 1 ] do insmod /nfsd.ko mount -t nfsd none /proc/fs/nfsd umount /proc/fs/nfsd rmmod nfsd done & So exporting interfaces to user space shall be done at last and cleanup at first place. With change there is no Kernel OOPs. | 2025-07-04 | not yet calculated | CVE-2025-38232 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: powerpc64/ftrace: fix clobbered r15 during livepatching While r15 is clobbered always with PPC_FTRACE_OUT_OF_LINE, it is not restored in livepatch sequence leading to not so obvious fails like below: BUG: Unable to handle kernel data access on write at 0xc0000000000f9078 Faulting instruction address: 0xc0000000018ff958 Oops: Kernel access of bad area, sig: 11 [#1] ... NIP: c0000000018ff958 LR: c0000000018ff930 CTR: c0000000009c0790 REGS: c00000005f2e7790 TRAP: 0300 Tainted: G K (6.14.0+) MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE> CR: 2822880b XER: 20040000 CFAR: c0000000008addc0 DAR: c0000000000f9078 DSISR: 0a000000 IRQMASK: 1 GPR00: c0000000018f2584 c00000005f2e7a30 c00000000280a900 c000000017ffa488 GPR04: 0000000000000008 0000000000000000 c0000000018f24fc 000000000000000d GPR08: fffffffffffe0000 000000000000000d 0000000000000000 0000000000008000 GPR12: c0000000009c0790 c000000017ffa480 c00000005f2e7c78 c0000000000f9070 GPR16: c00000005f2e7c90 0000000000000000 0000000000000000 0000000000000000 GPR20: 0000000000000000 c00000005f3efa80 c00000005f2e7c60 c00000005f2e7c88 GPR24: c00000005f2e7c60 0000000000000001 c0000000000f9078 0000000000000000 GPR28: 00007fff97960000 c000000017ffa480 0000000000000000 c0000000000f9078 ... Call Trace: check_heap_object+0x34/0x390 (unreliable) __mutex_unlock_slowpath.isra.0+0xe4/0x230 seq_read_iter+0x430/0xa90 proc_reg_read_iter+0xa4/0x200 vfs_read+0x41c/0x510 ksys_read+0xa4/0x190 system_call_exception+0x1d0/0x440 system_call_vectored_common+0x15c/0x2ec Fix it by restoring r15 always. | 2025-07-04 | not yet calculated | CVE-2025-38233 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: sched/rt: Fix race in push_rt_task Overview ======== When a CPU chooses to call push_rt_task and picks a task to push to another CPU's runqueue then it will call find_lock_lowest_rq method which would take a double lock on both CPUs' runqueues. If one of the locks aren't readily available, it may lead to dropping the current runqueue lock and reacquiring both the locks at once. During this window it is possible that the task is already migrated and is running on some other CPU. These cases are already handled. However, if the task is migrated and has already been executed and another CPU is now trying to wake it up (ttwu) such that it is queued again on the runqeue (on_rq is 1) and also if the task was run by the same CPU, then the current checks will pass even though the task was migrated out and is no longer in the pushable tasks list. Crashes ======= This bug resulted in quite a few flavors of crashes triggering kernel panics with various crash signatures such as assert failures, page faults, null pointer dereferences, and queue corruption errors all coming from scheduler itself. Some of the crashes: -> kernel BUG at kernel/sched/rt.c:1616! BUG_ON(idx >= MAX_RT_PRIO) Call Trace: ? __die_body+0x1a/0x60 ? die+0x2a/0x50 ? do_trap+0x85/0x100 ? pick_next_task_rt+0x6e/0x1d0 ? do_error_trap+0x64/0xa0 ? pick_next_task_rt+0x6e/0x1d0 ? exc_invalid_op+0x4c/0x60 ? pick_next_task_rt+0x6e/0x1d0 ? asm_exc_invalid_op+0x12/0x20 ? pick_next_task_rt+0x6e/0x1d0 __schedule+0x5cb/0x790 ? update_ts_time_stats+0x55/0x70 schedule_idle+0x1e/0x40 do_idle+0x15e/0x200 cpu_startup_entry+0x19/0x20 start_secondary+0x117/0x160 secondary_startup_64_no_verify+0xb0/0xbb -> BUG: kernel NULL pointer dereference, address: 00000000000000c0 Call Trace: ? __die_body+0x1a/0x60 ? no_context+0x183/0x350 ? __warn+0x8a/0xe0 ? exc_page_fault+0x3d6/0x520 ? asm_exc_page_fault+0x1e/0x30 ? pick_next_task_rt+0xb5/0x1d0 ? pick_next_task_rt+0x8c/0x1d0 __schedule+0x583/0x7e0 ? update_ts_time_stats+0x55/0x70 schedule_idle+0x1e/0x40 do_idle+0x15e/0x200 cpu_startup_entry+0x19/0x20 start_secondary+0x117/0x160 secondary_startup_64_no_verify+0xb0/0xbb -> BUG: unable to handle page fault for address: ffff9464daea5900 kernel BUG at kernel/sched/rt.c:1861! BUG_ON(rq->cpu != task_cpu(p)) -> kernel BUG at kernel/sched/rt.c:1055! BUG_ON(!rq->nr_running) Call Trace: ? __die_body+0x1a/0x60 ? die+0x2a/0x50 ? do_trap+0x85/0x100 ? dequeue_top_rt_rq+0xa2/0xb0 ? do_error_trap+0x64/0xa0 ? dequeue_top_rt_rq+0xa2/0xb0 ? exc_invalid_op+0x4c/0x60 ? dequeue_top_rt_rq+0xa2/0xb0 ? asm_exc_invalid_op+0x12/0x20 ? dequeue_top_rt_rq+0xa2/0xb0 dequeue_rt_entity+0x1f/0x70 dequeue_task_rt+0x2d/0x70 __schedule+0x1a8/0x7e0 ? blk_finish_plug+0x25/0x40 schedule+0x3c/0xb0 futex_wait_queue_me+0xb6/0x120 futex_wait+0xd9/0x240 do_futex+0x344/0xa90 ? get_mm_exe_file+0x30/0x60 ? audit_exe_compare+0x58/0x70 ? audit_filter_rules.constprop.26+0x65e/0x1220 __x64_sys_futex+0x148/0x1f0 do_syscall_64+0x30/0x80 entry_SYSCALL_64_after_hwframe+0x62/0xc7 -> BUG: unable to handle page fault for address: ffff8cf3608bc2c0 Call Trace: ? __die_body+0x1a/0x60 ? no_context+0x183/0x350 ? spurious_kernel_fault+0x171/0x1c0 ? exc_page_fault+0x3b6/0x520 ? plist_check_list+0x15/0x40 ? plist_check_list+0x2e/0x40 ? asm_exc_page_fault+0x1e/0x30 ? _cond_resched+0x15/0x30 ? futex_wait_queue_me+0xc8/0x120 ? futex_wait+0xd9/0x240 ? try_to_wake_up+0x1b8/0x490 ? futex_wake+0x78/0x160 ? do_futex+0xcd/0xa90 ? plist_check_list+0x15/0x40 ? plist_check_list+0x2e/0x40 ? plist_del+0x6a/0xd0 ? plist_check_list+0x15/0x40 ? plist_check_list+0x2e/0x40 ? dequeue_pushable_task+0x20/0x70 ? __schedule+0x382/0x7e0 ? asm_sysvec_reschedule_i ---truncated--- | 2025-07-04 | not yet calculated | CVE-2025-38234 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: fix "appletb_backlight" backlight device reference counting During appletb_kbd_probe, probe attempts to get the backlight device by name. When this happens backlight_device_get_by_name looks for a device in the backlight class which has name "appletb_backlight" and upon finding a match it increments the reference count for the device and returns it to the caller. However this reference is never released leading to a reference leak. Fix this by decrementing the backlight device reference count on removal via put_device and on probe failure. | 2025-07-06 | not yet calculated | CVE-2025-38235 |
| Lucee Association Switzerland--Lucee | An authenticated remote code execution vulnerability exists in Lucee's administrative interface due to insecure design in the scheduled task functionality. An administrator with access to /lucee/admin/web.cfm can configure a scheduled job to retrieve a remote .cfm file from an attacker-controlled server, which is written to the Lucee webroot and executed with the privileges of the Lucee service account. Because Lucee does not enforce integrity checks, path restrictions, or execution controls for scheduled task fetches, this feature can be abused to achieve arbitrary code execution. This issue is distinct from CVE-2024-55354. | 2025-07-02 | not yet calculated | CVE-2025-34074 |
| Microweber Ltd.--CMS | An authenticated local file inclusion vulnerability exists in Microweber CMS versions <= 1.2.11 through misuse of the backup management API. Authenticated users can abuse the /api/BackupV2/upload and /api/BackupV2/download endpoints to read arbitrary files from the underlying filesystem. By specifying an absolute file path in the src parameter of the upload request, the server may relocate or delete the target file depending on the web service user's privileges. The corresponding download endpoint can then be used to retrieve the file contents, effectively enabling local file disclosure. This behavior stems from insufficient validation of user-supplied paths and inadequate restrictions on file access and backup logic. | 2025-07-02 | not yet calculated | CVE-2025-34076 |
| MikroTik--RouterOS | A misconfiguration in the default settings of MikroTik RouterOS 7 and fixed in v7.14 allows incoming IPv6 UDP traceroute packets. | 2025-06-30 | not yet calculated | CVE-2023-47310 |
| MikroTik--RouterOS | A cross-site scripting vulnerability is present in the hotspot of MikroTik's RouterOS on versions below 7.19.2. An attacker can inject the `javascript` protocol in the `dst` parameter. When the victim browses to the malicious URL and logs in, the XSS executes. The POST request used to login, can also be converted to a GET request, allowing an attacker to send a specifically crafted URL that automatically logs in the victim (into the attacker's account) and triggers the payload. | 2025-07-03 | not yet calculated | CVE-2025-6563 |
| modelcontextprotocol--python-sdk | The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.10.0, if a client deliberately triggers an exception after establishing a streamable HTTP session, this can lead to an uncaught ClosedResourceError on the server side, causing the server to crash and requiring a restart to restore service. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Version 1.10.0 contains a patch for the issue. | 2025-07-04 | not yet calculated | CVE-2025-53365 |
| modelcontextprotocol--python-sdk | The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.9.4, a validation error in the MCP SDK can cause an unhandled exception when processing malformed requests, resulting in service unavailability (500 errors) until manually restarted. Impact may vary depending on the deployment conditions, and presence of infrastructure-level resilience measures. Version 1.9.4 contains a patch for the issue. | 2025-07-04 | not yet calculated | CVE-2025-53366 |
| modelcontextprotocol--servers | Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). Versions of Filesystem prior to 0.6.4 or 2025.7.01 could allow access to unintended files via symlinks within allowed directories. Users are advised to upgrade to 0.6.4 or 2025.7.01 resolve. | 2025-07-02 | not yet calculated | CVE-2025-53109 |
| modelcontextprotocol--servers | Model Context Protocol Servers is a collection of reference implementations for the model context protocol (MCP). Versions of Filesystem prior to 0.6.4 or 2025.7.01 could allow access to unintended files in cases where the prefix matches an allowed directory. Users are advised to upgrade to 0.6.4 or 2025.7.01 resolve. | 2025-07-02 | not yet calculated | CVE-2025-53110 |
| Monero Project--Forum | A PHP objection injection vulnerability exists in the Monero Project's Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP's finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution. | 2025-07-01 | not yet calculated | CVE-2025-34060 |
| n/a--IITB SSO | Misconfigured settings in IITB SSO v1.1.0 allow attackers to access sensitive application data. | 2025-07-01 | not yet calculated | CVE-2025-45081 |
| n/a--Linjiashop | linjiashop <=0.9 is vulnerable to Incorrect Access Control. When using the default-generated JWT authentication, attackers can bypass the authentication and retrieve the encrypted "password" and "salt". The password can then be obtained through brute-force cracking. | 2025-07-01 | not yet calculated | CVE-2025-52101 |
| n/a--n/a | Improper mstatus.SUM bit retention (non-zero) in Open-Source RISC-V Processor commit f517abb violates privileged spec constraints, enabling potential physical memory access attacks. | 2025-07-01 | not yet calculated | CVE-2025-45006 |
| n/a--n/a | YONO SBI: Banking & Lifestyle v1.23.36 was discovered to use unencrypted communicatons, possibly allowing attackers to execute a man-in-the-middle attack. | 2025-07-01 | not yet calculated | CVE-2025-45080 |
| n/a--string-math | string-math v1.2.2 was discovered to contain a Regex Denial of Service (ReDoS) which is exploited via a crafted input. | 2025-06-30 | not yet calculated | CVE-2025-45143 |
| n/a--Trust Wallet | Insufficient validation of the screen lock mechanism in Trust Wallet v8.45 allows physically proximate attackers to bypass the lock screen and view the wallet balance. | 2025-07-01 | not yet calculated | CVE-2025-52294 |
| n/a--Ullu | Incorrect access control in Ullu (Android version v2.9.929 and IOS version v2.8.0) allows attackers to bypass parental pin feature via unspecified vectors. | 2025-07-01 | not yet calculated | CVE-2025-45083 |
| n/a--ZrLog | zrlog v3.1.5 was discovered to contain a Server-Side Request Forgery (SSRF) via the downloadUrl parameter. | 2025-07-01 | not yet calculated | CVE-2025-45872 |
| n8n-io--n8n | n8n is a workflow automation platform. Prior to version 1.99.1, an authorization vulnerability was discovered in the /rest/executions/:id/stop endpoint of n8n. An authenticated user can stop workflow executions that they do not own or that have not been shared with them, leading to potential business disruption. This issue has been patched in version 1.99.1. A workaround involves restricting access to the /rest/executions/:id/stop endpoint via reverse proxy or API gateway. | 2025-07-03 | not yet calculated | CVE-2025-52554 |
| NAVER--NAVER Whale browser | Whale browser for iOS before 3.9.1.4206 allow an attacker to execute malicious scripts in the browser via a crafted javascript scheme. | 2025-07-04 | not yet calculated | CVE-2025-53599 |
| NAVER--NAVER Whale browser | Whale browser before 4.32.315.22 allow an attacker to bypass the Same-Origin Policy in a dual-tab environment. | 2025-07-04 | not yet calculated | CVE-2025-53600 |
| Nokia--Nokia Single RAN | Sending a crafted SOAP "set" operation message within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network can cause Nokia Single RAN baseband OAM service component restart with software versions earlier than release 24R1-SR 1.0 MP. This issue has been corrected to release 24R1-SR 1.0 MP and later. The OAM service component restarts automatically after the stack overflow without causing a base station restart or network service degradation, and without leaving any permanent impact on the Nokia Single RAN baseband OAM service. | 2025-07-02 | not yet calculated | CVE-2025-24328 |
| Nokia--Nokia Single RAN | Sending a crafted SOAP "provision" operation message archive field within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network can cause path traversal issue in Nokia Single RAN baseband software with versions earlier than release 24R1-SR 1.0 MP. This issue has been corrected to release 24R1-SR 1.0 MP and later. Beginning with release 24R1-SR 1.0 MP, the OAM service software utilizes libarchive APIs with security options enabled, effectively mitigating the reported path traversal issue. | 2025-07-02 | not yet calculated | CVE-2025-24329 |
| Nokia--Nokia Single RAN | Sending a crafted SOAP "provision" operation message PlanId field within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network can cause path traversal issue in Nokia Single RAN baseband software with versions earlier than release 24R1-SR 1.0 MP. This issue has been corrected to release 24R1-SR 1.0 MP and later. Beginning with release 24R1-SR 1.0 MP, the OAM service software performed PlanId field input validations mitigate the reported path traversal issue. | 2025-07-02 | not yet calculated | CVE-2025-24330 |
| Nokia--Nokia Single RAN | The Single RAN baseband OAM service is intended to run as an unprivileged service. However, it initially starts with root privileges and assigns certain capabilities before dropping to an unprivileged level. The capabilities retained from the root period are considered extensive after the privilege drop and, in theory, could potentially allow actions beyond the intended scope of the OAM service. These actions could include gaining root privileges, accessing root-owned files, modifying them as the file owner, and then returning them to root ownership. This issue has been corrected starting from release 24R1-SR 0.2 MP and later. Beginning with release 24R1-SR 0.2 MP, the OAM service software capabilities are restricted to the minimum necessary. | 2025-07-02 | not yet calculated | CVE-2025-24331 |
| Nokia--Nokia Single RAN | Nokia Single RAN baseband software earlier than 24R1-SR 1.0 MP contains administrative shell input validation fault, which authenticated admin user can, in theory, potentially use for injecting arbitrary commands for unprivileged baseband OAM service process execution via special characters added to baseband internal COMA_config.xml file. This issue has been corrected starting from release 24R1-SR 1.0 MP and later, by adding proper input validation to OAM service process which prevents injecting special characters via baseband internal COMA_config.xml file. | 2025-07-02 | not yet calculated | CVE-2025-24333 |
| Nokia--Nokia Single RAN | The Nokia Single RAN baseband software earlier than 23R2-SR 1.0 MP can be made to reveal the exact software release version by sending a specific HTTP POST request through the Mobile Network Operator (MNO) internal RAN management network. | 2025-07-02 | not yet calculated | CVE-2025-24334 |
| Nokia--Nokia Single RAN | Nokia Single RAN baseband software versions earlier than 24R1-SR 2.1 MP contain a SOAP message input validation flaw, which in theory could potentially be used for causing resource exhaustion in the Single RAN baseband OAM service. No practical exploit has been detected for this flaw. However, the issue has been corrected starting from release 24R1-SR 2.1 MP by adding sufficient input validation for received SOAP requests, effectively mitigating the reported issue. | 2025-07-02 | not yet calculated | CVE-2025-24335 |
| Nokia--Nokia Single RAN AirScale (Flexi Multiradio is not affected) | Nokia Single RAN AirScale baseband allows an authenticated administrative user access to all physical boards after performing a single login to the baseband system board. The baseband does not re-authenticate the user when they connect from the baseband system board to the baseband capacity boards using the internal bsoc SSH service, which is available only internally within the baseband and through the internal backplane between the boards. The bsoc SSH allows login from one board to another via the baseband internal backplane using an SSH private key present on the baseband system board. This bsoc SSH capability was previously considered an administrative functionality but has now been restricted to be available only to baseband root-privileged administrators. This restriction mitigates the possibility of misuse with lower-level privileges (e.g., from baseband software images). This mitigation is included starting from release 23R4-SR 3.0 MP and later | 2025-07-02 | not yet calculated | CVE-2025-24332 |
| NovelSat Ltd.--NovelSat NS2000, NS3000 Satellite Modem / Demodulator | Missing authentication checks in the query.fcgi endpoint of NS3000 v8.1.1.125110 , v7.2.8.124852 , and v7.x and NS2000 v7.02.08 allows attackers to execute a session hijacking attack. | 2025-07-02 | not yet calculated | CVE-2025-45814 |
| NSClient++--NSClient++ | A local privilege escalation vulnerability exists in NSClient++ 0.5.2.35 when both the web interface and ExternalScripts features are enabled. The configuration file (nsclient.ini) stores the administrative password in plaintext and is readable by local users. By extracting this password, an attacker can authenticate to the NSClient++ web interface (typically accessible on port 8443) and abuse the ExternalScripts plugin to inject and execute arbitrary commands as SYSTEM by registering a custom script, saving the configuration, and triggering it via the API. This behavior is documented but insecure, as the plaintext credential exposure undermines access isolation between local users and administrative functions. | 2025-07-02 | not yet calculated | CVE-2025-34078 |
| NSClient++--NSClient++ | An authenticated remote code execution vulnerability exists in NSClient++ version 0.5.2.35 when the web interface and ExternalScripts module are enabled. A remote attacker with the administrator password can authenticate to the web interface (default port 8443), inject arbitrary commands as external scripts via the /settings/query.json API, save the configuration, and trigger the script via the /query/{name} endpoint. The injected commands are executed with SYSTEM privileges, enabling full remote compromise. This capability is an intended feature, but the lack of safeguards or privilege separation makes it risky when exposed to untrusted actors. | 2025-07-02 | not yet calculated | CVE-2025-34079 |
| One Identity--OneLogin Active Directory Connector (ADC) | An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directory_token-which may be retrievable from host registry keys or improperly secured logs-can retrieve a plaintext response disclosing sensitive credentials. These may include an API key, AWS IAM access and secret keys, and a base64-encoded JWT signing key used in the tenant's SSO IdP configuration. | 2025-07-01 | not yet calculated | CVE-2025-34062 |
| One Identity--OneLogin Active Directory Connector (ADC) | A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant's SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary users within a OneLogin tenant. The tokens allow authentication to the OneLogin SSO portal and all downstream applications federated via SAML or OIDC. This allows full unauthorized access across the victim's SaaS environment. | 2025-07-01 | not yet calculated | CVE-2025-34063 |
| One Identity--OneLogin Active Directory Connector (ADC) | A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. These logs may contain sensitive data such as directory tokens, user metadata, and environment configuration. This enables cross-tenant leakage of secrets, potentially allowing JWT signing key recovery and user impersonation. | 2025-07-01 | not yet calculated | CVE-2025-34064 |
| OpenText--GroupWise | Incorrect Authorization vulnerability in OpenTextâ„¢ GroupWise allows Exploiting Incorrectly Configured Access Control Security Levels. The vulnerability could allow unauthorized access to calendar items marked private. This issue affects GroupWise versions 7 through 17.5, 23.4, 24.1, 24.2, 24.3, 24.4. | 2025-07-03 | not yet calculated | CVE-2025-0885 |
| Orkes--Conductor | Orkes Conductor v3.21.11 allows remote attackers to execute arbitrary OS commands through unrestricted access to Java classes. | 2025-06-30 | not yet calculated | CVE-2025-26074 |
| Pi-hole LLC--Web | An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the underlying operating system with the privileges of the Pi-hole service user. This behavior was present in the legacy AdminLTE interface and has since been patched in later versions. | 2025-07-03 | not yet calculated | CVE-2025-34087 |
| poppler--poppler | Poppler is a PDF rendering library. Versions prior to 25.06.0 use `std::atomic_int` for reference counting. Because `std::atomic_int` is only 32 bits, it is possible to overflow the reference count and trigger a use-after-free. Version 25.06.0 patches the issue. | 2025-07-02 | not yet calculated | CVE-2025-52886 |
| QUALITIA CO., LTD.--Active! mail 6 | Cross-site scripting vulnerability exists in Active! mail 6 BuildInfo: 6.30.01004145 to 6.60.06008562. If this vulnerability is exploited, an arbitrary script may be executed on the logged-in user's web browser when the user is accessing a specially crafted URL. | 2025-07-02 | not yet calculated | CVE-2025-52462 |
| QUALITIA CO., LTD.--Active! mail 6 | Cross-site request forgery vulnerability exists in Active! mail 6 BuildInfo: 6.60.06008562 and earlier. If this vulnerability is exploited, unintended E-mail may be sent when a user accesses a specially crafted URL while being logged in. | 2025-07-02 | not yet calculated | CVE-2025-52463 |
| RestDB--codehooks-mcp-server | RestDB's Codehooks.io MCP Server is an MCP server on the Codehooks.io platform. Prior to version 0.2.2, the MCP server is written in a way that is vulnerable to command injection attacks as part of some of its MCP Server tools definition and implementation. This could result in a user initiated remote command injection attack on a running MCP Server. This issue has been patched in version 0.2.2. | 2025-07-01 | not yet calculated | CVE-2025-53100 |
| Ricoh Company, Ltd.--RICOH Streamline NX | A reflected cross-site scripting vulnerability via a specific parameter exists in SLNX Help Documentation of RICOH Streamline NX. If this vulnerability is exploited, an arbitrary script may be executed in the web browser of the user who accessed the product. | 2025-06-30 | not yet calculated | CVE-2025-41439 |
| Ruijie--NBR Router | An information disclosure vulnerability exists in Ruijie NBR series routers (known to affect NBR2000G, NBR1300G, and NBR1000 models) via the /WEB_VMS/LEVEL15/ endpoint. By crafting a specific POST request with modified Cookie headers and specially formatted parameters, an unauthenticated attacker can retrieve administrative account credentials in plaintext. This flaw allows direct disclosure of sensitive user data due to improper authentication checks and insecure backend logic. | 2025-07-02 | not yet calculated | CVE-2025-34057 |
| run-llama--run-llama/llama_index | A critical deserialization vulnerability exists in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer prioritizes deserialization using pickle.loads(), which can execute arbitrary code when processing untrusted data. Attackers can exploit this by crafting malicious payloads to achieve full system compromise. The root cause includes an insecure fallback mechanism, lack of validation or safeguards, misleading design, and violation of Python security guidelines. | 2025-07-06 | not yet calculated | CVE-2025-3108 |
| rust-ethereum--ethereum | ethereum is a common ethereum structs for Rust. Prior to ethereum crate v0.18.0, signature malleability (according to EIP-2) was only checked for "legacy" transactions, but not for EIP-2930, EIP-1559 and EIP-7702 transactions. This is a specification deviation. The signature malleability itself is not a security issue and not as high of a risk if the ethereum crate is used on a single-implementation blockchain. This issue has been patched in version v0.18.0. A workaround for this issue involves manually checking transaction malleability outside of the crate, however upgrading is recommended. | 2025-07-02 | not yet calculated | CVE-2025-53359 |
| Samsung Open Source--rLottie | Use After Free vulnerability in Samsung Open Source rLottie allows Remote Code Inclusion.This issue affects rLottie: V0.2. | 2025-06-30 | not yet calculated | CVE-2025-0634 |
| Samsung Open Source--rLottie | Out-of-bounds Read vulnerability in Samsung Open Source rLottie allows Overflow Buffers.This issue affects rLottie: V0.2. | 2025-06-30 | not yet calculated | CVE-2025-53074 |
| Samsung Open Source--rLottie | Improper Input Validation vulnerability in Samsung Open Source rLottie allows Path Traversal.This issue affects rLottie: V0.2. | 2025-06-30 | not yet calculated | CVE-2025-53075 |
| Samsung Open Source--rLottie | Improper Input Validation vulnerability in Samsung Open Source rLottie allows Overread Buffers.This issue affects rLottie: V0.2. | 2025-06-30 | not yet calculated | CVE-2025-53076 |
| Stamparm--Maltrail | An unauthenticated command injection vulnerability exists in stamparm/maltrail (Maltrail) versions <=0.54. A remote attacker can execute arbitrary operating system commands via the username parameter in a POST request to the /login endpoint. This occurs due to unsafe handling of user-supplied input passed to subprocess.check_output() in core/http.py, allowing injection of shell metacharacters. Exploitation does not require authentication and commands are executed with the privileges of the Maltrail process. | 2025-07-02 | not yet calculated | CVE-2025-34073 |
| sysadminsmedia--homebox | HomeBox is a home inventory and organization system. Prior to 0.20.1, HomeBox contains a missing authorization check in the API endpoints responsible for updating and deleting inventory item attachments. This flaw allows authenticated users to perform unauthorized actions on inventory item attachments that they do not own. This issue could lead to unauthorized data manipulation or loss of critical inventory data. This issue has been patched in version 0.20.1. There are no workarounds, users must upgrade. | 2025-07-02 | not yet calculated | CVE-2025-53108 |
| Tenda--AC6 | Tenda AC6 v15.03.05.16_multi is vulnerable to Buffer Overflow in the SetSysTimeCfg function via the time parameter. | 2025-07-03 | not yet calculated | CVE-2025-50258 |
| Tenda--AC6 | Tenda AC6 v15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetFirewallCfg function via the firewallEn parameter. | 2025-07-03 | not yet calculated | CVE-2025-50260 |
| Tenda--AC6 | Tenda AC6 v15.03.05.16_multi is vulnerable to Buffer Overflow in the formSetQosBand function via the list parameter. | 2025-07-03 | not yet calculated | CVE-2025-50262 |
| Tenda--AC6 | Tenda AC6 v15.03.05.16_multi is vulnerable to Buffer Overflow in the fromSetRouteStatic function via the list parameter. | 2025-07-03 | not yet calculated | CVE-2025-50263 |
| Tenda--AC6 | Tenda AC6 15.03.05.16_multi is vulnerable to Buffer Overflow in the addWifiMacFilter function via the parameter deviceId. | 2025-07-01 | not yet calculated | CVE-2025-50641 |
| Tenda--n/a | A buffer overflow in the formSetCfm() function of Tenda AC1206 1200M 11ac US_AC1206V1.0RTL_V15.03.06.23_multi_TD01 allows attackers to cause a Denial of Service (DoS) via a crafted POST request. | 2025-06-30 | not yet calculated | CVE-2024-53621 |
| Trellix--Endpoint Security HX | A stored cross-site scripting vulnerability in ENS HX 10.0.4 allows a malicious user to inject arbitrary HTML into the ENS HX Malware Scan Name field, resulting in the exposure of sensitive data. | 2025-07-01 | not yet calculated | CVE-2025-5967 |
| Unknown--Contact Form Plugin | The Contact Form Plugin WordPress plugin before 1.1.29 does not sanitise and escape some of its settings, which could allow high privilege users such as contributor to perform Stored Cross-Site Scripting attacks. | 2025-06-30 | not yet calculated | CVE-2025-5730 |
| Unknown--Sharable Password Protected Posts | The Sharable Password Protected Posts before version 1.1.1 allows access to password protected posts by providing a secret key in a GET parameter. However, the key is exposed by the REST API. | 2025-07-04 | not yet calculated | CVE-2025-5920 |
| Unknown--WP Lightbox 2 | The WP Lightbox 2 WordPress plugin before 3.0.6.8 does not correctly sanitize the value of the title attribute of links before using them, which may allow malicious users to conduct XSS attacks. | 2025-06-30 | not yet calculated | CVE-2025-3745 |
| Wikimedia Foundation--Mediawiki - CampaignEvents Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - CampaignEvents Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - CampaignEvents Extension: from 1.43.X before 1.43.2. | 2025-07-03 | not yet calculated | CVE-2025-53490 |
| Wikimedia Foundation--Mediawiki - CentralAuth Extension | Improper Authentication vulnerability in Wikimedia Foundation Mediawiki - CentralAuth Extension allows : Bypass Authentication.This issue affects Mediawiki - CentralAuth Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-03 | not yet calculated | CVE-2025-6926 |
| Wikimedia Foundation--Mediawiki - FeaturedFeeds Extension | Improper Input Validation vulnerability in Wikimedia Foundation Mediawiki - FeaturedFeeds Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - FeaturedFeeds Extension: 1.39.X, 1.42.X, 1.43.X. | 2025-07-03 | not yet calculated | CVE-2025-53502 |
| Wikimedia Foundation--Mediawiki - GoogleDocs4MW Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - GoogleDocs4MW Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - GoogleDocs4MW Extension: from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-03 | not yet calculated | CVE-2025-53489 |
| Wikimedia Foundation--Mediawiki - IPInfo Extension | Uncontrolled Resource Consumption vulnerability in Wikimedia Foundation Mediawiki - IPInfo Extension allows Excessive Allocation.This issue affects Mediawiki - IPInfo Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-04 | not yet calculated | CVE-2025-53481 |
| Wikimedia Foundation--Mediawiki - IPInfo Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - IPInfo Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - IPInfo Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-04 | not yet calculated | CVE-2025-53482 |
| Wikimedia Foundation--Mediawiki - MassEditRegex Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - MassEditRegex Extension allows Stored XSS.This issue affects Mediawiki - MassEditRegex Extension: from 1.39.X before 1.39.12, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-03 | not yet calculated | CVE-2025-53500 |
| Wikimedia Foundation--Mediawiki - MintyDocs Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - MintyDocs Extension allows Stored XSS.This issue affects Mediawiki - MintyDocs Extension: from 1.43.X before 1.43.2. | 2025-07-02 | not yet calculated | CVE-2025-53492 |
| Wikimedia Foundation--Mediawiki - MintyDocs Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - MintyDocs Extension allows Stored XSS.This issue affects Mediawiki - MintyDocs Extension: from 1.43.X before 1.43.2. | 2025-07-02 | not yet calculated | CVE-2025-53493 |
| Wikimedia Foundation--Mediawiki - Scribunto Extension | Improper Access Control vulnerability in Wikimedia Foundation Mediawiki - Scribunto Extension allows : Accessing Functionality Not Properly Constrained by Authorization.This issue affects Mediawiki - Scribunto Extension: from 1.39.X before 1.39.12, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-03 | not yet calculated | CVE-2025-53501 |
| Wikimedia Foundation--Mediawiki - SecurePoll extension | ArchivePage.php, UnarchivePage.php, and VoterEligibilityPage#executeClear() do not validate request methods or CSRF tokens, allowing attackers to trigger sensitive actions if an admin visits a malicious site. This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-04 | not yet calculated | CVE-2025-53483 |
| Wikimedia Foundation--Mediawiki - SecurePoll extension | User-controlled inputs are improperly escaped in: * VotePage.php (poll option input) * ResultPage::getPagesTab() and getErrorsTab() (user-controllable page names) This allows attackers to inject JavaScript and compromise user sessions under certain conditions. This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-04 | not yet calculated | CVE-2025-53484 |
| Wikimedia Foundation--Mediawiki - SecurePoll extension | SetTranslationHandler.php does not validate that the user is an election admin, allowing any (even unauthenticated) user to change election-related translation text. While partially broken in newer MediaWiki versions, the check is still missing. This issue affects Mediawiki - SecurePoll extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-04 | not yet calculated | CVE-2025-53485 |
| Wikimedia Foundation--Mediawiki - TwoColConflict Extension | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - TwoColConflict Extension allows Stored XSS.This issue affects Mediawiki - TwoColConflict Extension: from 1.39.X before 1.39.13, from 1.42.X before 1.42.7, from 1.43.X before 1.43.2. | 2025-07-02 | not yet calculated | CVE-2025-53494 |
| WINSTAR--WN572HP3 | WINSTAR WN572HP3 v230525 was discovered to contain a heap overflow via the CONTENT_LENGTH variable at /cgi-bin/upload.cgi. | 2025-07-02 | not yet calculated | CVE-2025-45029 |
| wireapp--wire-ios | wire-ios is an iOS client for the Wire secure messaging application. From Wire iOS 3.111.1 to before 3.124.1, messages that were visible in the view port have been logged to the iOS system logs in clear text. Wire application logs created and managed by the application itself were not affected, especially not the logs users can export and send to Wire support. The iOS logs can only be accessed if someone had (physical) access to the underlying unlocked device. The issue manifested itself by calling canOpenUrl() and passing an invalid URL object. When iOS then performs the check and fails, it logs the contents to the system log. This is not documented behaviour. Wire released an emergency fix with version 3.124.1. As a workaround, users can reset their iOS device to remove the offending logs. Since Wire cannot access or modify iOS system logs, there's no other workaround other than a reset. | 2025-07-03 | not yet calculated | CVE-2025-49846 |
| Zhejiang Dahua Technology Co., Ltd.--Smart Cloud Gateway Registration Management Platform | An SQL injection vulnerability exists in the Dahua Smart Cloud Gateway Registration Management Platform via the username parameter in the /index.php/User/doLogin endpoint. The application fails to properly sanitize user input, allowing unauthenticated attackers to inject arbitrary SQL statements and potentially disclose sensitive information. | 2025-07-01 | not yet calculated | CVE-2025-34059 |
Vulnerability Summary for the Week of June 23, 2025
Posted on Monday June 30, 2025
High Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 70mai--M300 | A vulnerability was found in 70mai M300 up to 20250611 and classified as critical. Affected by this issue is some unknown functionality of the component Telnet Service. The manipulation leads to use of default credentials. The attack needs to be initiated within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-23 | 8.8 | CVE-2025-6529 |
| AcmeeDesign--WPShapere Lite | Cross-Site Request Forgery (CSRF) vulnerability in AcmeeDesign WPShapere Lite allows Stored XSS. This issue affects WPShapere Lite: from n/a through 1.4. | 2025-06-27 | 7.1 | CVE-2025-53317 |
| Adrian Tobey--FormLift for Infusionsoft Web Forms | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Reflected XSS. This issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.20. | 2025-06-27 | 7.1 | CVE-2025-47654 |
| Advantech--Advantech Wireless Sensing and Equipment (WISE) | Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload firmware through a public update page, potentially leading to backdoor installation or privilege escalation. | 2025-06-24 | 9.6 | CVE-2025-48469 |
| Advantech--Advantech Wireless Sensing and Equipment (WISE) | Successful exploitation of the vulnerability could allow an unauthenticated, remote attacker to send Modbus TCP packets to manipulate Digital Outputs, potentially allowing remote control of relay channel which may lead to operational or safety risks. | 2025-06-24 | 8.1 | CVE-2025-48466 |
| aharonyan--WP Front User Submit / Front Editor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aharonyan WP Front User Submit / Front Editor allows Reflected XSS. This issue affects WP Front User Submit / Front Editor: from n/a through 4.9.3. | 2025-06-27 | 7.1 | CVE-2025-28988 |
| alanft--Relocate Upload | Cross-Site Request Forgery (CSRF) vulnerability in alanft Relocate Upload allows Stored XSS. This issue affects Relocate Upload: from n/a through 0.24.1. | 2025-06-27 | 7.1 | CVE-2025-53315 |
| allure-framework--allure2 | Allure 2 is the version 2.x branch of Allure Report, a multi-language test reporting tool. A critical XML External Entity (XXE) vulnerability exists in the xunit-xml-plugin used by Allure 2 prior to version 2.34.1. The plugin fails to securely configure the XML parser (`DocumentBuilderFactory`) and allows external entity expansion when processing test result .xml files. This allows attackers to read arbitrary files from the file system and potentially trigger server-side request forgery (SSRF). Version 2.34.1 contains a patch for the issue. | 2025-06-24 | 7.5 | CVE-2025-52888 |
| Amol Nirmala Waman--Navayan Subscribe | Cross-Site Request Forgery (CSRF) vulnerability in Amol Nirmala Waman Navayan Subscribe allows Stored XSS. This issue affects Navayan Subscribe: from n/a through 1.13. | 2025-06-27 | 7.1 | CVE-2025-53311 |
| AncoraThemes--CityGov | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CityGov allows PHP Local File Inclusion. This issue affects CityGov: from n/a through 1.9. | 2025-06-27 | 8.1 | CVE-2025-52815 |
| Anton Bond--Additional Order Filters for WooCommerce | Cross-Site Request Forgery (CSRF) vulnerability in Anton Bond Additional Order Filters for WooCommerce allows Stored XSS. This issue affects Additional Order Filters for WooCommerce: from n/a through 1.22. | 2025-06-27 | 7.1 | CVE-2025-53271 |
| ApusWP--Domnoo | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusWP Domnoo allows PHP Local File Inclusion. This issue affects Domnoo: from n/a through 1.49. | 2025-06-27 | 8.1 | CVE-2025-52812 |
| Arraytics--Eventin | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arraytics Eventin allows Reflected XSS. This issue affects Eventin: from n/a through 4.0.28. | 2025-06-27 | 7.1 | CVE-2025-49321 |
| Art-in Biliim Teknolojileri ve Yazlm Hizm. Tic. Ltd. ti.--Wi-Fi Cloud Hotspot | Improper Restriction of Excessive Authentication Attempts vulnerability in Art-in Bilişim Teknolojileri ve Yazılım Hizm. Tic. Ltd. Şti. Wi-Fi Cloud Hotspot allows Authentication Abuse, Authentication Bypass.This issue affects Wi-Fi Cloud Hotspot: before 30.05.2025. | 2025-06-24 | 9.3 | CVE-2025-4383 |
| Ataturk University--ATA-AOF Mobile Application | Cleartext Transmission of Sensitive Information, Use of Hard-coded Credentials vulnerability in Ataturk University ATA-AOF Mobile Application allows Authentication Abuse, Authentication Bypass.This issue affects ATA-AOF Mobile Application: before 20.06.2025. | 2025-06-24 | 10 | CVE-2025-4378 |
| beeteam368--BeeTeam368 Extensions | The BeeTeam368 Extensions plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.3.4 via the handle_remove_temp_file() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory. This vulnerability can be used to delete the wp-config.php file, which can be leveraged into a site takeover. | 2025-06-28 | 8.8 | CVE-2025-6381 |
| beeteam368--BeeTeam368 Extensions Pro | The BeeTeam368 Extensions Pro plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.3.4 via the handle_live_fn() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform actions on files outside of the originally intended directory. This vulnerability can be used to delete the wp-config.php file, which can be leveraged into a site takeover. | 2025-06-28 | 8.8 | CVE-2025-6379 |
| Bizerba SE & Co. KG--BRAIN2 | On a client with a non-admin user, a script can be integrated into a report. The reports could later be executed on the BRAIN2 server with administrator rights. | 2025-06-23 | 10 | CVE-2025-6512 |
| Bizerba SE & Co. KG--BRAIN2 | Standard Windows users can access the configuration file for database access of the BRAIN2 application and decrypt it. | 2025-06-23 | 9.3 | CVE-2025-6513 |
| blafoley--PT Project Notebooks Take Meeting minutes, create budgets, track task management, and more | The PT Project Notebooks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the wpnb_pto_new_users_add() function in versions 1.0.0 through 1.1.3. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator. | 2025-06-28 | 9.8 | CVE-2025-5304 |
| bocaletto-luca--elixir-system-monitor | SysmonElixir is a system monitor HTTP service in Elixir. Prior to version 1.0.1, the /read endpoint reads any file from the server's /etc/passwd by default. In v1.0.1, a whitelist was added that limits reading to only files under priv/data. This issue has been patched in version 1.0.1. | 2025-06-24 | 7.5 | CVE-2025-52574 |
| BoldThemes--Amwerk | Deserialization of Untrusted Data vulnerability in BoldThemes Amwerk allows Object Injection. This issue affects Amwerk: from n/a through 1.2.0. | 2025-06-27 | 9.8 | CVE-2025-52724 |
| Brother Industries, Ltd--HL-L8260CDN | An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device. An unauthenticated attacker can first discover the target device's serial number via CVE-2024-51977 over HTTP/HTTPS/IPP, or via a PJL request, or via an SNMP request. | 2025-06-25 | 9.8 | CVE-2024-51978 |
| Brother Industries, Ltd--HL-L8260CDN | An authenticated attacker may trigger a stack based buffer overflow by performing a malformed request to either the HTTP service (TCP port 80), the HTTPS service (TCP port 443), or the IPP service (TCP port 631). The malformed request will contain an empty Origin header value and a malformed Referer header value. The Referer header value will trigger a stack based buffer overflow when the host value in the Referer header is processed and is greater than 64 bytes in length. | 2025-06-25 | 7.2 | CVE-2024-51979 |
| Brother Industries, Ltd--HL-L8260CDN | An unauthenticated attacker who can connect to TCP port 9100 can issue a Printer Job Language (PJL) command that will crash the target device. The device will reboot, after which the attacker can reissue the command to repeatedly crash the device. A malformed PJL variable FORMLINES is set to a non number value causing the target to crash. | 2025-06-25 | 7.5 | CVE-2024-51982 |
| Brother Industries, Ltd--HL-L8260CDN | An unauthenticated attacker who can connect to the Web Services feature (HTTP TCP port 80) can issue a WS-Scan SOAP request containing an unexpected JobToken value which will crash the target device. The device will reboot, after which the attacker can reissue the command to repeatedly crash the device. | 2025-06-25 | 7.5 | CVE-2024-51983 |
| BuddhaThemes--HYDRO | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BuddhaThemes HYDRO allows Reflected XSS. This issue affects HYDRO: from n/a through 2.8. | 2025-06-27 | 7.1 | CVE-2025-31428 |
| BZOTheme--PrintXtore | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme PrintXtore allows PHP Local File Inclusion. This issue affects PrintXtore: from n/a through 1.7.5. | 2025-06-27 | 8.1 | CVE-2025-28946 |
| BZOTheme--Zenny | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Zenny allows PHP Local File Inclusion. This issue affects Zenny: from n/a through 1.7.5. | 2025-06-27 | 8.1 | CVE-2025-24769 |
| Campcodes--Online Recruitment Management System | A vulnerability was found in Campcodes Online Recruitment Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file Recruitment/admin/view_application.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-24 | 7.3 | CVE-2025-6567 |
| Canonical--cloud-init | When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration. | 2025-06-26 | 8.8 | CVE-2024-6174 |
| Case Informatics--Case ERP | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Case Informatics Case ERP allows SQL Injection.This issue affects Case ERP: before V2.0.1. | 2025-06-27 | 9.8 | CVE-2024-11739 |
| Case-Themes--CTUsers | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Case-Themes CTUsers allows PHP Local File Inclusion. This issue affects CTUsers: from n/a through 1.0.0. | 2025-06-27 | 7.5 | CVE-2025-32298 |
| chrisbadgett--LifterLMS | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in chrisbadgett LifterLMS allows SQL Injection. This issue affects LifterLMS: from n/a through 8.0.6. | 2025-06-27 | 9.3 | CVE-2025-52717 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in an internal API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to upload arbitrary files to an affected device and then execute those files on the underlying operating system as root. This vulnerability is due a lack of file validation checks that would prevent uploaded files from being placed in privileged directories on an affected system. An attacker could exploit this vulnerability by uploading a crafted file to the affected device. A successful exploit could allow the attacker to store malicious files on the affected system and then execute arbitrary code or obtain root privileges on the system. | 2025-06-25 | 10 | CVE-2025-20282 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit this vulnerability. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device. | 2025-06-25 | 9.8 | CVE-2025-20281 |
| code-projects--Car Rental System | A vulnerability was found in code-projects Car Rental System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /message_admin.php. The manipulation of the argument Message leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-24 | 7.3 | CVE-2025-6579 |
| code-projects--Food Distributor Site | A vulnerability, which was classified as critical, has been found in code-projects Food Distributor Site 1.0. This issue affects some unknown processing of the file /admin/process_login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-27 | 7.3 | CVE-2025-6777 |
| code-projects--Inventory Management System | A vulnerability, which was classified as critical, has been found in code-projects Inventory Management System 1.0. Affected by this issue is some unknown functionality of the file /php_action/editCategories.php. The manipulation of the argument editCategoriesName leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-23 | 7.3 | CVE-2025-6500 |
| code-projects--Inventory Management System | A vulnerability, which was classified as critical, was found in code-projects Inventory Management System 1.0. This affects an unknown part of the file /php_action/createCategories.php. The manipulation of the argument categoriesStatus leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-23 | 7.3 | CVE-2025-6501 |
| code-projects--Inventory Management System | A vulnerability has been found in code-projects Inventory Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /php_action/changePassword.php. The manipulation of the argument user_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-23 | 7.3 | CVE-2025-6502 |
| code-projects--Inventory Management System | A vulnerability was found in code-projects Inventory Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /php_action/fetchSelectedCategories.php. The manipulation of the argument categoriesId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-23 | 7.3 | CVE-2025-6503 |
| code-projects--Inventory Management System | A vulnerability was found in code-projects Inventory Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /php_action/createBrand.php. The manipulation of the argument brandStatus leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 7.3 | CVE-2025-6611 |
| code-projects--Inventory Management System | A vulnerability was found in code-projects Inventory Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /php_action/removeCategories.php. The manipulation of the argument categoriesId leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 7.3 | CVE-2025-6612 |
| code-projects--Inventory Management System | A vulnerability has been found in code-projects Inventory Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /php_action/editBrand.php. The manipulation of the argument editBrandStatus leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 7.3 | CVE-2025-6665 |
| code-projects--Inventory Management System | A vulnerability was found in code-projects Inventory Management System 1.0. It has been classified as critical. This affects an unknown part of the file /php_action/fetchSelectedBrand.php. The manipulation of the argument brandId leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 7.3 | CVE-2025-6668 |
| code-projects--Inventory Management System | A vulnerability has been found in code-projects Inventory Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /php_action/removeBrand.php. The manipulation of the argument brandId leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 7.3 | CVE-2025-6819 |
| code-projects--Inventory Management System | A vulnerability was found in code-projects Inventory Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /php_action/createProduct.php. The manipulation of the argument productName leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 7.3 | CVE-2025-6820 |
| code-projects--Inventory Management System | A vulnerability was found in code-projects Inventory Management System 1.0. It has been classified as critical. This affects an unknown part of the file /php_action/createOrder.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 7.3 | CVE-2025-6821 |
| code-projects--Inventory Management System | A vulnerability was found in code-projects Inventory Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /php_action/removeProduct.php. The manipulation of the argument productId leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 7.3 | CVE-2025-6822 |
| code-projects--Inventory Management System | A vulnerability was found in code-projects Inventory Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /php_action/editProduct.php. The manipulation of the argument editProductName leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 7.3 | CVE-2025-6823 |
| code-projects--Inventory Management System | A vulnerability, which was classified as critical, was found in code-projects Inventory Management System 1.0. This affects an unknown part of the file /php_action/editOrder.php. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 7.3 | CVE-2025-6827 |
| code-projects--Inventory Management System | A vulnerability has been found in code-projects Inventory Management System 1.0 and classified as critical. This vulnerability affects unknown code of the file /orders.php. The manipulation of the argument i leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 7.3 | CVE-2025-6828 |
| code-projects--Inventory Management System | A vulnerability was found in code-projects Inventory Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /php_action/editPayment.php. The manipulation of the argument orderId leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 7.3 | CVE-2025-6834 |
| code-projects--Library System | A vulnerability was found in code-projects Library System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /student-issue-book.php. The manipulation of the argument reg leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 7.3 | CVE-2025-6835 |
| code-projects--Library System | A vulnerability classified as critical has been found in code-projects Library System 1.0. Affected is an unknown function of the file /profile.php. The manipulation of the argument phone leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well. | 2025-06-29 | 7.3 | CVE-2025-6836 |
| code-projects--Payroll Management System | A vulnerability, which was classified as critical, has been found in code-projects Payroll Management System 1.0. Affected by this issue is some unknown functionality of the file /Payroll_Management_System/ajax.php?action=save_department. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 7.3 | CVE-2025-6826 |
| code-projects--Product Inventory System | A vulnerability, which was classified as critical, was found in code-projects Product Inventory System 1.0. This affects an unknown part of the file /index.php of the component Login. The manipulation of the argument Username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 7.3 | CVE-2025-6840 |
| code-projects--Simple Forum | A vulnerability was found in code-projects Simple Forum 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /signin.php. The manipulation of the argument User leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 7.3 | CVE-2025-6844 |
| code-projects--Simple Forum | A vulnerability was found in code-projects Simple Forum 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /register1.php. The manipulation of the argument User leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 7.3 | CVE-2025-6845 |
| code-projects--Simple Forum | A vulnerability classified as critical has been found in code-projects Simple Forum 1.0. This affects an unknown part of the file /forum_viewfile.php. The manipulation of the argument Name leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 7.3 | CVE-2025-6846 |
| code-projects--Simple Online Hotel Reservation System | A vulnerability was found in code-projects Simple Online Hotel Reservation System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/delete_account.php. The manipulation of the argument admin_id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-24 | 7.3 | CVE-2025-6578 |
| code-projects--Simple Photo Gallery | A vulnerability was found in code-projects Simple Photo Gallery 1.0. It has been classified as critical. Affected is an unknown function of the file /upload-photo.php. The manipulation of the argument file_img leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 7.3 | CVE-2025-6843 |
| CodeRevolution--Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit | The Aiomatic - Automatic AI Content Writer & Editor, GPT-3 & GPT-4, ChatGPT ChatBot & AI Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aiomatic_image_editor_ajax_submit' function in all versions up to, and including, 2.5.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. In order to exploit the vulnerability, there must be a value entered for the Stability.AI API key. The value can be arbitrary. | 2025-06-24 | 7.5 | CVE-2025-6206 |
| codesupplyco--Networker | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in codesupplyco Networker allows PHP Local File Inclusion. This issue affects Networker: from n/a through 1.2.0. | 2025-06-27 | 8.1 | CVE-2025-52723 |
| Comet System--T0510 | A vulnerability classified as critical was found in Comet System T0510, T3510, T3511, T4511, T6640, T7511, T7611, P8510, P8552 and H3531 1.60. This vulnerability affects unknown code of the file /setupA.cfg of the component Web-based Management Interface. The manipulation leads to missing authentication. Access to the local network is required for this attack. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-27 | 7.5 | CVE-2025-6763 |
| ControlID--iDSecure On-premises | ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries. | 2025-06-24 | 9.1 | CVE-2025-49853 |
| ControlID--iDSecure On-premises | ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a server-side request forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers. | 2025-06-24 | 7.5 | CVE-2025-49852 |
| ConvoyPanel--panel | Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious locale and namespace parameters. This allows the attacker to include and execute arbitrary PHP files on the server. This issue has been patched in version 4.4.1. A temporary workaround involves implementing strict Web Application Firewall (WAF) rules to incoming requests targeting the vulnerable endpoints. | 2025-06-23 | 10 | CVE-2025-52562 |
| Creanncy--Davenport - Versatile Blog and Magazine WordPress Theme | Path Traversal vulnerability in Creanncy Davenport - Versatile Blog and Magazine WordPress Theme allows PHP Local File Inclusion. This issue affects Davenport - Versatile Blog and Magazine WordPress Theme: from n/a through 1.3. | 2025-06-27 | 8.1 | CVE-2025-52811 |
| D-Link--DIR-619L | A vulnerability, which was classified as critical, has been found in D-Link DIR-619L 2.06B01. Affected by this issue is the function formSetWANType_Wizard5 of the file /goform/formSetWANType_Wizard5. The manipulation of the argument curTime leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-06-25 | 8.8 | CVE-2025-6614 |
| D-Link--DIR-619L | A vulnerability, which was classified as critical, was found in D-Link DIR-619L 2.06B01. This affects the function formAutoDetecWAN_wizard4 of the file /goform/formAutoDetecWAN_wizard4. The manipulation of the argument curTime leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-06-25 | 8.8 | CVE-2025-6615 |
| D-Link--DIR-619L | A vulnerability has been found in D-Link DIR-619L 2.06B01 and classified as critical. This vulnerability affects the function formSetWAN_Wizard51 of the file /goform/formSetWAN_Wizard51. The manipulation of the argument curTime leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-06-25 | 8.8 | CVE-2025-6616 |
| D-Link--DIR-619L | A vulnerability was found in D-Link DIR-619L 2.06B01 and classified as critical. This issue affects the function formAdvanceSetup of the file /goform/formAdvanceSetup. The manipulation of the argument webpage leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2025-06-25 | 8.8 | CVE-2025-6617 |
| Debian--zulucrypt | The Debian zuluPolkit/CMakeLists.txt file for zuluCrypt through the zulucrypt_6.2.0-1 package has insecure PolicyKit allow_any/allow_inactive/allow_active settings that allow a local user to escalate their privileges to root. | 2025-06-28 | 9.3 | CVE-2025-53391 |
| Dejan Jasnic--Trusty Whistleblowing | Missing Authorization vulnerability in Dejan Jasnic Trusty Whistleblowing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trusty Whistleblowing: from n/a through 1.5.2. | 2025-06-27 | 8.2 | CVE-2025-52818 |
| Dell--Unisphere for PowerMax vApp | Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Code execution. | 2025-06-27 | 7.2 | CVE-2025-36595 |
| designthemes--LMS | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes LMS allows Reflected XSS. This issue affects LMS: from n/a through 9.1. | 2025-06-27 | 7.1 | CVE-2025-52799 |
| devnex--Devnex Addons For Elementor | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in devnex Devnex Addons For Elementor allows PHP Local File Inclusion. This issue affects Devnex Addons For Elementor: from n/a through 1.0.9. | 2025-06-27 | 7.5 | CVE-2025-53339 |
| DirectIQ--DirectIQ Email Marketing | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in DirectIQ DirectIQ Email Marketing allows SQL Injection. This issue affects DirectIQ Email Marketing: from n/a through 2.0. | 2025-06-27 | 9.3 | CVE-2025-52829 |
| discourse--discourse | Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy enabled. | 2025-06-25 | 8.1 | CVE-2025-48954 |
| dor--re.place | Cross-Site Request Forgery (CSRF) vulnerability in dor re.place allows Stored XSS. This issue affects re.place: from n/a through 0.2.1. | 2025-06-27 | 7.1 | CVE-2025-53338 |
| Dover Fueling Solutions--ProGauge MagLink LX 4 | Dover Fueling Solutions ProGauge MagLink LX Consoles expose an undocumented and unauthenticated target communication framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution. | 2025-06-27 | 9.8 | CVE-2025-5310 |
| dugudlabs--SpecFit-Virtual Try On Woocommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dugudlabs SpecFit-Virtual Try On Woocommerce allows Stored XSS. This issue affects SpecFit-Virtual Try On Woocommerce: from n/a through 7.0.6. | 2025-06-27 | 7.1 | CVE-2025-23973 |
| eosphoros-ai--db-gpt | A vulnerability was found in eosphoros-ai db-gpt up to 0.7.2. It has been classified as critical. Affected is the function import_flow of the file /api/v2/serve/awel/flow/import. The manipulation of the argument File leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-27 | 7.3 | CVE-2025-6772 |
| Eron Software--Wowwo CRM | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eron Software Wowwo CRM allows Blind SQL Injection.This issue affects . NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available. | 2025-06-27 | 9.8 | CVE-2024-12150 |
| ESAPI--esapi-java-legacy | A vulnerability was found in ESAPI esapi-java-legacy and classified as problematic. This issue affects the interface Encoder.encodeForSQL of the SQL Injection Defense. An attack leads to an improper neutralization of special elements. The attack may be initiated remotely and an exploit has been disclosed to the public. The project was contacted early about this issue and handled it with an exceptional level of professionalism. Upgrading to version 2.7.0.0 is able to address this issue. Commit ID f75ac2c2647a81d2cfbdc9c899f8719c240ed512 is disabling the feature by default and any attempt to use it will trigger a warning. And commit ID e2322914304d9b1c52523ff24be495b7832f6a56 is updating the misleading Java class documentation to warn about the risks. | 2025-06-29 | 7.3 | CVE-2025-5878 |
| ethoseo--Track Everything | Cross-Site Request Forgery (CSRF) vulnerability in ethoseo Track Everything allows Stored XSS. This issue affects Track Everything: from n/a through 2.0.1. | 2025-06-27 | 7.1 | CVE-2025-53332 |
| FasterThemes--FastBook | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FasterThemes FastBook allows Stored XSS. This issue affects FastBook: from n/a through 1.1. | 2025-06-27 | 7.1 | CVE-2025-25173 |
| Fastw3b LLC--FW Food Menu | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Fastw3b LLC FW Food Menu allows Path Traversal. This issue affects FW Food Menu : from n/a through 6.0.0. | 2025-06-27 | 8.6 | CVE-2025-49448 |
| Fastw3b LLC--FW Gallery | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Fastw3b LLC FW Gallery allows PHP Local File Inclusion. This issue affects FW Gallery: from n/a through 8.0.0. | 2025-06-27 | 8.1 | CVE-2025-49416 |
| favethemes--Homey | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in favethemes Homey allows SQL Injection. This issue affects Homey: from n/a through 2.4.5. | 2025-06-27 | 9.3 | CVE-2025-52834 |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In version 2.32.0, the Command Execution feature of File Browser only allows the execution of shell command which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void. The concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the `Execute commands` permissions can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the uid of the server process. Until this issue is fixed, the maintainers recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. As a defense-in-depth measure, organizations not requiring command execution should operate the Filebrowser from a distroless container image. A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. The fix is tracked on pull request 5199. | 2025-06-26 | 8.1 | CVE-2025-52903 |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In version 2.32.0 of the web application, all users have a scope assigned, and they only have access to the files within that scope. The Command Execution feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server. Until this issue is fixed, the maintainers recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. As a defense-in-depth measure, organizations not requiring command execution should operate the Filebrowser from a distroless container image. A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. Fix is tracked on pull request 5199. | 2025-06-26 | 8.1 | CVE-2025-52904 |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The Markdown preview function of File Browser prior to v2.33.7 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser. Version 2.33.7 contains a fix for the issue. | 2025-06-26 | 7.6 | CVE-2025-52902 |
| flexostudio--Flexo Counter | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio Flexo Counter allows Reflected XSS. This issue affects Flexo Counter: from n/a through 1.0001. | 2025-06-27 | 7.1 | CVE-2025-50052 |
| FocuxTheme--WPKit For Elementor | Missing Authorization vulnerability in FocuxTheme WPKit For Elementor allows Privilege Escalation. This issue affects WPKit For Elementor: from n/a through 1.1.0. | 2025-06-27 | 9.8 | CVE-2025-32281 |
| Funnnny--HidePost | Cross-Site Request Forgery (CSRF) vulnerability in Funnnny HidePost allows Reflected XSS. This issue affects HidePost: from n/a through 2.3.8. | 2025-06-27 | 7.1 | CVE-2025-53310 |
| gameusers--Game Users Share Buttons | The Game Users Share Buttons plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ajaxDeleteTheme() function in all versions up to, and including, 1.3.0. This makes it possible for Subscriber-level attackers to add arbitrary file paths (such as ../../../../wp-config.php) to the themeNameId parameter of the AJAX request, which can lead to remote code execution. | 2025-06-28 | 8.8 | CVE-2025-6755 |
| getredhawkstudio--File Manager Plugin For Wordpress | Unrestricted Upload of File with Dangerous Type vulnerability in getredhawkstudio File Manager Plugin For Wordpress allows Upload a Web Shell to a Web Server. This issue affects File Manager Plugin For Wordpress: from n/a through 7.5. | 2025-06-27 | 9.1 | CVE-2025-53260 |
| ggml-org--llama.cpp | llama.cpp is an inference of several LLM models in C/C++. Prior to version b5721, there is a signed vs. unsigned integer overflow in llama.cpp's tokenizer implementation (llama_vocab::tokenize) (src/llama-vocab.cpp:3036) resulting in unintended behavior in tokens copying size comparison. Allowing heap-overflowing llama.cpp inferencing engine with carefully manipulated text input during tokenization process. This issue has been patched in version b5721. | 2025-06-24 | 8.6 | CVE-2025-52566 |
| goalthemes--Sofass | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Sofass allows PHP Local File Inclusion. This issue affects Sofass: from n/a through 1.3.4. | 2025-06-27 | 8.1 | CVE-2025-24760 |
| gogs--gogs | Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instance with the privileges of the account specified by RUN_USER in the configuration. Allowing attackers to access and alter any users' code hosted on the same instance. This issue has been patched in version 0.13.3. | 2025-06-24 | 10 | CVE-2024-56731 |
| gopi_plus--Image Slider With Description | Cross-Site Request Forgery (CSRF) vulnerability in gopi_plus Image Slider With Description allows Stored XSS. This issue affects Image Slider With Description: from n/a through 9.2. | 2025-06-27 | 7.1 | CVE-2025-53308 |
| gopiplus--Owl carousel responsive | The Owl carousel responsive plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' parameter in all versions up to, and including, 1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2025-06-26 | 8.8 | CVE-2025-5590 |
| HaruTheme--Drag and Drop Multiple File Upload (Pro) - WooCommerce | Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme Drag and Drop Multiple File Upload (Pro) - WooCommerce allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop Multiple File Upload (Pro) - WooCommerce: from n/a through 5.0.6. | 2025-06-27 | 10 | CVE-2025-49885 |
| Helmholz--myREX24 | An unauthenticated remote attacker can enumerate valid user names from an unprotected endpoint. | 2025-06-24 | 7.5 | CVE-2025-3092 |
| Hewlett Packard Enterprise--HPE OneView for VMware vCenter | A potential security vulnerability has been identified in HPE OneView for VMware vCenter (OV4VC). This vulnerability could be exploited allowing an attacker with read only privilege to cause Vertical Privilege Escalation (operator can perform admin actions). | 2025-06-26 | 8.7 | CVE-2025-37101 |
| hikariatama--Hikka | Hikka, a Telegram userbot, has vulnerability affects all users on all versions of Hikka. Two scenarios are possible. 1. Web interface does not have an authenticated session: attacker can use his own Telegram account to gain RCE to the server by authorizing in the dangling web interface. 2. Web interface does have an authenticated session: due to insufficient warning in the authentication message, users were tempted to click "Allow" in the "Allow web application ops" menu. This gave an attacker access not only to remote code execution, but also to Telegram accounts of owners. Scenario number 2 is known to have been exploited in the wild. No known patches are available, but some workarounds are available. Use `--no-web` flag and do not start userbot without it; after authorizing in the web interface, close the port on the server and/or start the userbot with `--no-web` flag; and do not click "Allow" in your helper bot unless it is your explicit action that needs to be allowed. | 2025-06-24 | 10 | CVE-2025-52572 |
| hikariatama--Hikka | Hikka is a Telegram userbot. A vulnerability affects all users of versions below 1.6.2, including most of the forks. It allows an unauthenticated attacker to gain access to Telegram account of a victim, as well as full access to the server. The issue is patched in version 1.6.2. No known workarounds are available. | 2025-06-24 | 9.7 | CVE-2025-52571 |
| Hitachi Energy--MicroSCADA X SYS600 | A vulnerability exists in in the Monitor Pro interface of the MicroSCADA X SYS600 product. An authenticated user with low privileges can see and overwrite files causing information leak and data corruption. | 2025-06-24 | 7.3 | CVE-2025-39202 |
| Hitachi Energy--Relion 670/650 and SAM600-IO | A denial-of-service vulnerability due to improper prioritization of network traffic over protection mechanism exists in Relion 670/650 and SAM600-IO series device that if exploited could potentially cause critical functions like LDCM (Line Distance Communication Module) to malfunction. | 2025-06-24 | 7.5 | CVE-2025-2403 |
| hiyouga--LLaMA-Factory | LLaMA-Factory is a tuning library for large language models. A remote code execution vulnerability was discovered in LLaMA-Factory versions up to and including 0.9.3 during the LLaMA-Factory training process. This vulnerability arises because the `vhead_file` is loaded without proper safeguards, allowing malicious attackers to execute arbitrary malicious code on the host system simply by passing a malicious `Checkpoint path` parameter through the `WebUI` interface. The attack is stealthy, as the victim remains unaware of the exploitation. The root cause is that the `vhead_file` argument is loaded without the secure parameter `weights_only=True`. Version 0.9.4 contains a fix for the issue. | 2025-06-26 | 8.3 | CVE-2025-53002 |
| Hossin Asaadi--WP Permalink Translator | Cross-Site Request Forgery (CSRF) vulnerability in Hossin Asaadi WP Permalink Translator allows Stored XSS. This issue affects WP Permalink Translator: from n/a through 1.7.6. | 2025-06-27 | 7.1 | CVE-2025-53274 |
| Hunt Electronic--HBF-09KD | Certain hybrid DVR models ((HBF-09KD and HBF-16NK)) from Hunt Electronic have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to directly access a system configuration file and obtain plaintext administrator credentials. | 2025-06-26 | 9.8 | CVE-2025-6561 |
| Hunt Electronic--Hybrid DVR | Certain hybrid DVR models (HBF-09KD and HBF-16NK) from Hunt Electronic have an OS Command Injection vulnerability, allowing remote attackers with regular privileges to inject arbitrary OS commands and execute them on the device. | 2025-06-26 | 8.8 | CVE-2025-6562 |
| iamapinan--Woocommerce Line Notify | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in iamapinan Woocommerce Line Notify allows Stored XSS. This issue affects Woocommerce Line Notify: from n/a through 1.1.7. | 2025-06-27 | 7.1 | CVE-2025-30972 |
| IBM--i | IBM i 7.2, 7.3, 7.4, and 7.5 could allow a user to gain elevated privileges due to an unqualified library call in IBM Facsimile Support for i. A malicious actor could cause user-controlled code to run with administrator privilege. | 2025-06-25 | 8.8 | CVE-2025-36004 |
| IBM--Informix Dynamic Server | IBM Informix Dynamic Server 12.10,14.10, and15.0 could allow a remote attacker to cause a denial of service due to an integer underflow when processing packets. | 2025-06-28 | 7.5 | CVE-2025-1991 |
| IBM--InfoSphere Information Server | IBM InfoSphere Information Server 11.7 vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | 2025-06-25 | 7.6 | CVE-2025-0966 |
| IBM--WebSphere Application Server | IBM WebSphere Application Server 8.5 and 9.0 could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects. | 2025-06-25 | 9 | CVE-2025-36038 |
| idokd--Simple Payment | The Simple Payment plugin for WordPress is vulnerable to Authentication Bypass in versions 1.3.6 to 2.3.8. This is due to the plugin not properly verifying a user's identity prior to logging them in through the create_user() function. This makes it possible for unauthenticated attackers to log in as administrative users. | 2025-06-27 | 9.8 | CVE-2025-6688 |
| Infigo Software--IS-theme-companion | Cross-Site Request Forgery (CSRF) vulnerability in Infigo Software IS-theme-companion allows Object Injection. This issue affects IS-theme-companion: from n/a through 1.57. | 2025-06-27 | 8.8 | CVE-2025-53277 |
| Infility--Infility Global | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global allows Reflected XSS. This issue affects Infility Global: from n/a through 2.12.7. | 2025-06-27 | 7.1 | CVE-2025-52774 |
| InnoShop--InnoShop | In Innoshop through 0.4.1, an authenticated attacker could exploit the File Manager functions in the admin panel to achieve code execution on the server, by uploading a crafted file and then renaming it to have a .php extension by using the Rename Function. This bypasses the initial check that uploaded files are image files. The application relies on frontend checks to restrict the administrator from changing the extension of uploaded files to .php. This restriction is easily bypassed with any proxy tool (e.g., BurpSuite). Once the attacker renames the file, and gives it the .php extension, a GET request can be used to trigger the execution of code on the server. | 2025-06-23 | 9.9 | CVE-2025-52921 |
| InnoShop--InnoShop | Innoshop through 0.4.1 allows directory traversal via FileManager API endpoints. An authenticated attacker with access to the admin panel could abuse this to: (1) fully map the filesystem structure via the /api/file_manager/files?base_folder= endpoint, (2) create arbitrary directories on the server via the /api/file_manager/directories endpoint, (3) read arbitrary files from the server by copying the file to a readable location within the application via the /api/file_manager/copy_files endpoint, {4) delete arbitrary files from the server via a DELETE request to /api/file_manager/files, or (5) create arbitrary files on the server by uploading them and then leveraging the /api/file_manager/move_files endpoint to move them anywhere in the filesystem. | 2025-06-23 | 7.4 | CVE-2025-52922 |
| iterate GmbH--Cyberduck | Cyberduck and Mountain Duck improperly handle TLS certificate pinning for untrusted certificates (e.g., self-signed), unnecessarily installing it to the Windows Certificate Store of the current user without any restrictions. This issue affects Cyberduck through 9.1.6 and Mountain Duck through 4.17.5. | 2025-06-25 | 8 | CVE-2025-41255 |
| iterate GmbH--Cyberduck | Cyberduck and Mountain Duck improper handle TLS certificate pinning for untrusted certificates (e.g., self-signed), since the certificate fingerprint is stored as SHA-1, although SHA-1 is considered weak. This issue affects Cyberduck: through 9.1.6; Mountain Duck: through 4.17.5. | 2025-06-25 | 7.4 | CVE-2025-41256 |
| John Russell--National Weather Service Alerts | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in John Russell National Weather Service Alerts allows PHP Local File Inclusion. This issue affects National Weather Service Alerts: from n/a through 1.3.5. | 2025-06-27 | 8.1 | CVE-2025-52809 |
| JoinWebs--Classiera | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoinWebs Classiera allows SQL Injection. This issue affects Classiera: from n/a through 4.0.34. | 2025-06-27 | 9.3 | CVE-2025-52722 |
| Jory Hogeveen--Off-Canvas Sidebars & Menus (Slidebars) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jory Hogeveen Off-Canvas Sidebars & Menus (Slidebars) allows Reflected XSS. This issue affects Off-Canvas Sidebars & Menus (Slidebars): from n/a through 0.5.8.4. | 2025-06-27 | 7.1 | CVE-2025-49290 |
| Jose--Content No Cache | Improper Control of Generation of Code ('Code Injection') vulnerability in Jose Content No Cache allows Code Injection. This issue affects Content No Cache: from n/a through 0.1.3. | 2025-06-27 | 8.6 | CVE-2025-28993 |
| kanboard--kanboard | Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the application_url configuration is unset (default behavior). This allows an attacker to craft a malicious password reset link that leaks the token to an attacker-controlled domain. If a victim (including an administrator) clicks the poisoned link, their account can be taken over. This affects all users who initiate a password reset while application_url is not set. This issue has been patched in version 1.2.46. | 2025-06-24 | 8.1 | CVE-2025-52560 |
| Kingdee--Cloud-Starry-Sky Enterprise Edition | A vulnerability was found in Kingdee Cloud-Starry-Sky Enterprise Edition 6.x/7.x/8.x/9.0. It has been rated as critical. Affected by this issue is the function plugin.buildMobilePopHtml of the file \k3\o2o\bos\webapp\action\DynamicForm 4 Action.class of the component Freemarker Engine. The manipulation leads to improper neutralization of special elements used in a template engine. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The vendor explains, that in the fixed release "Freemarker is set to 'ALLOWS_NOTHING_RESOLVER' to not parse any classes." | 2025-06-27 | 7.3 | CVE-2025-6761 |
| Linksys--E8450 | A vulnerability, which was classified as critical, was found in Linksys E8450 up to 1.2.00.360516. This affects the function set_device_language of the file portal.cgi of the component HTTP POST Request Handler. The manipulation of the argument dut_language leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-27 | 8.8 | CVE-2025-6751 |
| Linksys--WRT1900ACS | A vulnerability has been found in Linksys WRT1900ACS, EA7200, EA7450 and EA7500 up to 20250619 and classified as critical. This vulnerability affects the function SetDefaultConnectionService of the file /upnp/control/Layer3Forwarding of the component IGD. The manipulation of the argument NewDefaultConnectionService leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-27 | 8.8 | CVE-2025-6752 |
| Looks Awesome--OnionBuzz | Cross-Site Request Forgery (CSRF) vulnerability in Looks Awesome OnionBuzz allows Stored XSS. This issue affects OnionBuzz: from n/a through 1.0.7. | 2025-06-27 | 7.1 | CVE-2025-53312 |
| lucidcrew--WP Forum Server | Cross-Site Request Forgery (CSRF) vulnerability in lucidcrew WP Forum Server allows Stored XSS. This issue affects WP Forum Server: from n/a through 1.8.2. | 2025-06-27 | 7.1 | CVE-2025-53305 |
| lucidcrew--WP Forum Server | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in lucidcrew WP Forum Server allows SQL Injection. This issue affects WP Forum Server: from n/a through 1.8.2. | 2025-06-27 | 7.6 | CVE-2025-53306 |
| lxc--incus | Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13generates nftables rules that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to ARP spoofing on the bridge and to fully spoof another VM/container on the same bridge. Commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8 contains a patch for the issue. | 2025-06-25 | 8.1 | CVE-2025-52890 |
| ManageEngine--Exchange Reporter Plus | Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Folder-wise read mails with subject report. | 2025-06-26 | 8.1 | CVE-2025-5366 |
| ManageEngine--Exchange Reporter Plus | Zohocorp ManageEngine Exchange reporter Plus version 5722 and below are vulnerable to Stored XSS in the Attachments by filename keyword report. | 2025-06-26 | 8.1 | CVE-2025-5966 |
| Mavi Yeil Software--Guest Tracking Software | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mavi YeÅŸil Software Guest Tracking Software allows SQL Injection.This issue affects . NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available. | 2025-06-27 | 9.8 | CVE-2024-12364 |
| MB connect line--mbCONNECT24 | An unauthenticated remote attacker can obtain limited sensitive information and/or DoS the device due to missing authentication for critical function. | 2025-06-24 | 8.2 | CVE-2025-3090 |
| MB connect line--mbCONNECT24 | An low privileged remote attacker in possession of the second factor for another user can login as that user without knowledge of the other user`s password. | 2025-06-24 | 7.5 | CVE-2025-3091 |
| MDJM--Mobile DJ Manager | Missing Authorization vulnerability in MDJM Mobile DJ Manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mobile DJ Manager: from n/a through 1.7.6. | 2025-06-27 | 8.8 | CVE-2025-52824 |
| Michel - xiligroup dev--xili-dictionary | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Michel - xiligroup dev xili-dictionary allows Reflected XSS. This issue affects xili-dictionary: from n/a through 2.12.5.2. | 2025-06-27 | 7.1 | CVE-2025-52778 |
| MICROSENS--NMP Web+ | MICROSENS NMP Web+ could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication. | 2025-06-25 | 9.1 | CVE-2025-49151 |
| MICROSENS--NMP Web+ | MICROSENS NMP Web+ could allow an unauthenticated attacker to overwrite files and execute arbitrary code. | 2025-06-25 | 9.8 | CVE-2025-49153 |
| MICROSENS--NMP Web+ | MICROSENS NMP Web+ contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system. | 2025-06-25 | 7.5 | CVE-2025-49152 |
| MIKO--MikoPBX | PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory. | 2025-06-27 | 9.9 | CVE-2025-52207 |
| Mitsubishi Electric Corporation--G-50 | Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 Version 3.37 and prior, G-50-W Version 3.37 and prior, G-50A Version 3.37 and prior, GB-50 Version 3.37 and prior, GB-50A Version 3.37 and prior, GB-24A Version 9.12 and prior, G-150AD Version 3.21 and prior, AG-150A-A Version 3.21 and prior, AG-150A-J Version 3.21 and prior, GB-50AD Version 3.21 and prior, GB-50ADA-A Version 3.21 and prior, GB-50ADA-J Version 3.21 and prior, EB-50GU-A Version 7.11 and prior, EB-50GU-J Version 7.11 and prior, AE-200J Version 8.01 and prior, AE-200A Version 8.01 and prior, AE-200E Version 8.01 and prior, AE-50J Version 8.01 and prior, AE-50A Version 8.01 and prior, AE-50E Version 8.01 and prior, EW-50J Version 8.01 and prior, EW-50A Version 8.01 and prior, EW-50E Version 8.01 and prior, TE-200A Version 8.01 and prior, TE-50A Version 8.01 and prior, TW-50A Version 8.01 and prior, and CMS-RMD-J Version 1.40 and prior allows a remote unauthenticated attacker to bypass authentication and then control the air conditioning systems illegally, or disclose information in them by exploiting this vulnerability. In addition, the attacker may tamper with firmware for them using the disclosed information. | 2025-06-26 | 9.8 | CVE-2025-3699 |
| Mobilteg Mobile Informatics--Mikro Hand Terminal - MikroDB | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mobilteg Mobile Informatics Mikro Hand Terminal - MikroDB allows SQL Injection.This issue affects . NOTE: The vendor did not inform about the completion of the fixing process within the specified time. The CVE will be updated when new information becomes available. | 2025-06-27 | 9.8 | CVE-2024-12143 |
| mojoomla--School Management | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojoomla School Management allows Reflected XSS. This issue affects School Management: from n/a through 92.0.0. | 2025-06-27 | 7.1 | CVE-2025-47574 |
| mojoomla--WPCRM - CRM for Contact form CF7 & WooCommerce | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce allows Reflected XSS. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through 3.2.0. | 2025-06-27 | 7.1 | CVE-2025-24774 |
| MongoDB Inc--MongoDB Server | The MongoDB Server is susceptible to a denial of service vulnerability due to improper handling of specific date values in JSON input when using OIDC authentication. This can be reproduced using the mongo shell to send a malicious JSON payload leading to an invariant failure and server crash. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5. The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating. | 2025-06-26 | 7.5 | CVE-2025-6709 |
| MongoDB Inc--MongoDB Server | MongoDB Server may be susceptible to stack overflow due to JSON parsing mechanism, where specifically crafted JSON inputs may induce unwarranted levels of recursion, resulting in excessive stack space consumption. Such inputs can lead to a stack overflow that causes the server to crash which could occur pre-authorisation. This issue affects MongoDB Server v7.0 versions prior to 7.0.17 and MongoDB Server v8.0 versions prior to 8.0.5. The same issue affects MongoDB Server v6.0 versions prior to 6.0.21, but an attacker can only induce denial of service after authenticating. | 2025-06-26 | 7.5 | CVE-2025-6710 |
| n/a--Arc | Arc before 1.26.1 on Windows has a bypass issue in the site settings that allows websites (with previously granted permissions) to add new permissions when the user clicks anywhere on the website. | 2025-06-26 | 9.6 | CVE-2024-52928 |
| n/a--RT-Thread | A vulnerability, which was classified as critical, was found in RT-Thread up to 5.1.0. This affects the function sys_device_open/sys_device_read/sys_device_control/sys_device_init/sys_device_close/sys_device_write of the file components/drivers/core/device.c. The manipulation leads to memory corruption. It is possible to launch the attack on the local host. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 7.8 | CVE-2025-6693 |
| n/a--snyk | Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. Container Registry credentials provided via environment variables or command line arguments can be exposed when executing Snyk CLI in DEBUG or DEBUG/TRACE mode. The issue affects the following Snyk commands: 1. When snyk container test or snyk container monitor commands are run against a container registry, with debug mode enabled, the container registry credentials may be written into the local Snyk CLI debug log. This only happens with credentials specified in environment variables (SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD), or in the CLI (--password/-p and --username/-u). 2. When snyk auth command is executed with debug mode enabled AND the log level is set to TRACE, the Snyk access / refresh credential tokens used to connect the CLI to Snyk may be written into the local CLI debug logs. 3. When snyk iac test is executed with a Remote IAC Custom rules bundle, debug mode enabled, AND the log level is set to TRACE, the docker registry token may be written into the local CLI debug logs. | 2025-06-26 | 7.2 | CVE-2025-6624 |
| Netgear--EX6100 | A vulnerability was found in Netgear EX6100 1.0.2.28_1.1.138. It has been rated as critical. Affected by this issue is the function sub_415EF8. The manipulation leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-23 | 8.8 | CVE-2025-6510 |
| Netgear--EX6150 | A vulnerability classified as critical has been found in Netgear EX6150 1.0.0.46_1.0.76. This affects the function sub_410090. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-23 | 8.8 | CVE-2025-6511 |
| Netgear--WNCE3001 | A vulnerability was found in Netgear WNCE3001 1.0.0.50. It has been classified as critical. This affects the function http_d of the component HTTP POST Request Handler. The manipulation of the argument Host leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-24 | 8.8 | CVE-2025-6565 |
| nicdark--Hotel Booking | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in nicdark Hotel Booking allows PHP Local File Inclusion. This issue affects Hotel Booking: from n/a through 3.7. | 2025-06-27 | 7.5 | CVE-2025-53259 |
| nmedia--Simple User Registration | The Simple User Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3. This is due to insufficient restrictions on user meta values that can be supplied during registration. This makes it possible for unauthenticated attackers to register as an administrator. | 2025-06-26 | 9.8 | CVE-2025-4334 |
| notepad-plus-plus--notepad-plus-plus | Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2. | 2025-06-23 | 7.3 | CVE-2025-49144 |
| NVIDIA--Megatron LM | NVIDIA Megatron-LM for all platforms contains a vulnerability in a python component where an attacker may cause a code injection issue by providing a malicious file. A successful exploit of this vulnerability may lead to Code Execution, Escalation of Privileges, Information Disclosure and Data Tampering. | 2025-06-24 | 7.8 | CVE-2025-23264 |
| NVIDIA--Megatron LM | NVIDIA Megatron-LM for all platforms contains a vulnerability in a python component where an attacker may cause a code injection issue by providing a malicious file. A successful exploit of this vulnerability may lead to Code Execution, Escalation of Privileges, Information Disclosure and Data Tampering. | 2025-06-24 | 7.8 | CVE-2025-23265 |
| octo-sts--app | Octo-STS is a GitHub App that acts like a Security Token Service (STS) for the GitHub API. Octo-STS versions before v0.5.3 are vulnerable to unauthenticated SSRF by abusing fields in OpenID Connect tokens. Malicious tokens were shown to trigger internal network requests which could reflect error logs with sensitive information. Upgrade to v0.5.3 to resolve this issue. This version includes patch sets to sanitize input and redact logging. | 2025-06-26 | 8.6 | CVE-2025-52477 |
| OPPO--ColorOS | OPPO Clone Phone uses a weak password WiFi hotspot to transfer files, resulting in Information disclosure. | 2025-06-23 | 7.4 | CVE-2025-27387 |
| ovatheme--BRW | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme BRW allows PHP Local File Inclusion. This issue affects BRW: from n/a through 1.7.9. | 2025-06-27 | 8.1 | CVE-2025-52814 |
| Parsons--Parsons Utility Enterprise Data Management | A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one. | 2025-06-25 | 8.8 | CVE-2025-5015 |
| pebas--CouponXxL | Deserialization of Untrusted Data vulnerability in pebas CouponXxL allows Object Injection. This issue affects CouponXxL: from n/a through 3.0.0. | 2025-06-27 | 9.8 | CVE-2025-52725 |
| pebas--CouponXxL Custom Post Types | Incorrect Privilege Assignment vulnerability in pebas CouponXxL Custom Post Types allows Privilege Escalation. This issue affects CouponXxL Custom Post Types: from n/a through 3.0. | 2025-06-27 | 8.6 | CVE-2025-52726 |
| pep.vn--WP Optimize By xTraffic | Deserialization of Untrusted Data vulnerability in pep.vn WP Optimize By xTraffic allows Object Injection. This issue affects WP Optimize By xTraffic: from n/a through 5.1.6. | 2025-06-27 | 9.8 | CVE-2025-28970 |
| PHPGurukul--Local Services Search Engine Management System | A vulnerability classified as critical was found in PHPGurukul Local Services Search Engine Management System 2.1. Affected by this vulnerability is an unknown functionality of the file /admin/edit-category-detail.php. The manipulation of the argument editid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 7.3 | CVE-2025-6863 |
| plumwd--Twitch TV Embed Suite | Cross-Site Request Forgery (CSRF) vulnerability in plumwd Twitch TV Embed Suite allows Stored XSS. This issue affects Twitch TV Embed Suite: from n/a through 2.1.0. | 2025-06-27 | 7.1 | CVE-2025-53313 |
| Preh Car Connect GmbH (JOYNEXT GmbH)--Volkswagen MIB3 infotainment system MIB3 OI MQB | A heap buffer overflow in the image processing binary of the MIB3 infotainment unit allows an attacker to execute arbitrary code on it. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | 2025-06-28 | 8 | CVE-2023-28905 |
| Preh Car Connect GmbH (JOYNEXT GmbH)--Volkswagen MIB3 infotainment system MIB3 OI MQB | A specific flaw exists within the Bluetooth stack of the MIB3 unit. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow when receiving fragmented HCI packets on a channel. An attacker can leverage this vulnerability to bypass the MTU check on a channel with enabled fragmentation. Consequently, this can lead to a buffer overflow in upper layer profiles, which can be used to obtain remote code execution. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | 2025-06-28 | 8 | CVE-2023-28909 |
| Preh Car Connect GmbH (JOYNEXT GmbH)--Volkswagen MIB3 infotainment system MIB3 OI MQB | A specific flaw exists within the Bluetooth stack of the MIB3 infotainment system. The issue results from the disabled abortion flag eventually leading to bypassing assertion functions. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | 2025-06-28 | 8 | CVE-2023-28910 |
| Preh Car Connect GmbH (JOYNEXT GmbH)--Volkswagen MIB3 infotainment system MIB3 OI MQB | A command injection in the networking service of the MIB3 infotainment allows an attacker already presenting in the system to escalate privileges and obtain administrative access to the system. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | 2025-06-28 | 7.8 | CVE-2023-28906 |
| QuanticaLabs--CSS3 Vertical Web Pricing Tables | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs CSS3 Vertical Web Pricing Tables allows Reflected XSS. This issue affects CSS3 Vertical Web Pricing Tables: from n/a through 1.9. | 2025-06-27 | 7.1 | CVE-2025-52727 |
| real-web--RealtyElite | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in real-web RealtyElite allows PHP Local File Inclusion. This issue affects RealtyElite: from n/a through 1.0.0. | 2025-06-27 | 8.1 | CVE-2025-52808 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack. | 2025-06-24 | 8.3 | CVE-2025-6032 |
| regibaer--Evangelische Termine | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in regibaer Evangelische Termine allows Reflected XSS. This issue affects Evangelische Termine: from n/a through 3.3. | 2025-06-27 | 7.1 | CVE-2025-28960 |
| RobMarsh--Image Shadow | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in RobMarsh Image Shadow allows Path Traversal. This issue affects Image Shadow: from n/a through 1.1.0. | 2025-06-27 | 7.7 | CVE-2025-24765 |
| samcharrington--RSS Digest | Cross-Site Request Forgery (CSRF) vulnerability in samcharrington RSS Digest allows Stored XSS. This issue affects RSS Digest: from n/a through 1.5. | 2025-06-27 | 7.1 | CVE-2025-53331 |
| Sapido--BR071n | Multiple wireless router models from Sapido have an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server. The affected models are out of support; replacing the device is recommended. | 2025-06-24 | 9.8 | CVE-2025-6559 |
| Sapido--BR071n | Multiple wireless router models from Sapido have an Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to directly access a system configuration file and obtain plaintext administrator credentials. The affected models are out of support; replacing the device is recommended. | 2025-06-24 | 9.8 | CVE-2025-6560 |
| scriptsbundle--DWT - Directory & Listing WordPress Theme | The DWT - Directory & Listing WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.6. This is due to the plugin not properly checking for an empty token value prior to resetting a user's password through the dwt_listing_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account. | 2025-06-27 | 9.8 | CVE-2024-12827 |
| Serhii Pasyuk--Gmedia Photo Gallery | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Serhii Pasyuk Gmedia Photo Gallery allows PHP Local File Inclusion. This issue affects Gmedia Photo Gallery: from n/a through 1.23.0. | 2025-06-27 | 7.5 | CVE-2025-53257 |
| serpednet--SERPed.net | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in serpednet SERPed.net allows PHP Local File Inclusion. This issue affects SERPed.net: from n/a through 4.6. | 2025-06-27 | 8.1 | CVE-2025-28998 |
| sh1zen--WP Optimizer | Cross-Site Request Forgery (CSRF) vulnerability in sh1zen WP Optimizer allows SQL Injection. This issue affects WP Optimizer: from n/a through 2.3.6. | 2025-06-27 | 9.6 | CVE-2025-53314 |
| smartiolabs--Smart Notification | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smartiolabs Smart Notification allows Reflected XSS. This issue affects Smart Notification: from n/a through 10.3. | 2025-06-27 | 7.1 | CVE-2025-39478 |
| Sneeit--MagOne | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sneeit MagOne allows Reflected XSS. This issue affects MagOne: from n/a through 8.5. | 2025-06-27 | 7.1 | CVE-2025-39488 |
| snstheme--MBStore - Digital WooCommerce WordPress Theme | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme MBStore - Digital WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects MBStore - Digital WooCommerce WordPress Theme: from n/a through 2.3. | 2025-06-27 | 8.1 | CVE-2025-28947 |
| snstheme--Samex - Clean, Minimal Shop WooCommerce WordPress Theme | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Samex - Clean, Minimal Shop WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Samex - Clean, Minimal Shop WooCommerce WordPress Theme: from n/a through 2.6. | 2025-06-27 | 8.1 | CVE-2023-25998 |
| snstheme--SNS Vicky | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme SNS Vicky allows PHP Local File Inclusion. This issue affects SNS Vicky: from n/a through 3.7. | 2025-06-27 | 8.1 | CVE-2025-28990 |
| SourceCodester--Best Salon Management System | A vulnerability classified as critical has been found in SourceCodester Best Salon Management System 1.0. Affected is an unknown function of the component Login. The manipulation of the argument Username leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-24 | 7.3 | CVE-2025-6580 |
| SourceCodester--Simple Company Website | A vulnerability classified as critical has been found in SourceCodester Simple Company Website 1.0. This affects an unknown part of the file /classes/Login.php. The manipulation of the argument Username leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 7.3 | CVE-2025-6871 |
| StarCitizenTools--mediawiki-extensions-TabberNeue | TabberNeue is a MediaWiki extension that allows the wiki to create tabs. Starting in version 3.0.0 and prior to version 3.1.1, any user can insert arbitrary HTMLinto the DOM by inserting a payload into any allowed attribute of the `<tabber>` tag. Version 3.1.1 contains a patch for the bug. | 2025-06-27 | 8.6 | CVE-2025-53093 |
| Syed Tahir Ali Jan--Bulk YouTube Post Creator | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Syed Tahir Ali Jan Bulk YouTube Post Creator allows Reflected XSS. This issue affects Bulk YouTube Post Creator: from n/a through 1.0. | 2025-06-27 | 7.1 | CVE-2025-49423 |
| szajenw--Spoecznociowa 6 PL 2013 | Cross-Site Request Forgery (CSRF) vulnerability in szajenw Społecznościowa 6 PL 2013 allows Stored XSS. This issue affects Społecznościowa 6 PL 2013: from n/a through 2.0.6. | 2025-06-27 | 7.1 | CVE-2025-53329 |
| TB-eye Ltd.--XRN-410SN/TE | An OS command injection issue exists in multiple versions of TB-eye network recorders and AHD recorders. If this vulnerability is exploited, an arbitrary OS command may be executed by an attacker who is logging in to the device. | 2025-06-27 | 7.2 | CVE-2025-36529 |
| TeamViewer--Full Client | Incorrect Permission Assignment for Critical Resource in the TeamViewer Client (Full and Host) of TeamViewer Remote and Tensor prior Version 15.67 on Windows allows a local unprivileged user to trigger arbitrary file deletion with SYSTEM privileges via leveraging the MSI rollback mechanism. The vulnerability only applies to the Remote Management features: Backup, Monitoring, and Patch Management. | 2025-06-24 | 7 | CVE-2025-36537 |
| techjewel--Ninja Tables Easy Data Table Builder | The Ninja Tables - Easy Data Table Builder plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.18 via the args[url] parameter. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2025-06-27 | 7.2 | CVE-2025-2940 |
| thembay--Diza | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through 1.3.9. | 2025-06-27 | 8.1 | CVE-2025-52729 |
| thembay--Greenmart | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Greenmart allows PHP Local File Inclusion. This issue affects Greenmart: from n/a through 4.2.3. | 2025-06-27 | 8.1 | CVE-2025-49883 |
| thembay--Puca | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Puca allows PHP Local File Inclusion. This issue affects Puca: from n/a through 2.6.33. | 2025-06-27 | 8.1 | CVE-2025-30992 |
| themefic--Ultra Addons for Contact Form 7 | The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Database module in versions 3.5.11 to 3.5.19 due to insufficient input sanitization and output escaping. The unfiltered field names are stored alongside the sanitized values. Later, the admin-side AJAX endpoint ajax_get_table_data() returns those raw names as JSON column headers, and the client-side DataTables renderer injects them directly into the DOM without any HTML encoding. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 7.2 | CVE-2025-6212 |
| themehunk--Zita | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita allows PHP Local File Inclusion. This issue affects Zita: from n/a through 1.6.5. | 2025-06-27 | 8.1 | CVE-2025-52816 |
| ThemeMove--Amely | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeMove Amely allows SQL Injection. This issue affects Amely: from n/a through 3.1.4. | 2025-06-27 | 9.3 | CVE-2025-39474 |
| ThemesGrove--WP SmartPay | Authentication Bypass Using an Alternate Path or Channel vulnerability in ThemesGrove WP SmartPay allows Authentication Abuse. This issue affects WP SmartPay: from n/a through 2.7.13. | 2025-06-27 | 8.8 | CVE-2025-25171 |
| themeton--Seven Stars | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themeton Seven Stars allows Stored XSS. This issue affects Seven Stars: from n/a through 1.4.4. | 2025-06-27 | 7.1 | CVE-2025-31067 |
| thhake--Photo Express for Google | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thhake Photo Express for Google allows Reflected XSS. This issue affects Photo Express for Google: from n/a through 0.3.2. | 2025-06-27 | 7.1 | CVE-2025-27361 |
| TMRW-studio--Katerio - Magazine | Path Traversal vulnerability in TMRW-studio Katerio - Magazine allows PHP Local File Inclusion. This issue affects Katerio - Magazine: from n/a through 1.5.1. | 2025-06-27 | 8.1 | CVE-2025-52810 |
| TOTOLINK--A702R | A vulnerability has been found in TOTOLINK A702R 4.0.0-B20230721.1521 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formIpv6Setup of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 8.8 | CVE-2025-6627 |
| TOTOLINK--A702R | A vulnerability classified as critical was found in TOTOLINK A702R up to 4.0.0-B20230721.1521. Affected by this vulnerability is an unknown functionality of the file /boafrm/formWlSiteSurvey of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 8.8 | CVE-2025-6825 |
| TOTOLINK--EX1200T | A vulnerability classified as critical has been found in TOTOLINK EX1200T 4.1.2cu.5232_B20210713. Affected is an unknown function of the file /boafrm/formIpv6Setup of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-24 | 8.8 | CVE-2025-6568 |
| TOTOLINK--X15 | A vulnerability classified as critical has been found in TOTOLINK X15 up to 1.0.0-B20230714.1105. Affected is an unknown function of the file /boafrm/formParentControl of the component HTTP POST Request Handler. The manipulation of the argument submit-url leads to buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 8.8 | CVE-2025-6824 |
| TrendMakers--Sight Bulb Pro Firmware ZJ_CG32-2201 | During the initial setup of the device the user connects to an access point broadcast by the Sight Bulb Pro. During the negotiation, AES Encryption keys are passed in cleartext. If captured, an attacker may be able to decrypt communications between the management app and the Sight Bulb Pro which may include sensitive information such as network credentials. | 2025-06-27 | 7.6 | CVE-2025-6521 |
| UTT--HiPER 840G | A vulnerability was found in UTT HiPER 840G up to 3.1.1-190328. It has been classified as critical. This affects the function strcpy of the file /goform/setSysAdm of the component API. The manipulation of the argument passwd1 leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 8.8 | CVE-2025-6732 |
| UTT--HiPER 840G | A vulnerability was found in UTT HiPER 840G up to 3.1.1-190328. It has been declared as critical. This vulnerability affects the function sub_416928 of the file /goform/formConfigDnsFilterGlobal of the component API. The manipulation of the argument GroupName leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 8.8 | CVE-2025-6733 |
| UTT--HiPER 840G | A vulnerability was found in UTT HiPER 840G up to 3.1.1-190328. It has been rated as critical. This issue affects the function sub_484E40 of the file /goform/formP2PLimitConfig of the component API. The manipulation of the argument except leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 8.8 | CVE-2025-6734 |
| uxper--Nuss | Deserialization of Untrusted Data vulnerability in uxper Nuss allows Object Injection. This issue affects Nuss: from n/a through 1.3.3. | 2025-06-27 | 8.8 | CVE-2025-52827 |
| uxper--Sala | Deserialization of Untrusted Data vulnerability in uxper Sala allows Object Injection. This issue affects Sala: from n/a through 1.1.3. | 2025-06-27 | 8.8 | CVE-2025-52826 |
| Visionatrix--Visionatrix | Visionatrix is an AI Media processing tool using ComfyUI. In versions 1.5.0 to before 2.5.1, the /docs/flows endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack allowing full takeover of the application and exfiltration of secrets stored in the application. The implementation uses the get_swagger_ui_html function from FastAPI. This function does not encode or sanitize its arguments before using them to generate the HTML for the swagger documentation page and is not intended to be used with user-controlled arguments. Any user of this application can be targeted with a one-click attack that can takeover their session and all the secrets that may be contained within it. This issue has been patched in version 2.5.1. | 2025-06-23 | 8.8 | CVE-2025-49126 |
| WebGeniusLab--Zikzag Core | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab Zikzag Core allows PHP Local File Inclusion. This issue affects Zikzag Core: from n/a through 1.4.5. | 2025-06-27 | 8.1 | CVE-2025-49886 |
| Wow-Company--Hover Effects | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Wow-Company Hover Effects allows SQL Injection. This issue affects Hover Effects: from n/a through 2.1.2. | 2025-06-27 | 7.6 | CVE-2025-53258 |
| WPBean--WPB Category Slider for WooCommerce | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPBean WPB Category Slider for WooCommerce allows PHP Local File Inclusion. This issue affects WPB Category Slider for WooCommerce: from n/a through 1.71. | 2025-06-27 | 7.5 | CVE-2025-53281 |
| wpeverest--Everest Forms | Deserialization of Untrusted Data vulnerability in wpeverest Everest Forms allows Object Injection. This issue affects Everest Forms: from n/a through 3.2.2. | 2025-06-27 | 9.8 | CVE-2025-52709 |
| WPEverest--Everest Forms Pro | The Everest Forms (Pro) plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.9.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The vulnerability requires an admin to trigger the deletion via deletion of a form entry and cannot be carried out by the attacker alone. | 2025-06-25 | 7.5 | CVE-2025-5927 |
| wphobby--Backwp | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphobby Backwp allows Reflected XSS. This issue affects Backwp: from n/a through 2.0.2. | 2025-06-27 | 7.1 | CVE-2025-28956 |
| wpopal--GG Bought Together for WooCommerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpopal GG Bought Together for WooCommerce allows SQL Injection. This issue affects GG Bought Together for WooCommerce: from n/a through 1.0.2. | 2025-06-27 | 9.3 | CVE-2025-23967 |
| Xiaomi--Xiaomi Mi Connect Service | An unauthorized access vulnerability exists in the Xiaomi Mi Connect Service APP. The vulnerability is caused by the validation logic is flawed and can be exploited by attackers to Unauthorized access to the victim's device. | 2025-06-23 | 9.6 | CVE-2024-45347 |
| xiaoyunjie--openvpn-cms-flask | A vulnerability classified as critical was found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This vulnerability affects the function Upload of the file app/plugins/oss/app/controller.py of the component File Upload. The manipulation of the argument image leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The name of the patch is e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component. | 2025-06-27 | 7.3 | CVE-2025-6776 |
| YayCommerce--YaySMTP | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YaySMTP allows SQL Injection. This issue affects YaySMTP: from n/a through 6.8.1. | 2025-06-27 | 7.6 | CVE-2025-53256 |
| yhirose--cpp-httplib | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In version 0.21.0, when many http headers fields are passed in, the library does not limit the number of headers, and the memory associated with the headers will not be released when the connection is disconnected. This leads to potential exhaustion of system memory and results in a server crash or unresponsiveness. Version 0.22.0 contains a patch for the issue. | 2025-06-26 | 7.5 | CVE-2025-52887 |
| ZealousWeb--Abandoned Contact Form 7 | Missing Authorization vulnerability in ZealousWeb Abandoned Contact Form 7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Abandoned Contact Form 7: from n/a through 2.0. | 2025-06-27 | 8.2 | CVE-2025-52817 |
| zephyrproject-rtos--Zephyr | A denial-of-service issue in the dns implemenation could cause an infinite loop. | 2025-06-24 | 8.2 | CVE-2025-2962 |
Medium Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 70mai--1S | A vulnerability classified as problematic was found in 70mai 1S up to 20250611. This vulnerability affects unknown code of the file /cgi-bin/Config.cgi?action=set of the component Configuration Handler. The manipulation leads to improper authorization. The attack needs to be approached within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-23 | 4.3 | CVE-2025-6525 |
| 70mai--M300 | A vulnerability has been found in 70mai M300 up to 20250611 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /livestream/12 of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper authentication. The attack needs to be done within the local network. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-23 | 4.3 | CVE-2025-6528 |
| 70mai--M300 | A vulnerability was found in 70mai M300 up to 20250611. It has been classified as problematic. This affects an unknown part of the file demo.sh of the component Telnet Service. The manipulation leads to denial of service. Access to the local network is required for this attack. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-23 | 4.8 | CVE-2025-6530 |
| aaluoxiang--oa_system | A vulnerability was found in aaluoxiang oa_system up to c3a08168c144f27256a90838492c713f55f1b207 and classified as critical. This issue affects the function outAddress of the component External Address Book Handler. The manipulation leads to sql injection. The attack may be initiated remotely. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | 2025-06-28 | 6.3 | CVE-2025-6829 |
| abditsori--My Resume Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in abditsori My Resume Builder allows Stored XSS. This issue affects My Resume Builder: from n/a through 1.0.3. | 2025-06-27 | 6.5 | CVE-2025-53336 |
| Adobe--Adobe Commerce | Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue requires user interaction. | 2025-06-25 | 4.3 | CVE-2025-49550 |
| Adrian Lad--PlatiOnline Payments | Missing Authorization vulnerability in Adrian Ladó PlatiOnline Payments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PlatiOnline Payments: from n/a through 6.3.2. | 2025-06-27 | 4.3 | CVE-2025-53288 |
| Advantech--Advantech Wireless Sensing and Equipment (WISE) | Successful exploitation of the vulnerability could allow an attacker to cause repeated reboots, potentially leading to remote denial-of-service and system unavailability. | 2025-06-24 | 6.5 | CVE-2025-48467 |
| Advantech--Advantech Wireless Sensing and Equipment (WISE) | Successful exploitation of the vulnerability could allow an attacker that has physical access to interface with JTAG to inject or modify firmware. | 2025-06-24 | 6.4 | CVE-2025-48468 |
| Advantech--Advantech Wireless Sensing and Equipment (WISE) | Successful exploitation of the vulnerability could allow an unauthenticated attacker to conduct brute force guessing and account takeover as the session cookies are predictable, potentially allowing the attackers to gain root, admin or user access and reset passwords. | 2025-06-24 | 5 | CVE-2025-48461 |
| Advantech--Advantech Wireless Sensing and Equipment (WISE) | Successful exploitation of the vulnerability could allow an attacker to consume all available session slots and block other users from logging in, thereby preventing legitimate users from gaining access to the product. | 2025-06-24 | 4.2 | CVE-2025-48462 |
| Advantech--Advantech Wireless Sensing and Equipment (WISE) | Successful exploitation of the stored cross-site scripting vulnerability could allow an attacker to inject malicious scripts into device fields and executed in other users' browser, potentially leading to session hijacking, defacement, credential theft, or privilege escalation. | 2025-06-24 | 4.1 | CVE-2025-48470 |
| Aftab Husain--Hide Admin Bar From Front End | Cross-Site Request Forgery (CSRF) vulnerability in Aftab Husain Hide Admin Bar From Front End allows Cross Site Request Forgery. This issue affects Hide Admin Bar From Front End: from n/a through 1.0.0. | 2025-06-27 | 4.3 | CVE-2025-53267 |
| Akka--Akka | In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics. | 2025-06-28 | 6 | CVE-2025-53393 |
| Aman--Popup addon for Ninja Forms | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Aman Popup addon for Ninja Forms allows DOM-Based XSS. This issue affects Popup addon for Ninja Forms: from n/a through 3.4. | 2025-06-27 | 6.5 | CVE-2025-53279 |
| AMD--AMD EPYC 7001 Series | Improper signature verification in AMD CPU ROM microcode patch loader may allow an attacker with local administrator privilege to load malicious microcode, potentially resulting in loss of integrity of x86 instruction execution, loss of confidentiality and integrity of data in x86 CPU privileged context and compromise of SMM execution environment. | 2025-06-27 | 6.4 | CVE-2024-36347 |
| AntoineH--Football Pool | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AntoineH Football Pool allows Stored XSS. This issue affects Football Pool: from n/a through 2.12.5. | 2025-06-27 | 6.5 | CVE-2025-53280 |
| armandofiore--FL3R Accessibility Suite | The FL3R Accessibility Suite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fl3raccessibilitysuite shortcode in all versions up to, and including, 1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-27 | 6.4 | CVE-2025-6689 |
| aviplugins.com--Thumbnail Editor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aviplugins.com Thumbnail Editor allows Stored XSS. This issue affects Thumbnail Editor: from n/a through 2.3.3. | 2025-06-27 | 6.5 | CVE-2025-53282 |
| azumbro--Drive Folder Embedder | The Drive Folder Embedder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tablecssclass' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-6546 |
| blakelong--Tournament Bracket Generator | The Tournament Bracket Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'bracket' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-6290 |
| Blend Media--WordPress CTA | Cross-Site Request Forgery (CSRF) vulnerability in Blend Media WordPress CTA allows Cross Site Request Forgery. This issue affects WordPress CTA: from n/a through 1.6.9. | 2025-06-27 | 4.3 | CVE-2025-53270 |
| bourgesloic--Post Rating and Review | The Post Rating and Review plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-6538 |
| Brother Industries, Ltd--HL-L8260CDN | An authenticated attacker can reconfigure the target device to use an external service (such as LDAP or FTP) controlled by the attacker. If an existing password is present for an external service, the attacker can force the target device to authenticate to an attacker controlled device using the existing credentials for that external service. In the case of an external LDAP or FTP service, this will disclose the plaintext password for that external service to the attacker. | 2025-06-25 | 6.8 | CVE-2024-51984 |
| Brother Industries, Ltd--HL-L8260CDN | An unauthenticated attacker who can access either the HTTP service (TCP port 80), the HTTPS service (TCP port 443), or the IPP service (TCP port 631), can leak several pieces of sensitive information from a vulnerable device. The URI path /etc/mnt_info.csv can be accessed via a GET request and no authentication is required. The returned result is a comma separated value (CSV) table of information. The leaked information includes the device's model, firmware version, IP address, and serial number. | 2025-06-25 | 5.3 | CVE-2024-51977 |
| Brother Industries, Ltd--HL-L8260CDN | An unauthenticated attacker may perform a limited server side request forgery (SSRF), forcing the target device to open a TCP connection to an arbitrary port number on an arbitrary IP address. This SSRF leverages the WS-Addressing ReplyTo element in a Web service (HTTP TCP port 80) SOAP request. The attacker can not control the data sent in the SSRF connection, nor can the attacker receive any data back. This SSRF is suitable for TCP port scanning of an internal network when the Web service (HTTP TCP port 80) is exposed across a network segment. | 2025-06-25 | 5.3 | CVE-2024-51980 |
| Brother Industries, Ltd--HL-L8260CDN | An unauthenticated attacker may perform a blind server side request forgery (SSRF), due to a CLRF injection issue that can be leveraged to perform HTTP request smuggling. This SSRF leverages the WS-Addressing feature used during a WS-Eventing subscription SOAP operation. The attacker can control all the HTTP data sent in the SSRF connection, but the attacker can not receive any data back from this connection. | 2025-06-25 | 5.3 | CVE-2024-51981 |
| Burst Statistics B.V.--Burst Statistics | Cross-Site Request Forgery (CSRF) vulnerability in Burst Statistics B.V. Burst Statistics allows Cross Site Request Forgery. This issue affects Burst Statistics: from n/a through 2.0.6. | 2025-06-27 | 4.3 | CVE-2025-53193 |
| butterflymedia--Modern Design Library | The Modern Design Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-5842 |
| Canonical--cloud-init | cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands. | 2025-06-26 | 5.9 | CVE-2024-11584 |
| ceph--ceph | Ceph is a distributed object, block, and file storage platform. In versions 17.2.7, 18.2.1 through 18.2.4, and 19.0.0 through 19.2.2, an unprivileged user can escalate to root privileges in a ceph-fuse mounted CephFS by chmod 777 a directory owned by root to gain access. The result of this is that a user could read, write and execute to any directory owned by root as long as they chmod 777 it. This impacts confidentiality, integrity, and availability. It is patched in versions 17.2.8, 18.2.5, and 19.2.3. | 2025-06-26 | 6.5 | CVE-2025-52555 |
| chatchat-space--Langchain-Chatchat | A vulnerability classified as critical has been found in chatchat-space Langchain-Chatchat up to 0.3.1. This affects the function upload_temp_docs of the file /knowledge_base/upload_temp_docs of the component Backend. The manipulation of the argument flag leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6853 |
| chatchat-space--Langchain-Chatchat | A vulnerability, which was classified as critical, has been found in chatchat-space Langchain-Chatchat up to 0.3.1. This issue affects some unknown processing of the file /v1/file. The manipulation of the argument flag leads to path traversal. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 5.5 | CVE-2025-6855 |
| chatchat-space--Langchain-Chatchat | A vulnerability classified as problematic was found in chatchat-space Langchain-Chatchat up to 0.3.1. This vulnerability affects unknown code of the file /v1/files?purpose=assistants. The manipulation leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 4.3 | CVE-2025-6854 |
| checkpoint--Check Point SmartConsole | Credentials are not cleared from memory after being used. A user with Administrator permissions can execute memory dump for SmartConsole process and fetch them. | 2025-06-29 | 6.1 | CVE-2024-24915 |
| chemiker--e.nigma buttons | The e.nigma buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 1.1.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-5535 |
| Cisco--Cisco Identity Services Engine Software | A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to bypass the authorization mechanisms for specific administrative functions. This vulnerability is due to insufficient authorization enforcement mechanisms for users created by SAML SSO integration with an external identity provider. An attacker could exploit this vulnerability by submitting a series of specific commands to an affected device. A successful exploit could allow the attacker to modify a limited number of system settings, including some that would result in a system restart. In single-node Cisco ISE deployments, devices that are not authenticated to the network will not be able to authenticate until the Cisco ISE system comes back online. | 2025-06-25 | 6.4 | CVE-2025-20264 |
| code-projects--Car Rental System | A vulnerability was found in code-projects Car Rental System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/add_cars.php. The manipulation of the argument image leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 6.3 | CVE-2025-6667 |
| code-projects--Library System | A vulnerability classified as critical was found in code-projects Library System 1.0. Affected by this vulnerability is an unknown functionality of the file /profile.php. The manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6837 |
| code-projects--Product Inventory System | A vulnerability has been found in code-projects Product Inventory System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/edit_product.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 4.7 | CVE-2025-6841 |
| code-projects--Product Inventory System | A vulnerability was found in code-projects Product Inventory System 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/edit_user.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 4.7 | CVE-2025-6842 |
| code-projects--School Fees Payment System | A vulnerability classified as problematic was found in code-projects School Fees Payment System 1.0. Affected by this vulnerability is an unknown functionality of the file /student.php. The manipulation of the argument sname/contact/about/emailid/transcation_remark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-24 | 4.3 | CVE-2025-6569 |
| code-projects--Simple Forum | A vulnerability classified as critical was found in code-projects Simple Forum 1.0. This vulnerability affects unknown code of the file /forum_edit.php. The manipulation of the argument iii leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6847 |
| code-projects--Simple Forum | A vulnerability, which was classified as critical, has been found in code-projects Simple Forum 1.0. This issue affects some unknown processing of the file /forum1.php. The manipulation of the argument File leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6848 |
| code-projects--Simple Forum | A vulnerability has been found in code-projects Simple Forum 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /forum1.php. The manipulation of the argument File leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6850 |
| code-projects--Simple Forum | A vulnerability has been found in code-projects Simple Forum 1.0 and classified as critical. This vulnerability affects unknown code of the file /forum_downloadfile.php. The manipulation of the argument filename leads to path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 4.3 | CVE-2025-6866 |
| CodeAstro--Patient Record Management System | A vulnerability, which was classified as problematic, was found in CodeAstro Patient Record Management System 1.0. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 4.3 | CVE-2025-6664 |
| coldfunction--qCUDA | A vulnerability was found in coldfunction qCUDA up to db0085400c2f2011eed46fbc04fdc0873141688e. It has been rated as problematic. Affected by this issue is the function qcow_make_empty of the file qCUDA/qcu-device/block/qcow.c. The manipulation of the argument s->l1_size leads to integer overflow. The attack needs to be approached locally. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | 2025-06-25 | 5.3 | CVE-2025-6603 |
| Conjure--Position Department Service Quality Evaluation System | A vulnerability, which was classified as critical, has been found in Conjure Position Department Service Quality Evaluation System up to 1.0.11. Affected by this issue is the function eval of the file public/assets/less/bootstrap-less/mixins/head.php. The manipulation of the argument payload leads to backdoor. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6839 |
| cookiebot--Cookiebot | Cross-Site Request Forgery (CSRF) vulnerability in cookiebot Cookiebot allows Cross Site Request Forgery. This issue affects Cookiebot: from n/a through 4.5.8. | 2025-06-27 | 4.3 | CVE-2025-53197 |
| coolrunner--Homerunner | The Homerunner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.29. This is due to missing or incorrect nonce validation on the main_settings() function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-06-26 | 4.3 | CVE-2025-5932 |
| corporatezen222--Responsive Food and Drink Menu | The Responsive Food and Drink Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's display_pdf_menus shortcode in all versions up to, and including, 2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-6378 |
| CyberChimps--Responsive Blocks | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CyberChimps Responsive Blocks allows DOM-Based XSS. This issue affects Responsive Blocks: from n/a through 2.0.6. | 2025-06-27 | 6.5 | CVE-2025-53202 |
| danbriapps--Pre-Publish Post Checklist | Missing Authorization vulnerability in danbriapps Pre-Publish Post Checklist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pre-Publish Post Checklist: from n/a through 3.1. | 2025-06-27 | 4.3 | CVE-2025-53323 |
| Dilip kumar--Beauty Contact Popup Form | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dilip kumar Beauty Contact Popup Form allows Stored XSS. This issue affects Beauty Contact Popup Form: from n/a through 6.0. | 2025-06-27 | 5.9 | CVE-2025-53325 |
| diyhi--bbs | A vulnerability classified as critical has been found in diyhi bbs up to 6.8. This affects the function getUrl of the file /admin/login of the component HTTP Header Handler. The manipulation of the argument Host leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-27 | 6.3 | CVE-2025-6762 |
| douglaskarr--Podcast Feed Player Widget and Shortcode | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in douglaskarr Podcast Feed Player Widget and Shortcode allows Stored XSS. This issue affects Podcast Feed Player Widget and Shortcode: from n/a through 2.2.0. | 2025-06-27 | 6.5 | CVE-2025-53300 |
| Dromara--MaxKey | A vulnerability was found in Dromara MaxKey up to 4.1.7 and classified as critical. This issue affects the function Add of the file maxkey-webs\maxkey-web-mgt\src\main\java\org\dromara\maxkey\web\apps\contorller\SAML20DetailsController.java of the component Meta URL Handler. The manipulation of the argument post leads to server-side request forgery. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-23 | 6.3 | CVE-2025-6517 |
| ecoal95--EC Stars Rating | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ecoal95 EC Stars Rating allows Stored XSS. This issue affects EC Stars Rating: from n/a through 1.0.11. | 2025-06-27 | 5.9 | CVE-2025-53296 |
| EDGARROJAS--WooCommerce PDF Invoice Builder | Cross-Site Request Forgery (CSRF) vulnerability in EDGARROJAS WooCommerce PDF Invoice Builder allows Cross Site Request Forgery. This issue affects WooCommerce PDF Invoice Builder: from n/a through 1.2.148. | 2025-06-27 | 4.3 | CVE-2025-53203 |
| EdwardBock--Cron Logger | Missing Authorization vulnerability in EdwardBock Cron Logger allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cron Logger: from n/a through 1.3.0. | 2025-06-27 | 4.3 | CVE-2025-53266 |
| Elastic--Kibana | URL redirection to an untrusted site ('Open Redirect') in Kibana can lead to sending a user to an arbitrary site and server-side request forgery via a specially crafted URL. | 2025-06-25 | 4.3 | CVE-2025-25012 |
| Elena Yamshikova--Virusdie | Cross-Site Request Forgery (CSRF) vulnerability in Elena Yamshikova Virusdie allows Cross Site Request Forgery. This issue affects Virusdie: from n/a through 1.1.3. | 2025-06-27 | 5.4 | CVE-2025-53265 |
| emarket-design--Event RSVP and Simple Event Management Plugin | The Event RSVP and Simple Event Management Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'emd_mb_meta' shortcode in all versions up to, and including, 4.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-5540 |
| Enalean--tuleap | Tuleap is an Open Source Suite to improve management of software developments and collaboration. An attacker could use a vulnerability present in Tuleap Community Edition prior to version 16.8.99.1748845907 and Tuleap Enterprise Edition prior to versions 16.8-3 and 16.7-5 to trick victims into changing the canned responses. Tuleap Community Edition 16.8.99.1748845907, Tuleap Enterprise Edition 16.8-3, and Tuleap Enterprise Edition 16.7-5 contain a fix for the vulnerability. | 2025-06-25 | 4.6 | CVE-2025-48991 |
| Enalean--tuleap | Tuleap is an Open Source Suite to improve management of software developments and collaboration. An attacker could use a cross-site request forgery vulnerability in Tuleap Community Edition prior to version 16.8.99.1749830289 and Tuleap Enterprise Edition prior to version 16.9-1 to trick victims into changing the canned responses. Tuleap Community Edition 16.8.99.1749830289 and Tuleap Enterprise Edition 16.9-1 contain a patch for the issue. | 2025-06-25 | 4.6 | CVE-2025-50179 |
| filebrowser--filebrowser | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same is true for the database used by File Browser. On standard servers using File Browser prior to version 2.33.7 where the umask configuration has not been hardened before, this makes all the stated files readable by any operating system account. Version 2.33.7 fixes the issue. | 2025-06-26 | 5.5 | CVE-2025-52900 |
| Flock Safety--Gunshot Detection devices | Flock Safety Gunshot Detection devices before 1.3 have an on-chip debug interface with improper access control. | 2025-06-27 | 6.4 | CVE-2025-47819 |
| Flock Safety--License Plate Reader | Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have an on-chip debug interface with improper access control. | 2025-06-27 | 6.4 | CVE-2025-47822 |
| fmos--WP-PhotoNav | The WP-PhotoNav plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's photonav shortcode in all versions up to, and including, 1.2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-6383 |
| gioni--Plugin Inspector | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in gioni Plugin Inspector allows Path Traversal. This issue affects Plugin Inspector: from n/a through 1.5. | 2025-06-27 | 4.9 | CVE-2025-53298 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated attackers to create a DoS condition by sending crafted GraphQL requests. | 2025-06-26 | 6.5 | CVE-2025-3279 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed unauthenticated attackers to upload arbitrary files to public projects by sending crafted API requests, potentially leading to resource abuse and unauthorized content storage. | 2025-06-26 | 5.3 | CVE-2025-1754 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 17.2 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users with Guest role permissions to add child items to incident work items by sending crafted API requests that bypassed UI-enforced role restrictions. | 2025-06-26 | 4.3 | CVE-2025-5315 |
| gogs--gogs | Gogs is an open source self-hosted Git service. In application version 0.14.0+dev and prior, there is a stored cross-site scripting (XSS) vulnerability present in Gogs, which allows client-side Javascript code execution. The vulnerability is caused by the usage of a vulnerable and outdated component: pdfjs-1.4.20 under public/plugins/. This issue has been fixed for gogs.io/gogs in version 0.13.3. | 2025-06-24 | 6.3 | CVE-2025-47943 |
| gooaclok819--sublinkX | A vulnerability was found in gooaclok819 sublinkX up to 1.8. It has been rated as critical. Affected by this issue is the function AddTemp of the file api/template.go. The manipulation of the argument filename leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9 is able to address this issue. The patch is identified as 778d26aef723daa58df98c8060c43f5bf5d1b10b. It is recommended to upgrade the affected component. | 2025-06-27 | 6.3 | CVE-2025-6774 |
| gotson--komga | Komga is a media server for comics, mangas, BDs, magazines and eBooks. A Cross-Site Scripting (XSS) vulnerability has been discovered in versions 1.8.0 through 1.21.3 when serving EPUB resources, either directly from the API, or when reading using the epub reader. The vulnerability lets an attacker perform actions on the victim's behalf. When targeting an admin user, this can be combined with controlling a server-side command to achieve arbitrary code execution. For this vulnerability to be exploited, a malicious EPUB file has to be present in a Komga library, and subsequently accessed in the Epub reader by an admin user. Version 1.22.0 contains a patch for the issue. | 2025-06-24 | 4.2 | CVE-2025-52880 |
| gpriday--SiteOrigin Widgets Bundle | The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-url` DOM Element Attribute in all versions up to, and including, 1.68.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-25 | 6.4 | CVE-2025-5585 |
| grosbouff--WP SoundSystem | The WP SoundSystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wpsstm-track shortcode in all versions up to, and including, 3.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-6258 |
| gurievcreative--GC Social Wall | The GC Social Wall plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gc_social_wall' shortcode in all versions up to, and including, 1.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-5564 |
| Hexagon--HxGN OnCall Dispatch Advantage | Hexagon HxGN OnCall Dispatch Advantage (Web) v10.2309.03.00264 and Hexagon HxGN OnCall Dispatch Advantage (Mobile) v10.2402 are vulnerable to Cross Site Scripting (XSS) which allows a remote authenticated attacker with access to the Broadcast (Person) functionality to execute arbitrary code. | 2025-06-25 | 4.6 | CVE-2025-44206 |
| himmelblau-idm--himmelblau | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. A vulnerability present in versions 0.9.10 through 0.9.16 allows a user to authenticate to a Linux host via Himmelblau using an *invalid* Linux Hello PIN, provided the host is offline. While the user gains access to the local system, Single Sign-On (SSO) fails due to the network being down and the inability to issue tokens (due to a failure to unlock the Hello key). The core issue lies in an incorrect assumption within the `acquire_token_by_hello_for_business_key` function: it was expected to return a `TPMFail` error for an invalid Hello key when offline, but instead, a preceding nonce request resulted in a `RequestFailed` error, leading the system to erroneously transition to an offline success state without validating the Hello key unlock. This impacts systems using Himmelblau for authentication when operating in an offline state with Hello PIN authentication enabled. Rocky Linux 8 (and variants) are not affected by this vulnerability. The problem is resolved in Himmelblau version 0.9.17. A workaround is available for users who cannot immediately upgrade. Disabling Hello PIN authentication by setting `enable_hello = false` in `/etc/himmelblau/himmelblau.conf` will mitigate the vulnerability. | 2025-06-26 | 5.2 | CVE-2025-53013 |
| Hitachi Energy--MicroSCADA X SYS600 | A vulnerability exists in MicroSCADA X SYS600 product. If exploited this could allow a local unauthenticated attacker to tamper a system file, making denial of Notify service. | 2025-06-24 | 6.1 | CVE-2025-39201 |
| Hitachi Energy--MicroSCADA X SYS600 | A vulnerability exists in the IEC 61850 of the MicroSCADA X SYS600 product. An IEC 61850-8 crafted message content from IED or remote system can cause a denial of service resulting in disconnection loop. | 2025-06-24 | 6.5 | CVE-2025-39203 |
| Hitachi Energy--MicroSCADA X SYS600 | A vulnerability exists in the Web interface of the MicroSCADA X SYS600 product. The filtering query in the Web interface can be malformed, so returning data can leak unauthorized information to the user. | 2025-06-24 | 6.5 | CVE-2025-39204 |
| Hitachi Energy--MicroSCADA X SYS600 | A vulnerability exists in the IEC 61850 in MicroSCADA X SYS600 product. The certificate validation of the TLS protocol allows remote Man-in-the-Middle attack due to missing proper validation. | 2025-06-24 | 6.5 | CVE-2025-39205 |
| Hitachi Energy--Relion 670/650 and SAM600-IO | An authenticated user with file access privilege via FTP access can cause the Relion 670/650 and SAM600-IO series device to reboot due to improper disk space management. | 2025-06-24 | 6.5 | CVE-2025-1718 |
| HKUDS--LightRAG | A vulnerability was found in HKUDS LightRAG up to 1.3.8. It has been declared as critical. Affected by this vulnerability is the function upload_to_input_dir of the file lightrag/api/routers/document_routes.py of the component File Upload. The manipulation of the argument file.filename leads to path traversal. It is possible to launch the attack on the local host. The identifier of the patch is 60777d535b719631680bcf5d0969bdef79ca4eaf. It is recommended to apply a patch to fix this issue. | 2025-06-27 | 5.3 | CVE-2025-6773 |
| HT Plugins--HT Mega Absolute Addons for WPBakery Page Builder | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Mega - Absolute Addons for WPBakery Page Builder allows Stored XSS. This issue affects HT Mega - Absolute Addons for WPBakery Page Builder: from n/a through 1.0.8. | 2025-06-27 | 6.5 | CVE-2025-53206 |
| HT Plugins--HT Slider For Elementor | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HT Plugins HT Slider For Elementor allows DOM-Based XSS. This issue affects HT Slider For Elementor: from n/a through 1.6.5. | 2025-06-27 | 6.5 | CVE-2025-53199 |
| huija--bicycleSharingServer | A vulnerability, which was classified as critical, has been found in huija bicycleSharingServer up to 7b8a3ba48ad618604abd4797d2e7cf3b5ac7625a. Affected by this issue is the function userDao.selectUserByUserNameLike of the file UserServiceImpl.java. The manipulation of the argument Username leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | 2025-06-27 | 6.3 | CVE-2025-6738 |
| huija--bicycleSharingServer | A vulnerability classified as critical was found in huija bicycleSharingServer up to 7b8a3ba48ad618604abd4797d2e7cf3b5ac7625a. Affected by this vulnerability is the function searchAdminMessageShow of the file AdminController.java. The manipulation of the argument Title leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. | 2025-06-27 | 6.3 | CVE-2025-6749 |
| huija--bicycleSharingServer | A vulnerability was found in huija bicycleSharingServer 1.0 and classified as critical. This issue affects the function selectAdminByNameLike of the file AdminController.java. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-27 | 6.3 | CVE-2025-6753 |
| IBM--Cloud Pak System | IBM Cloud Pak System 2.3.5.0, 2.3.3.7, 2.3.3.7 iFix1 on Power and 2.3.3.6, 2.3.3.6 iFix1, 2.3.3.6 iFix2, 2.3.4.0, 2.3.4.1 on Intel operating systems is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. | 2025-06-27 | 5.4 | CVE-2023-38007 |
| IBM--Cognos Analytics | IBM Cognos Analytics 11.2.0 through 12.2.4 Fix Pack 5 and 12.0.0 through 12.0.4 is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2025-06-28 | 6.4 | CVE-2024-52900 |
| IBM--Datacap | IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. | 2025-06-28 | 5.4 | CVE-2024-39730 |
| IBM--Datacap | IBM Datacap 9.1.7, 9.1.8, and 9.1.9 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. | 2025-06-28 | 5.4 | CVE-2025-36027 |
| IBM--Datacap | IBM Datacap 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. | 2025-06-28 | 4.3 | CVE-2025-36026 |
| IBM--InfoSphere Information Server | IBM InfoSphere DataStage Flow Designer in IBM InfoSphere Information Server 11.7 discloses sensitive user information in API requests in clear text that could be intercepted using man in the middle techniques. | 2025-06-26 | 5.3 | CVE-2025-36034 |
| ickata--Image Editor by Pixo | The Image Editor by Pixo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'download' parameter in all versions up to, and including, 2.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-5588 |
| iCount--iCount Payment Gateway | Missing Authorization vulnerability in iCount iCount Payment Gateway allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects iCount Payment Gateway: from n/a through 2.0.6. | 2025-06-27 | 5.3 | CVE-2025-53295 |
| imw3--My Wp Brand | Cross-Site Request Forgery (CSRF) vulnerability in imw3 My Wp Brand allows Cross Site Request Forgery. This issue affects My Wp Brand: from n/a through 1.1.3. | 2025-06-27 | 4.3 | CVE-2025-53269 |
| innate-images-llc--VR Calendar | The VR Calendar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.7. This is due to missing or incorrect nonce validation on the syncCalendar() function. This makes it possible for unauthenticated attackers to trigger a calendar sync via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-06-27 | 4.3 | CVE-2025-5936 |
| InnoShop--InnoShop | Innoshop through 0.4.1 allows Insecure Direct Object Reference (IDOR) at multiple places within the frontend shop. Anyone can create a customer account and easily exploit these. Successful exploitation results in disclosure of the PII of other customers and the deletion of their reviews of products on the website. To be specific, an attacker could view the order details of any order by browsing to /en/account/orders/_ORDER_ID_ or use the address and billing information of other customers by manipulating the shipping_address_id and billing_address_id parameters when making an order (this information is then reflected in the receipt). Additionally, an attacker could delete the reviews of other users by sending a DELETE request to /en/account/reviews/_REVIEW_ID. | 2025-06-23 | 6.4 | CVE-2025-52920 |
| Intelbras--InControl | A vulnerability, which was classified as critical, has been found in Intelbras InControl 2.21.60.9. This issue affects some unknown processing of the file /v1/operador/ of the component HTTP PUT Request Handler. The manipulation leads to permission issues. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-27 | 6.3 | CVE-2025-6765 |
| itsourcecode--Employee Management System | A vulnerability was found in itsourcecode Employee Management System up to 1.0. It has been classified as critical. This affects an unknown part of the file /admin/editempprofile.php. The manipulation of the argument FirstName leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 4.7 | CVE-2025-6610 |
| jairoochoa--isMobile() Shortcode for WordPress | The isMobile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'device' parameter in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-27 | 6.4 | CVE-2025-6488 |
| java-aodeng--Hope-Boot | A vulnerability was found in java-aodeng Hope-Boot 1.0.0. It has been classified as problematic. Affected is the function doLogin of the file /src/main/java/com/hope/controller/WebController.java of the component Login. The manipulation of the argument redirect_url leads to open redirect. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-24 | 4.3 | CVE-2025-6552 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.03.3 a DOM-based XSS at the Performance Monitor page was possible | 2025-06-23 | 5.4 | CVE-2025-52875 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.03.3 reflected XSS on the favoriteIcon page was possible | 2025-06-23 | 5.4 | CVE-2025-52876 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.03.3 reflected XSS on diskUsageBuildsStats page was possible | 2025-06-23 | 4.8 | CVE-2025-52877 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.03.3 usernames were exposed to the users without proper permissions | 2025-06-23 | 4.3 | CVE-2025-52878 |
| JetBrains--TeamCity | In JetBrains TeamCity before 2025.03.3 reflected XSS in the NPM Registry integration was possible | 2025-06-23 | 4.8 | CVE-2025-52879 |
| johnjamesjacoby--A/B Testing for WordPress | The A/B Testing for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ab-testing-for-wp/ab-test-block' block in all versions up to, and including, 1.18.2 due to insufficient input sanitization and output escaping on the 'id' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-27 | 6.4 | CVE-2025-4587 |
| Josh--WP Edit | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Josh WP Edit allows Stored XSS. This issue affects WP Edit: from n/a through 4.0.4. | 2025-06-27 | 5.9 | CVE-2025-53253 |
| joshuayoes--ios-simulator-mcp | iOS Simulator MCP Server (ios-simulator-mcp) is a Model Context Protocol (MCP) server for interacting with iOS simulators. Versions prior to 1.3.3 are written in a way that is vulnerable to command injection vulnerability attacks as part of some of its MCP Server tool definition and implementation. The MCP Server exposes the tool `ui_tap` which relies on Node.js child process API `exec` which is an unsafe and vulnerable API if concatenated with untrusted user input. LLM exposed user input for `duration`, `udid`, and `x` and `y` args can be replaced with shell meta-characters like `;` or `&&` or others to change the behavior from running the expected command `idb` to another command. When LLMs are tricked through prompt injection (and other techniques and attack vectors) to call the tool with input that uses special shell characters such as `; rm -rf /tmp;#` and other payload variations, the full command-line text will be interepted by the shell and result in other commands except of `ps` executing on the host running the MCP Server. Version 1.3.3 contains a patch for the issue. | 2025-06-26 | 6 | CVE-2025-52573 |
| juzaweb--CMS | A vulnerability classified as critical has been found in juzaweb CMS 3.4.2. Affected is an unknown function of the file /admin-cp/imports of the component Import Page. The manipulation leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 6.3 | CVE-2025-6735 |
| juzaweb--CMS | A vulnerability classified as critical was found in juzaweb CMS 3.4.2. Affected by this vulnerability is an unknown functionality of the file /admin-cp/theme/install of the component Add New Themes Page. The manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 6.3 | CVE-2025-6736 |
| kanboard--kanboard | Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine valid usernames and circumvent rate-limiting or blocking mechanisms. Any organization running a publicly accessible Kanboard instance is affected, especially if relying on IP-based protections like Fail2Ban or CAPTCHA for login rate-limiting. Attackers with access to the login page can exploit this flaw to enumerate valid usernames and bypass IP-based blocking mechanisms, putting all user accounts at higher risk of brute-force or credential stuffing attacks. Version 1.2.46 contains a patch for the issue. | 2025-06-25 | 5.3 | CVE-2025-52576 |
| kaushik07--WP Masonry & Infinite Scroll | The WP Masonry & Infinite Scroll plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wmis' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-5488 |
| Konrd Koller--ONet Regenerate Thumbnails | Cross-Site Request Forgery (CSRF) vulnerability in Konrád Koller ONet Regenerate Thumbnails allows Cross Site Request Forgery. This issue affects ONet Regenerate Thumbnails: from n/a through 1.5. | 2025-06-27 | 4.3 | CVE-2025-53264 |
| kstover--Ninja Forms The Contact Form Builder That Grows With You | The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the use of a templating engine in all versions up to, and including, 3.10.2.1 due to insufficient output escaping on user data passed through the template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-27 | 6.4 | CVE-2025-5398 |
| Lenze--PLC Designer V4 | A local, low-privileged attacker can learn the password of the connected controller in PLC Designer V4 due to an incorrect implementation that results in the password being displayed in plain text under special conditions. | 2025-06-25 | 5.5 | CVE-2025-41647 |
| lfprojects--MLflow | gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation. | 2025-06-23 | 5.8 | CVE-2025-52967 |
| linlinjava--litemall | A vulnerability, which was classified as problematic, was found in linlinjava litemall 1.8.0. Affected is an unknown function of the file /wx/comment/post. The manipulation of the argument adminComment leads to improper authorization. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 4.3 | CVE-2025-6702 |
| macbookandrew--WP YouTube Live | Cross-Site Request Forgery (CSRF) vulnerability in macbookandrew WP YouTube Live allows Cross Site Request Forgery. This issue affects WP YouTube Live: from n/a through 1.10.0. | 2025-06-27 | 4.3 | CVE-2025-53261 |
| mdesignfa--Namasha By Mdesign | The Namasha By Mdesign plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'playicon_title' parameter in all versions up to, and including, 1.2.00 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-6537 |
| meshtastic--Meshtastic-Android | Meshtastic-Android is an Android application for the mesh radio software Meshtastic. Prior to version 2.5.21, an attacker is able to send an unencrypted direct message to a victim impersonating any other node of the mesh. This message will be displayed in the same chat that the victim normally communicates with the other node and it will appear as using PKC, while it is not. This means that the victim will be provided with a false sense of security due to the green padlock displayed when using PKC and they'll read the attacker's message as legitimate. Version 2.5.21 contains a patch for the issue. It is suggested to implement a stricter control on whether a message has been received using PKC or using the shared Meshtastic channel key. Moreover, instead of showing no green padlock icon in the chat with no PKC, consider using an explicit indicator like, for example, the yellow half-open padlock displayed when in HAM mode. This remediation, however, applies to the client applications rather than the Meshtastic firmware. | 2025-06-24 | 5.3 | CVE-2025-52883 |
| MongoDB Inc--MongoDB Server | An authenticated user may trigger a use after free that may result in MongoDB Server crash and other unexpected behavior, even if the user does not have authorization to shut down a server. The crash is triggered on affected versions by issuing an aggregation framework operation using a specific combination of rarely-used aggregation pipeline expressions. This issue affects MongoDB Server v6.0 version prior to 6.0.21, MongoDB Server v7.0 version prior to 7.0.17 and MongoDB Server v8.0 version prior to 8.0.4 when the SBE engine is enabled. | 2025-06-26 | 5 | CVE-2025-6706 |
| MongoDB Inc--MongoDB Server | Under certain conditions, an authenticated user request may execute with stale privileges following an intentional change by an authorized administrator. This issue affects MongoDB Server v5.0 version prior to 5.0.31, MongoDB Server v6.0 version prior to 6.0.24, MongoDB Server v7.0 version prior to 7.0.21 and MongoDB Server v8.0 version prior to 8.0.5. | 2025-06-26 | 4.2 | CVE-2025-6707 |
| Moodle--Moodle | A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | 2025-06-24 | 4.2 | CVE-2025-53021 |
| Morten Dalgaard Johansen--Dashboard Widget Sidebar | Missing Authorization vulnerability in Morten Dalgaard Johansen Dashboard Widget Sidebar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dashboard Widget Sidebar: from n/a through 1.2.3. | 2025-06-27 | 4.3 | CVE-2025-53293 |
| MS--WP Visual Sitemap | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in MS WP Visual Sitemap allows Stored XSS. This issue affects WP Visual Sitemap: from n/a through 1.0.2. | 2025-06-27 | 6.5 | CVE-2025-53290 |
| murtuzamakda52--web-cam | The web-cam plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slug' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-6540 |
| n/a--DaiCuo | A vulnerability, which was classified as problematic, was found in DaiCuo up to 1.3.13. This affects an unknown part of the file /admin.php/addon/index. The manipulation leads to cross-site request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 4.3 | CVE-2025-6865 |
| n/a--HDF5 | A vulnerability has been found in HDF5 up to 1.14.6 and classified as critical. This vulnerability affects the function H5F_addr_decode_len of the file /hdf5/src/H5Fint.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-06-23 | 5.3 | CVE-2025-6516 |
| n/a--SeaCMS | A vulnerability, which was classified as problematic, has been found in SeaCMS up to 13.2. Affected by this issue is some unknown functionality of the file /admin_type.php. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 4.3 | CVE-2025-6864 |
| n8n-io--n8n | n8n is a workflow automation platform. Versions prior to 1.98.0 have an Open Redirect vulnerability in the login flow. Authenticated users can be redirected to untrusted, attacker-controlled domains after logging in, by crafting malicious URLs with a misleading redirect query parameter. This may lead to phishing attacks by impersonating the n8n UI on lookalike domains (e.g., n8n.local.evil.com), credential or 2FA theft if users are tricked into re-entering sensitive information, and/or reputation risk due to the visual similarity between attacker-controlled domains and trusted ones. The vulnerability affects anyone hosting n8n and exposing the `/signin` endpoint to users. The issue has been patched in version 1.98.0. All users should upgrade to this version or later. The fix introduces strict origin validation for redirect URLs, ensuring only same-origin or relative paths are allowed after login. | 2025-06-26 | 4.6 | CVE-2025-49592 |
| Nabil Lemsieh--HurryTimer | Missing Authorization vulnerability in Nabil Lemsieh HurryTimer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HurryTimer: from n/a through 2.13.1. | 2025-06-27 | 5.3 | CVE-2025-53255 |
| neoxx--TimeZoneCalculator | The TimeZoneCalculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'timezonecalculator_output' shortcode in all versions up to, and including, 3.37 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-5559 |
| Netgate--pfSense | In Netgate pfSense CE 2.8.0, the "WebCfg - Diagnostics: Command" privilege allows reading arbitrary files via diag_command.php dlPath directory traversal. NOTE: the Supplier's perspective is that this is intended behavior for this privilege level, and that system administrators are informed through both the product documentation and UI. | 2025-06-28 | 5 | CVE-2025-53392 |
| NixOS--Nix | A race condition in the Nix, Lix, and Guix package managers enables changing the ownership of arbitrary files to the UID and GID of the build user (e.g., nixbld* or guixbuild*). This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. | 2025-06-27 | 5.6 | CVE-2025-52993 |
| NOYAFA--LF9 Pro | A vulnerability classified as problematic was found in NOYAFA/Xiami LF9 Pro up to 20250611. Affected by this vulnerability is an unknown functionality of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The exploit has been disclosed to the public and may be used. This dashcam is distributed by multiple resellers and different names. | 2025-06-24 | 4.3 | CVE-2025-6532 |
| NVIDIA--AIStore | NVIDIA AIStore contains a vulnerability in the AIS Operator where a user may gain elevated k8s cluster access by using the ServiceAccount attached to the ClusterRole. A successful exploit of this vulnerability may lead to information disclosure. | 2025-06-24 | 5 | CVE-2025-23260 |
| oatpp--Oat++ | A vulnerability was found in oatpp Oat++ up to 1.3.1. It has been declared as critical. This vulnerability affects the function deserializeArray of the file src/oatpp/json/Deserializer.cpp. The manipulation leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-24 | 5.3 | CVE-2025-6566 |
| omnipressteam--Omnipress | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in omnipressteam Omnipress allows DOM-Based XSS. This issue affects Omnipress: from n/a through 1.6.3. | 2025-06-27 | 6.5 | CVE-2025-53276 |
| openbao--openbao | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 may leak sensitive information in logs when processing malformed data. This is separate from the earlier HCSEC-2025-09 / CVE-2025-4166. This issue has been fixed in OpenBao v2.3.0 and later. Like with HCSEC-2025-09, there is no known workaround except to ensure properly formatted requests from all clients. | 2025-06-25 | 4.5 | CVE-2025-52893 |
| opicron--Image Cleanup | Cross-Site Request Forgery (CSRF) vulnerability in opicron Image Cleanup allows Cross Site Request Forgery. This issue affects Image Cleanup: from n/a through 1.9.2. | 2025-06-27 | 4.3 | CVE-2025-53272 |
| osompress--Osom Blocks Custom Post Type listing block | The Osom Blocks - Custom Post Type listing block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-27 | 6.4 | CVE-2025-5940 |
| pankaj.sakaria--CMS Blocks | Missing Authorization vulnerability in pankaj.sakaria CMS Blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CMS Blocks: from n/a through 1.1. | 2025-06-27 | 6.5 | CVE-2025-53284 |
| PHPGurukul--Hospital Management System | A vulnerability, which was classified as critical, has been found in PHPGurukul Hospital Management System 4.0. Affected by this issue is some unknown functionality of the file /doctor/search.php. The manipulation of the argument searchdata leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-24 | 6.3 | CVE-2025-6570 |
| plugindevs--Post Carousel Slider for Elementor | The Post Carousel Slider for Elementor plugin for WordPress is vulnerable to improper authorization due to a missing capability check on the process_wbelps_promo_form() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the plugin's supportâ€form handler to send arbitrary emails to the site's support address. | 2025-06-26 | 4.3 | CVE-2025-3863 |
| PluginsCafe--Address Autocomplete via Google for Gravity Forms | Cross-Site Request Forgery (CSRF) vulnerability in PluginsCafe Address Autocomplete via Google for Gravity Forms allows Cross Site Request Forgery. This issue affects Address Autocomplete via Google for Gravity Forms: from n/a through 1.3.4. | 2025-06-27 | 5.4 | CVE-2025-53263 |
| Preh Car Connect GmbH (JOYNEXT GmbH)--Volkswagen MIB3 infotainment system MIB3 OI MQB | There is no memory isolation between CPU cores of the MIB3 infotainment. This fact allows an attacker with access to the main operating system to compromise the CPU core responsible for CAN message processing. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | 2025-06-28 | 6.7 | CVE-2023-28907 |
| Preh Car Connect GmbH (JOYNEXT GmbH)--Volkswagen MIB3 infotainment system MIB3 OI MQB | A specific flaw exists within the Bluetooth stack of the MIB3 infotainment. The issue results from the lack of proper validation of user-supplied data, which can result in an arbitrary channel disconnection. An attacker can leverage this vulnerability to cause a denial-of-service attack for every connected client of the infotainment device. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | 2025-06-28 | 6.5 | CVE-2023-28911 |
| Preh Car Connect GmbH (JOYNEXT GmbH)--Volkswagen MIB3 infotainment system MIB3 OI MQB | The MIB3 infotainment unit used in Skoda and Volkswagen vehicles does not incorporate any privilege separation for the proprietary inter-process communication mechanism, leaving attackers with presence in the system an ability to undermine access control restrictions implemented at the operating system level. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | 2025-06-28 | 6.3 | CVE-2023-29113 |
| Preh Car Connect GmbH (JOYNEXT GmbH)--Volkswagen MIB3 infotainment system MIB3 OI MQB | A logic flaw leading to a RAM buffer overflow in the bootloader component of the MIB3 infotainment unit allows an attacker with physical access to the MIB3 ECU to bypass firmware signature verification and run arbitrary code in the infotainment system at boot process. | 2025-06-28 | 5.2 | CVE-2023-28904 |
| Preh Car Connect GmbH (JOYNEXT GmbH)--Volkswagen MIB3 infotainment system MIB3 OI MQB | A specific flaw exists within the Bluetooth stack of the MIB3 infotainment. The issue results from the lack of proper validation of user-supplied data, which can result in an integer overflow when receiving non-fragmented HCI packets on a channel. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | 2025-06-28 | 5.4 | CVE-2023-28908 |
| Preh Car Connect GmbH (JOYNEXT GmbH)--Volkswagen MIB3 infotainment system MIB3 OI MQB | The MIB3 unit stores the synchronized phone contact book in clear-text, allowing an attacker with either code execution privilege on the system or physical access to the system to obtain vehicle owner's contact data. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | 2025-06-28 | 5.7 | CVE-2023-28912 |
| PySpur-Dev--pyspur | A vulnerability was found in PySpur-Dev pyspur up to 0.1.18. It has been classified as critical. Affected is the function SingleLLMCallNode of the file backend/pyspur/nodes/llm/single_llm_call.py of the component Jinja2 Template Handler. The manipulation of the argument user_message leads to improper neutralization of special elements used in a template engine. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-23 | 6.3 | CVE-2025-6518 |
| qodeinteractive--Qi Addons For Elementor | The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 1.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-28 | 6.4 | CVE-2025-6252 |
| QuantumCloud--ChatBot | Missing Authorization vulnerability in QuantumCloud ChatBot allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ChatBot: from n/a through 6.7.3. | 2025-06-27 | 4.3 | CVE-2025-53200 |
| quarkusio--quarkus | Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.0, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantic data from one transaction can leak to the data from another transaction. From a Vert.x point of view, this new semantic clarifies the behavior. A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places. This issue has been patched in version 3.24.0. | 2025-06-23 | 6.4 | CVE-2025-49574 |
| Raise The Money--Raise The Money | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Raise The Money Raise The Money allows DOM-Based XSS. This issue affects Raise The Money: from n/a through 5.2. | 2025-06-27 | 6.5 | CVE-2025-53321 |
| Red Hat--Red Hat Data Grid 8 | A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found. | 2025-06-26 | 6.2 | CVE-2025-5731 |
| Red Hat--Red Hat Enterprise Linux 10 | A flaw was found in the libssh library. An out-of-bounds read can be triggered in the sftp_handle function due to an incorrect comparison check that permits the function to access memory beyond the valid handle list and to return an invalid pointer, which is used in further processing. This vulnerability allows an authenticated remote attacker to potentially read unintended memory regions, exposing sensitive information or affect service behavior. | 2025-06-24 | 5.4 | CVE-2025-5318 |
| rextheme--WP VR 360 Panorama and Free Virtual Tour Builder For WordPress | The WP VR - 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot-hover' parameter in all versions up to, and including, 8.5.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-28 | 6.4 | CVE-2025-6350 |
| Robert Cummings--Quick Favicon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Robert Cummings Quick Favicon allows Stored XSS. This issue affects Quick Favicon: from n/a through 0.22.8. | 2025-06-27 | 5.9 | CVE-2025-53287 |
| Rohil--Contact Form – 7 : Hide Success Message | Missing Authorization vulnerability in Rohil Contact Form – 7 : Hide Success Message allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Contact Form – 7 : Hide Success Message: from n/a through 1.1.4. | 2025-06-27 | 5.3 | CVE-2025-53304 |
| Roland Beaussant--Audio Editor & Recorder | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Roland Beaussant Audio Editor & Recorder allows Retrieve Embedded Sensitive Data. This issue affects Audio Editor & Recorder: from n/a through 2.2.3. | 2025-06-27 | 5.3 | CVE-2025-53211 |
| RooCodeInc--Roo-Code | Roo Code is an AI-powered autonomous coding agent. Prior to version 3.20.3, there was an issue where the Roo Code agent's `search_files` tool did not respect the setting to disable reads outside of the VS Code workspace. This means that an attacker who was able to inject a prompt into the agent could potentially read a sensitive file and then write the information to a JSON schema. Users have the option to disable schema fetching in VS Code, but the feature is enabled by default. For users with this feature enabled, writing to the schema would trigger a network request without the user having a chance to deny. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent. Version 3.20.3 fixed the issue where `search_files` did not respect the setting to limit it to the workspace. This reduces the scope of the damage if an attacker is able to take control of the agent through prompt injection or another vector. | 2025-06-27 | 5.9 | CVE-2025-53097 |
| RooCodeInc--Roo-Code | Roo Code is an AI-powered autonomous coding agent. The project-specific MCP configuration for the Roo Code agent is stored in the `.roo/mcp.json` file within the VS Code workspace. Because the MCP configuration format allows for execution of arbitrary commands, prior to version 3.20.3, it would have been possible for an attacker with access to craft a prompt to ask the agent to write a malicious command to the MCP configuration file. If the user had opted-in to auto-approving file writes within the project, this would have led to arbitrary command execution. This issue is of moderate severity, since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack), for the user to have MCP enabled (on by default), and for the user to have enabled auto-approved file writes (off by default). Version 3.20.3 fixes the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files, including all files within the `.roo/` folder. | 2025-06-27 | 5.9 | CVE-2025-53098 |
| rui_mashita--Aioseo Multibyte Descriptions | Cross-Site Request Forgery (CSRF) vulnerability in rui_mashita Aioseo Multibyte Descriptions allows Cross Site Request Forgery. This issue affects Aioseo Multibyte Descriptions: from n/a through 0.0.6. | 2025-06-27 | 4.3 | CVE-2025-53327 |
| ryanpcmcquen--Import external attachments | Cross-Site Request Forgery (CSRF) vulnerability in ryanpcmcquen Import external attachments allows Cross Site Request Forgery. This issue affects Import external attachments: from n/a through 1.5.12. | 2025-06-27 | 4.3 | CVE-2025-53268 |
| samsk--WP DataTable | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in samsk WP DataTable allows DOM-Based XSS. This issue affects WP DataTable: from n/a through 0.2.7. | 2025-06-27 | 6.5 | CVE-2025-53292 |
| scheeeli--EZ SQL Reports Shortcode Widget and DB Backup | The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's SQLREPORT shortcode in all versions up to, and including, 5.25.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-29 | 6.4 | CVE-2025-6462 |
| Sentry--Sentry | In Sentry 25.1.0 through 25.5.1, an authenticated attacker can access a project's issue endpoint and perform unauthorized actions (such as adding a comment) without being a member of the project's team. A seven-digit issue ID must be known (it is not treated as a secret and might be mentioned publicly, or it could be predicted). | 2025-06-24 | 4.2 | CVE-2025-53073 |
| sfturing--hosp_order | A vulnerability was found in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. It has been declared as critical. This vulnerability affects the function getOfficeName of the file OfficeServiceImpl.java. The manipulation of the argument officesName leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. | 2025-06-27 | 6.3 | CVE-2025-6766 |
| sfturing--hosp_order | A vulnerability was found in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. It has been rated as critical. This issue affects the function findDoctorByCondition of the file DoctorServiceImpl.java. The manipulation of the argument hospitalName leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | 2025-06-27 | 6.3 | CVE-2025-6767 |
| sfturing--hosp_order | A vulnerability classified as critical has been found in sfturing hosp_order up to 627f426331da8086ce8fff2017d65b1ddef384f8. Affected is the function findAllHosByCondition of the file HospitalServiceImpl.java. The manipulation of the argument hospitalName leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. | 2025-06-27 | 6.3 | CVE-2025-6768 |
| SIFUSM--BD S1 | A vulnerability was found in SIFUSM/MZZYG BD S1 up to 20250611. It has been declared as problematic. This vulnerability affects unknown code of the component RTSP Live Video Stream Endpoint. The manipulation leads to improper access controls. Access to the local network is required for this attack to succeed. The exploit has been disclosed to the public and may be used. This dashcam is distributed by multiple resellers and different names. | 2025-06-23 | 4.3 | CVE-2025-6531 |
| Slickstream--Slickstream | Cross-Site Request Forgery (CSRF) vulnerability in Slickstream Slickstream allows Cross Site Request Forgery. This issue affects Slickstream: from n/a through 2.0.3. | 2025-06-27 | 4.3 | CVE-2025-53273 |
| Smart Agenda--Smart Agenda | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Smart Agenda Smart Agenda allows Stored XSS. This issue affects Smart Agenda: from n/a through 4.9. | 2025-06-27 | 6.5 | CVE-2025-53294 |
| smub--Charitable Donation Plugin for WordPress Fundraising with Recurring Donations & More | The Charitable - Donation Plugin for WordPress - Fundraising with Recurring Donations & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the privacy settings fields in all versions up to, and including, 1.8.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. This issue was partially fixed in version 1.8.6.1 and fully fixed in version 1.8.6.2. | 2025-06-26 | 4.4 | CVE-2025-5275 |
| SourceCodester--Best Salon Management System | A vulnerability classified as critical was found in SourceCodester Best Salon Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /add-customer.php. The manipulation of the argument name/email/mobilenum/gender/details/dob/marriage_date leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-24 | 6.3 | CVE-2025-6581 |
| SourceCodester--Best Salon Management System | A vulnerability, which was classified as critical, has been found in SourceCodester Best Salon Management System 1.0. Affected by this issue is some unknown functionality of the file /edit-customer-detailed.php. The manipulation of the argument editid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-24 | 6.3 | CVE-2025-6582 |
| SourceCodester--Best Salon Management System | A vulnerability, which was classified as critical, was found in SourceCodester Best Salon Management System 1.0. This affects an unknown part of the file /view-appointment.php. The manipulation of the argument viewid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 6.3 | CVE-2025-6583 |
| SourceCodester--Best Salon Management System | A vulnerability classified as critical has been found in SourceCodester Best Salon Management System 1.0. This affects an unknown part of the file /panel/add-staff.php. The manipulation of the argument Name leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 6.3 | CVE-2025-6604 |
| SourceCodester--Best Salon Management System | A vulnerability classified as critical was found in SourceCodester Best Salon Management System 1.0. This vulnerability affects unknown code of the file /panel/edit-staff.php. The manipulation of the argument editid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 6.3 | CVE-2025-6605 |
| SourceCodester--Best Salon Management System | A vulnerability, which was classified as critical, has been found in SourceCodester Best Salon Management System 1.0. This issue affects some unknown processing of the file /panel/add-services.php. The manipulation of the argument Type leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 6.3 | CVE-2025-6606 |
| SourceCodester--Best Salon Management System | A vulnerability, which was classified as critical, was found in SourceCodester Best Salon Management System 1.0. Affected is an unknown function of the file /panel/stock.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 6.3 | CVE-2025-6607 |
| SourceCodester--Best Salon Management System | A vulnerability has been found in SourceCodester Best Salon Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /panel/edit-services.php. The manipulation of the argument editid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 6.3 | CVE-2025-6608 |
| SourceCodester--Best Salon Management System | A vulnerability was found in SourceCodester Best Salon Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /panel/bwdates-reports-details.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 6.3 | CVE-2025-6609 |
| SourceCodester--Best Salon Management System | A vulnerability was found in SourceCodester Best Salon Management System 1.0. It has been classified as critical. This affects an unknown part of the file /panel/pro_sale.php. The manipulation of the argument fromdate/todate leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6859 |
| SourceCodester--Best Salon Management System | A vulnerability was found in SourceCodester Best Salon Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /panel/staff_commision.php. The manipulation of the argument fromdate/todate leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6860 |
| SourceCodester--Best Salon Management System | A vulnerability was found in SourceCodester Best Salon Management System 1.0. It has been rated as critical. This issue affects some unknown processing of the file /panel/add_plan.php. The manipulation of the argument plan_name/description/duration_days/price leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6861 |
| SourceCodester--Best Salon Management System | A vulnerability classified as critical has been found in SourceCodester Best Salon Management System 1.0. Affected is an unknown function of the file /panel/edit_plan.php. The manipulation of the argument editid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6862 |
| SourceCodester--Best Salon Management System | A vulnerability, which was classified as critical, was found in SourceCodester Best Salon Management System 1.0. Affected is an unknown function of the file /panel/add_subscribe.php. The manipulation of the argument user_id/plan_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6874 |
| SourceCodester--Best Salon Management System | A vulnerability has been found in SourceCodester Best Salon Management System 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /panel/edit-subscription.php. The manipulation of the argument editid leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6875 |
| SourceCodester--Best Salon Management System | A vulnerability was found in SourceCodester Best Salon Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /panel/add-category.php. The manipulation of the argument Name leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6876 |
| SourceCodester--Best Salon Management System | A vulnerability was found in SourceCodester Best Salon Management System 1.0. It has been classified as critical. This affects an unknown part of the file /panel/edit-category.php. The manipulation of the argument editid leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 6.3 | CVE-2025-6877 |
| SourceCodester--Simple Company Website | A vulnerability was found in SourceCodester Simple Company Website 1.0 and classified as critical. This issue affects some unknown processing of the file /admin/services/manage.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 4.7 | CVE-2025-6867 |
| SourceCodester--Simple Company Website | A vulnerability was found in SourceCodester Simple Company Website 1.0. It has been classified as critical. Affected is an unknown function of the file /admin/clients/manage.php. The manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 4.7 | CVE-2025-6868 |
| SourceCodester--Simple Company Website | A vulnerability was found in SourceCodester Simple Company Website 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/testimonials/manage.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 4.7 | CVE-2025-6869 |
| SourceCodester--Simple Company Website | A vulnerability was found in SourceCodester Simple Company Website 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /classes/Content.php?f=service. The manipulation of the argument img leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 4.7 | CVE-2025-6870 |
| SourceCodester--Simple Company Website | A vulnerability classified as critical was found in SourceCodester Simple Company Website 1.0. This vulnerability affects unknown code of the file /classes/SystemSettings.php?f=update_settings. The manipulation of the argument img leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 4.7 | CVE-2025-6872 |
| SourceCodester--Simple Company Website | A vulnerability, which was classified as critical, has been found in SourceCodester Simple Company Website 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save. The manipulation of the argument img leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 4.7 | CVE-2025-6873 |
| suhailahmad64--Amazon Products to WooCommerce | The Amazon Products to WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcta2w_get_amazon_product_callback() function in all versions up to, and including, 1.2.7. This makes it possible for unauthenticated attackers to create new produces. | 2025-06-26 | 5.3 | CVE-2025-5813 |
| swift--Conference Scheduler | The Conference Scheduler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'className' parameter in all versions up to, and including, 2.5.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-24 | 6.4 | CVE-2025-5258 |
| TB-eye Ltd.--XRN-410SN/TE | Buffer Overflow vulnerability exists in multiple versions of TB-eye network recorders and AHD recorders. The CGI process may be terminated abnormally by processing a specially crafted request. | 2025-06-27 | 5.3 | CVE-2025-41418 |
| The Website Flip--Add & Replace Affiliate Links for Amazon | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in The Website Flip Add & Replace Affiliate Links for Amazon allows Stored XSS. This issue affects Add & Replace Affiliate Links for Amazon: from n/a through 1.0.6. | 2025-06-27 | 5.9 | CVE-2025-53285 |
| Theme Junkie--Theme Junkie Team Content | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Theme Junkie Theme Junkie Team Content allows DOM-Based XSS. This issue affects Theme Junkie Team Content: from n/a through 0.1.1. | 2025-06-27 | 6.5 | CVE-2025-53301 |
| TOTOLINK--CA300-PoE | A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been classified as critical. Affected is the function SetWLanApcliSettings of the file wps.so. The manipulation of the argument PIN leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 6.3 | CVE-2025-6618 |
| TOTOLINK--CA300-PoE | A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been declared as critical. Affected by this vulnerability is the function setUpgradeFW of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 6.3 | CVE-2025-6619 |
| TOTOLINK--CA300-PoE | A vulnerability was found in TOTOLINK CA300-PoE 6.2c.884. It has been rated as critical. Affected by this issue is the function setUpgradeUboot of the file upgrade.so. The manipulation of the argument FileName leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 6.3 | CVE-2025-6620 |
| TOTOLINK--CA300-PoE | A vulnerability classified as critical has been found in TOTOLINK CA300-PoE 6.2c.884. This affects the function QuickSetting of the file ap.so. The manipulation of the argument hour/minute leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 6.3 | CVE-2025-6621 |
| TrendMakers--Sight Bulb Pro Firmware ZJ_CG32-2201 | Unauthenticated users on an adjacent network with the Sight Bulb Pro can run shell commands as root through a vulnerable proprietary TCP protocol available on Port 16668. This vulnerability allows an attacker to run arbitrary commands on the Sight Bulb Pro by passing a well formed JSON string. | 2025-06-27 | 5.4 | CVE-2025-6522 |
| umbraco--Umbraco-CMS | Umbraco, a free and open source .NET content management system, has a vulnerability in versions 10.0.0 through 10.8.10 and 13.0.0 through 13.9.1. Via a request to an anonymously authenticated endpoint it's possible to retrieve information about the configured password requirements. The information available is limited but would perhaps give some additional detail useful for someone attempting to brute force derive a user's password. This information was not exposed in Umbraco 7 or 8, nor in 14 or higher versions. The vulnerability is patched in versions 10.8.11 and 13.9.2. | 2025-06-24 | 5.3 | CVE-2025-49147 |
| VaultDweller--Leyka | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VaultDweller Leyka allows DOM-Based XSS. This issue affects Leyka: from n/a through 3.31.9. | 2025-06-27 | 6.5 | CVE-2025-53275 |
| vgwort--VG WORT METIS | The VG WORT METIS plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gutenberg_save_post() function in all versions up to, and including, 2.0.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update limited post settings. | 2025-06-26 | 4.3 | CVE-2025-5812 |
| videowhisper--MicroPayments Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet | The MicroPayments - Fans Paysite: Paid Creator Subscriptions, Digital Assets, Wallet plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.2.0. This is due to missing or incorrect nonce validation on the adminOptions() function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2025-06-28 | 4.3 | CVE-2025-5937 |
| webangon--The Pack Elementor addon | The The Pack Elementor addon plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slider_options' parameter in all versions up to, and including, 2.1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-27 | 6.4 | CVE-2025-6550 |
| webcraftic--Cyrlitera | Cross-Site Request Forgery (CSRF) vulnerability in webcraftic Cyrlitera allows Cross Site Request Forgery. This issue affects Cyrlitera: from n/a through 1.2.0. | 2025-06-27 | 4.3 | CVE-2025-53254 |
| WhiteBeam--WhiteBeam | In WhiteBeam 0.2.0 through 0.2.1 before 0.2.2, a user with local access to a server can bypass the allow-list functionality because a file can be truncated in the OpenFileDescriptor action before the VerifyCanWrite action is performed. | 2025-06-23 | 5.7 | CVE-2021-47688 |
| Wp Enhanced--Free Downloads EDD | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Wp Enhanced Free Downloads EDD allows DOM-Based XSS. This issue affects Free Downloads EDD: from n/a through 1.0.4. | 2025-06-27 | 6.5 | CVE-2025-53320 |
| WPeka--WP AdCenter | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPeka WP AdCenter allows Stored XSS. This issue affects WP AdCenter: from n/a through 2.6.0. | 2025-06-27 | 6.5 | CVE-2025-53278 |
| WPManiax--WP DB Booster | Missing Authorization vulnerability in WPManiax WP DB Booster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP DB Booster: from n/a through 1.0.1. | 2025-06-27 | 5.4 | CVE-2025-53318 |
| wproyal--Royal Elementor Addons and Templates | The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widgets in all versions up to, and including, 1.7.1024 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-5338 |
| Writesonic--Writesonic | Cross-Site Request Forgery (CSRF) vulnerability in Writesonic Writesonic allows Cross Site Request Forgery. This issue affects Writesonic: from n/a through 1.0.4. | 2025-06-27 | 5.4 | CVE-2025-53262 |
| WSO2--WSO2 Enterprise Integrator | An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization. Successful exploitation of this vulnerability could lead to unauthorized disclosure of configuration or resource files that may be stored as registry versions, potentially aiding further attacks or system reconnaissance. | 2025-06-23 | 4.3 | CVE-2024-3511 |
| xiaoyunjie--openvpn-cms-flask | A vulnerability classified as critical has been found in xiaoyunjie openvpn-cms-flask up to 1.2.7. This affects the function create_user of the file /app/api/v1/openvpn.py of the component User Creation Endpoint. The manipulation of the argument Username leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.2.8 is able to address this issue. The patch is named e23559b98c8ea2957f09978c29f4e512ba789eb6. It is recommended to upgrade the affected component. | 2025-06-27 | 6.3 | CVE-2025-6775 |
| Xuxueli--xxl-sso | A vulnerability classified as problematic was found in Xuxueli xxl-sso 1.1.0. This vulnerability affects unknown code of the file /xxl-sso-server/login. The manipulation of the argument errorMsg leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 4.3 | CVE-2025-6700 |
| xxyopen--novel-plus | A vulnerability has been found in xxyopen/201206030 novel-plus up to 5.1.3 and classified as critical. This vulnerability affects the function list of the file novel-admin/src/main/resources/mybatis/system/UserMapper.xml of the component User Management Module. The manipulation of the argument sort/order leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-24 | 6.3 | CVE-2025-6535 |
| xxyopen--novel-plus | A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CATCHA Handler. The manipulation leads to authentication bypass by capture-replay. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-24 | 5.6 | CVE-2025-6533 |
| xxyopen--novel-plus | A vulnerability, which was classified as problematic, was found in xxyopen/201206030 novel-plus up to 5.1.3. This affects the function remove of the file novel-admin/src/main/java/com/java2nb/common/controller/FileController.java of the component File Handler. The manipulation leads to improper control of resource identifiers. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-24 | 4.2 | CVE-2025-6534 |
| yzcheng90--X-SpringBoot | A vulnerability was found in yzcheng90 X-SpringBoot up to 5.0 and classified as critical. Affected by this issue is the function uploadApk of the file /sys/oss/upload/apk of the component APK File Handler. The manipulation of the argument File leads to path traversal. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 6.3 | CVE-2025-6731 |
| ZealousWeb--Accept Authorize.NET Payments Using Contact Form 7 | Insertion of Sensitive Information Into Sent Data vulnerability in ZealousWeb Accept Authorize.NET Payments Using Contact Form 7 allows Retrieve Embedded Sensitive Data. This issue affects Accept Authorize.NET Payments Using Contact Form 7: from n/a through 2.5. | 2025-06-27 | 5.3 | CVE-2025-53322 |
| ZealousWeb--Accept Stripe Payments Using Contact Form 7 | Insertion of Sensitive Information Into Sent Data vulnerability in ZealousWeb Accept Stripe Payments Using Contact Form 7 allows Retrieve Embedded Sensitive Data. This issue affects Accept Stripe Payments Using Contact Form 7: from n/a through 3.0. | 2025-06-27 | 5.3 | CVE-2025-53309 |
| zourbuth--The Countdown Block Countdown Timer | The The Countdown plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' parameter in all versions up to, and including, 2.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2025-06-26 | 6.4 | CVE-2025-5929 |
Low Vulnerabilities
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 70mai--1S | A vulnerability classified as problematic has been found in 70mai 1S up to 20250611. This affects an unknown part of the component Video Services. The manipulation leads to improper authentication. Access to the local network is required for this attack to succeed. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-23 | 3.1 | CVE-2025-6524 |
| 70mai--M300 | A vulnerability, which was classified as problematic, has been found in 70mai M300 up to 20250611. This issue affects some unknown processing of the component HTTP Server. The manipulation leads to insufficiently protected credentials. The attack can only be done within the local network. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-23 | 3.1 | CVE-2025-6526 |
| 70mai--M300 | A vulnerability, which was classified as problematic, was found in 70mai M300 up to 20250611. Affected is an unknown function of the component Web Server. The manipulation leads to improper access controls. The attack can only be initiated within the local network. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-23 | 3.1 | CVE-2025-6527 |
| Adobe--Adobe Commerce | Adobe Commerce versions 2.4.8, 2.4.7-p5, 2.4.6-p10, 2.4.5-p12, 2.4.4-p13 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain limited unauthorized access. Exploitation of this issue does not require user interaction. | 2025-06-25 | 2.7 | CVE-2025-49549 |
| Advantech--Advantech Wireless Sensing and Equipment (WISE) | Successful exploitation of the vulnerability could allow an attacker to intercept data and conduct session hijacking on the exposed data as the vulnerable product uses unencrypted HTTP communication, potentially leading to unauthorised access or data tampering. | 2025-06-24 | 3.1 | CVE-2025-48463 |
| Bharti Airtel--Thanks App | A vulnerability classified as problematic has been found in Bharti Airtel Thanks App 4.105.4 on Android. Affected is an unknown function of the file /Android/data/com.myairtelapp/files/. The manipulation leads to cleartext storage in a file or on disk. It is possible to launch the attack on the physical device. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-27 | 2.1 | CVE-2025-6748 |
| ClickHouse--ClickHouse | ClickHouse 25.7.1.557 allows low-privileged users to execute shell commands by querying existing Executable() tables created by higher-privileged users. Although the CREATE TABLE privilege is restricted, there is no access control preventing low-privileged users from invoking Executable tables already present in the system. If an attacker can influence the contents of the script referenced by the Executable() engine through writable paths, they may execute controlled commands in the context of the ClickHouse server, leading to privilege escalation and unauthorized code execution. NOTE: the Supplier's position is that these types of executions by low-privileged users are the expected behavior. | 2025-06-23 | 2.8 | CVE-2025-52969 |
| code-projects--Food Distributor Site | A vulnerability, which was classified as problematic, was found in code-projects Food Distributor Site 1.0. Affected is an unknown function of the file /admin/save_settings.php. The manipulation of the argument site_phone/site_email/address leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-27 | 2.4 | CVE-2025-6778 |
| code-projects--Simple Forum | A vulnerability, which was classified as problematic, was found in code-projects Simple Forum 1.0. Affected is an unknown function of the file /forum_edit1.php. The manipulation of the argument text leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 3.5 | CVE-2025-6849 |
| Ethereum--RLPx | RLPx 5 has two CTR streams based on the same key, IV, and nonce. This can facilitate decryption on a private network. | 2025-06-29 | 3.4 | CVE-2015-20112 |
| Flock Safety--Gunshot Detection devices | Flock Safety Gunshot Detection devices before 1.3 have a hard-coded password for a connection. | 2025-06-27 | 2.2 | CVE-2025-47818 |
| Flock Safety--Gunshot Detection devices | Flock Safety Gunshot Detection devices before 1.3 have cleartext storage of code. | 2025-06-27 | 2 | CVE-2025-47820 |
| Flock Safety--Gunshot Detection devices | Flock Safety Gunshot Detection devices before 1.3 have a hardcoded password for a system. | 2025-06-27 | 2.2 | CVE-2025-47821 |
| Flock Safety--License Plate Reader | Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have a hardcoded password for a system. | 2025-06-27 | 2.2 | CVE-2025-47823 |
| Flock Safety--License Plate Reader | Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have cleartext storage of code. | 2025-06-27 | 2 | CVE-2025-47824 |
| GitLab--GitLab | An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to gain elevated project privileges by requesting access to projects where role modifications during the approval process resulted in unintended permission grants. | 2025-06-26 | 3.1 | CVE-2025-2938 |
| GitLab--GitLab | An issue has been discovered in GitLab EE affecting all versions from 16.10 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could have allowed authenticated users to assign unrelated compliance frameworks to projects by sending crafted GraphQL mutations that bypassed framework-specific permission checks. | 2025-06-26 | 2.7 | CVE-2025-5846 |
| gooaclok819--sublinkX | A vulnerability was found in gooaclok819 sublinkX up to 1.8. It has been declared as problematic. This vulnerability affects unknown code of the file middlewares/jwt.go. The manipulation with the input sublink leads to use of hard-coded cryptographic key . The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.9 is able to address this issue. The patch is identified as 778d26aef723daa58df98c8060c43f5bf5d1b10b. It is recommended to upgrade the affected component. | 2025-06-25 | 3.7 | CVE-2025-6669 |
| HashiCorp--Vault | Vault Community and Vault Enterprise rekey and recovery key operations can lead to a denial of service due to uncontrolled cancellation by a Vault operator. This vulnerability (CVE-2025-4656) has been remediated in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11, 1.17.17, and 1.16.22. | 2025-06-25 | 3.1 | CVE-2025-4656 |
| HTACG--tidy-html5 | A vulnerability was found in HTACG tidy-html5 5.8.0. It has been declared as problematic. This vulnerability affects the function InsertNodeAsParent of the file src/parser.c. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. | 2025-06-23 | 3.3 | CVE-2025-6496 |
| HTACG--tidy-html5 | A vulnerability was found in HTACG tidy-html5 5.8.0. It has been rated as problematic. This issue affects the function prvTidyParseNamespace of the file src/parser.c. The manipulation leads to reachable assertion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. | 2025-06-23 | 3.3 | CVE-2025-6497 |
| HTACG--tidy-html5 | A vulnerability classified as problematic has been found in HTACG tidy-html5 5.8.0. Affected is the function defaultAlloc of the file src/alloc.c. The manipulation leads to memory leak. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. | 2025-06-23 | 3.3 | CVE-2025-6498 |
| java-aodeng--Hope-Boot | A vulnerability was found in java-aodeng Hope-Boot 1.0.0 and classified as problematic. This issue affects the function Login of the file /src/main/java/com/hope/controller/WebController.java. The manipulation of the argument errorMsg leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-24 | 3.5 | CVE-2025-6551 |
| Kubernetes--Kubernetes | A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation. | 2025-06-23 | 2.7 | CVE-2025-4563 |
| LabRedesCefetRJ--WeGIA | A vulnerability has been found in LabRedesCefetRJ WeGIA 3.4.0 and classified as problematic. This vulnerability affects unknown code of the file /html/matPat/adicionar_unidade.php of the component Adicionar Unidade. The manipulation of the argument Insira a nova unidade leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 3.5 | CVE-2025-6694 |
| LabRedesCefetRJ--WeGIA | A vulnerability was found in LabRedesCefetRJ WeGIA 3.4.0 and classified as problematic. This issue affects some unknown processing of the file /html/matPat/adicionar_categoria.php of the component Additional Categoria. The manipulation of the argument Insira a nova categoria leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 3.5 | CVE-2025-6695 |
| LabRedesCefetRJ--WeGIA | A vulnerability was found in LabRedesCefetRJ WeGIA 3.4.0. It has been classified as problematic. Affected is an unknown function of the file /html/atendido/Cadastro_Atendido.php of the component Cadastro de Atendio. The manipulation of the argument Nome/Sobrenome leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. This is a different issue than CVE-2025-22615. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 3.5 | CVE-2025-6696 |
| LabRedesCefetRJ--WeGIA | A vulnerability was found in LabRedesCefetRJ WeGIA 3.4.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /html/matPat/adicionar_tipoEntrada.php of the component Adicionar tipo. The manipulation of the argument Insira o novo tipo leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 3.5 | CVE-2025-6697 |
| LabRedesCefetRJ--WeGIA | A vulnerability was found in LabRedesCefetRJ WeGIA 3.4.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /html/matPat/adicionar_tipoSaida.php of the component Adicionar tipo. The manipulation of the argument Insira o novo tipo leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 3.5 | CVE-2025-6698 |
| LabRedesCefetRJ--WeGIA | A vulnerability classified as problematic has been found in LabRedesCefetRJ WeGIA 3.4.0. This affects an unknown part of the file /html/funcionario/cadastro_funcionario.php of the component Cadastro de Funcionário. The manipulation of the argument Nome/Sobrenome leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. This is a different issue than CVE-2025-23030. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 3.5 | CVE-2025-6699 |
| lxc--incus | Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus version 6.12 and 6.13 generates nftables rules for local services (DHCP, DNS...) that partially bypass security options `security.mac_filtering`, `security.ipv4_filtering` and `security.ipv6_filtering`. This can lead to DHCP pool exhaustion and opens the door for other attacks. A patch is available at commit 2516fb19ad8428454cb4edfe70c0a5f0dc1da214. | 2025-06-25 | 3.4 | CVE-2025-52889 |
| LycheeOrg--Lychee | Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the `/api/v2/Photo::fromUrl` endpoint. This flaw lets an attacker instruct the application's backend to make HTTP requests to any URL they choose. Consequently, internal network resources-such as localhost services or cloud-provider metadata endpoints-become reachable. The endpoint takes a URL from the user and calls it server-side via fopen() without any safeguards. There is no IP address validation, nor are there any allow-list, timeout, or size restrictions. Because of this, attackers can point the application at internal targets. Using this flaw, an attacker can perform internal port scans or retrieve sensitive cloud metadata. Version 6.6.13 contains a patch for the issue. | 2025-06-27 | 3 | CVE-2025-53018 |
| n/a--HDF5 | A vulnerability, which was classified as problematic, has been found in HDF5 1.14.6. Affected by this issue is the function H5O__mtime_new_encode of the file src/H5Omtime.c. The manipulation leads to heap-based buffer overflow. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. | 2025-06-27 | 3.3 | CVE-2025-6750 |
| n/a--HDF5 | A vulnerability classified as problematic was found in HDF5 1.14.6. This vulnerability affects the function H5O__fsinfo_encode of the file /src/H5Ofsinfo.c. The manipulation leads to heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 3.3 | CVE-2025-6816 |
| n/a--HDF5 | A vulnerability, which was classified as problematic, has been found in HDF5 1.14.6. This issue affects the function H5C__load_entry of the file /src/H5Centry.c. The manipulation leads to resource consumption. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 3.3 | CVE-2025-6817 |
| n/a--HDF5 | A vulnerability, which was classified as problematic, was found in HDF5 1.14.6. Affected is the function H5O__chunk_protect of the file /src/H5Ochunk.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-06-28 | 3.3 | CVE-2025-6818 |
| n/a--HDF5 | A vulnerability, which was classified as problematic, was found in HDF5 1.14.6. Affected is the function H5FL__reg_gc_list of the file src/H5FL.c. The manipulation leads to use after free. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 3.3 | CVE-2025-6856 |
| n/a--HDF5 | A vulnerability has been found in HDF5 1.14.6 and classified as problematic. Affected by this vulnerability is the function H5G__node_cmp3 of the file src/H5Gnode.c. The manipulation leads to stack-based buffer overflow. It is possible to launch the attack on the local host. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 3.3 | CVE-2025-6857 |
| n/a--HDF5 | A vulnerability was found in HDF5 1.14.6 and classified as problematic. Affected by this issue is the function H5C__flush_single_entry of the file src/H5Centry.c. The manipulation leads to null pointer dereference. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-06-29 | 3.3 | CVE-2025-6858 |
| n/a--Tarantool | A vulnerability has been found in Tarantool up to 3.3.1 and classified as problematic. Affected by this vulnerability is the function tm_to_datetime in the library src/lib/core/datetime.c. The manipulation leads to reachable assertion. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used. | 2025-06-24 | 3.3 | CVE-2025-6536 |
| NixOS--Nix | A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. | 2025-06-27 | 3.2 | CVE-2025-46415 |
| NixOS--Nix | The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data manipulation. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. | 2025-06-27 | 3.2 | CVE-2025-52991 |
| NixOS--Nix | The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside of the build sandbox. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. | 2025-06-27 | 3.2 | CVE-2025-52992 |
| NixOS--Nix | The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild). This affects Nix through 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix through 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b. | 2025-06-27 | 2.9 | CVE-2025-46416 |
| PHPGurukul--Hospital Management System | A vulnerability classified as problematic was found in PHPGurukul Hospital Management System 4.0. Affected by this vulnerability is an unknown functionality of the file /doctor/manage-patient.php. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | 2025-06-25 | 3.5 | CVE-2025-6613 |
| Preh Car Connect GmbH (JOYNEXT GmbH)--Volkswagen MIB3 infotainment system MIB3 OI MQB | An integer underflow in the image processing binary of the MIB3 infotainment unit allows an attacker with local access to the vehicle to cause denial-of-service of the infotainment system. The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part numbers is provided in the referenced resources. | 2025-06-28 | 3.3 | CVE-2023-28902 |
| Preh Car Connect GmbH (JOYNEXT GmbH)--Volkswagen MIB3 infotainment system MIB3 OI MQB | An integer overflow in the image processing binary of the MIB3 infotainment unit allows an attacker with local access to the vehicle to cause a denial-of-service of the infotainment system. | 2025-06-28 | 3.3 | CVE-2023-28903 |
| seaswalker--spring-analysis | A vulnerability was found in seaswalker spring-analysis up to 4379cce848af96997a9d7ef91d594aa129be8d71. It has been declared as problematic. Affected by this vulnerability is the function echo of the file /src/main/java/controller/SimpleController.java. The manipulation of the argument Name leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. | 2025-06-23 | 3.5 | CVE-2025-6509 |
| spytrap-org--spytrap-adb | In scan.rs in spytrap-adb before 0.3.5, matches for known stalkerware are not rendered in the interactive user interface. | 2025-06-23 | 2.7 | CVE-2025-52926 |
| vstakhov--libucl | A vulnerability classified as problematic was found in vstakhov libucl up to 0.9.2. Affected by this vulnerability is the function ucl_parse_multiline_string of the file src/ucl_parser.c. The manipulation leads to heap-based buffer overflow. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. | 2025-06-23 | 3.3 | CVE-2025-6499 |
| Xuxueli--xxl-sso | A vulnerability, which was classified as problematic, has been found in Xuxueli xxl-sso 1.1.0. This issue affects some unknown processing of the file /xxl-sso-server/doLogin. The manipulation of the argument redirect_url leads to open redirect. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2025-06-26 | 3.5 | CVE-2025-6701 |
Severity Not Yet Assigned
| Primary Vendor -- Product |
Description | Published | CVSS Score | Source Info |
|---|---|---|---|---|
| 5VTechnologies--Blue Angel Software Suite | An OS command injection vulnerability exists in the Blue Angel Software Suite running on embedded Linux devices via the ping_addr parameter in the webctrl.cgi script. The application fails to properly sanitize input before passing it to the system-level ping command. An authenticated attacker can inject arbitrary commands by appending shell metacharacters to the ping_addr parameter in a crafted GET request to /cgi-bin/webctrl.cgi?action=pingtest_update. The command's output is reflected in the application's web interface, enabling attackers to view results directly. Default and backdoor credentials can be used to access the interface and exploit the issue. Successful exploitation results in arbitrary command execution as the root user. | 2025-06-24 | not yet calculated | CVE-2025-34033 |
| 5VTechnologies--Blue Angel Software Suite | A hardcoded credential vulnerability exists in the Blue Angel Software Suite deployed on embedded Linux systems. The application contains multiple known default and hardcoded user accounts that are not disclosed in public documentation. These accounts allow unauthenticated or low-privilege attackers to gain administrative access to the device's web interface. | 2025-06-24 | not yet calculated | CVE-2025-34034 |
| anthropics--claude-code | Claude Code is an agentic coding tool. Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, Pycharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions versions 0.2.116 through 1.0.23 are vulnerable. For Jetbrains IDE plugins, Claude Code [beta] versions 0.1.1 through 0.1.8 are vulnerable. In VSCode (and forks), exploitation would allow an attacker to read arbitrary files, see the list of files open in the IDE, get selection and diagnostics events from the IDE, or execute code in limited situations where a user has an open Jupyter Notebook and accepts a malicious prompt. In JetBrains IDEs, an attacker could get selection events, a list of open files, and a list of syntax errors. Claude released a patch for this issue on June 13th, 2025. Although Claude Code auto-updates when a user launch it and auto-updates the extensions, users should take the following steps, though the exact steps depend on one's integrated development environment (IDE). For VSCode, Cursor, Windsurf, VSCodium, and other VSCode forks, check the extension Claude Code for VSCode. Open the list of Extensions (View->Extensions), look for Claude Code for VSCode among installed extensions, update or uninstall any version prior to 1.0.24, and restart the IDE. For JetBrains IDEs including IntelliJ, PyCharm, and Android Studio, check the plugin Claude Code [Beta]. Open the Plugins list, look for Claude Code [Beta] among installed extensions, update or uninstall any version prior to 0.1.9, and restart the IDE. | 2025-06-24 | not yet calculated | CVE-2025-52882 |
| Apache Software Foundation--Apache Airflow Providers Snowflake | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) vulnerability in Apache Airflow Providers Snowflake. This issue affects Apache Airflow Providers Snowflake: before 6.4.0. Sanitation of table and stage parameters were added in CopyFromExternalStageToSnowflakeOperator to prevent SQL injection Users are recommended to upgrade to version 6.4.0, which fixes the issue. | 2025-06-24 | not yet calculated | CVE-2025-50213 |
| Apache Software Foundation--Apache Seata (incubating) | Deserialization of Untrusted Data vulnerability in Apache Seata (incubating). This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow. This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0. Users are recommended to upgrade to version 2.3.0, which fixes the issue. | 2025-06-28 | not yet calculated | CVE-2025-32897 |
| Autel--Autel MaxiCharger AC Wallbox Commercial | Autel MaxiCharger AC Wallbox Commercial Technician API Incorrect Authorization Privilege Escalation Vulnerability. This vulnerability allows remote attackers to escalate privileges on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. An attacker must first obtain a low-privileged authorization token in order to exploit this vulnerability. The specific flaw exists within the implementation of the Autel Technician API. The issue results from incorrect authorization. An attacker can leverage this vulnerability to escalate privileges to resources normally protected from the user. Was ZDI-CAN-26325. | 2025-06-25 | not yet calculated | CVE-2025-5822 |
| Autel--Autel MaxiCharger AC Wallbox Commercial | Autel MaxiCharger AC Wallbox Commercial Serial Number Exposed Dangerous Method Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autel MaxiCharger AC Wallbox Commercial EV chargers. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the Autel Technician API. The issue results from an exposed dangerous method. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-26351. | 2025-06-25 | not yet calculated | CVE-2025-5823 |
| Autel--Autel MaxiCharger AC Wallbox Commercial | Autel MaxiCharger AC Wallbox Commercial Origin Validation Error Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Autel MaxiCharger AC Wallbox Commercial. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability. The specific flaw exists within the handling of bluetooth pairing requests. The issue results from insufficient validation of the origin of commands. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26353. | 2025-06-25 | not yet calculated | CVE-2025-5824 |
| Autel--Autel MaxiCharger AC Wallbox Commercial | Autel MaxiCharger AC Wallbox Commercial Firmware Downgrade Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. An attacker must first obtain the ability to pair a malicious Bluetooth device with the target system in order to exploit this vulnerability. The specific flaw exists within the firmware update process. The issue results from the lack of proper validation of a firmware image before using it to perform an upgrade. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the device. Was ZDI-CAN-26354. | 2025-06-25 | not yet calculated | CVE-2025-5825 |
| Autel--Autel MaxiCharger AC Wallbox Commercial | Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg Misinterpretation of Input Vulnerability. This vulnerability allows network-adjacent attackers to inject arbitrary AT commands on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ble_process_esp32_msg function. The issue results from misinterpretation of input data. An attacker can leverage this vulnerability to execute AT commands in the context of the device. Was ZDI-CAN-26368. | 2025-06-25 | not yet calculated | CVE-2025-5826 |
| Autel--Autel MaxiCharger AC Wallbox Commercial | Autel MaxiCharger AC Wallbox Commercial ble_process_esp32_msg Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Wallbox Commercial EV chargers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ble_process_esp32_msg function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26369. | 2025-06-25 | not yet calculated | CVE-2025-5827 |
| Autel--Autel MaxiCharger AC Wallbox Commercial | Autel MaxiCharger AC Wallbox Commercial wLength Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Wallbox Commercial EV chargers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of USB frame packets. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26328. | 2025-06-25 | not yet calculated | CVE-2025-5828 |
| Autel--Autel MaxiCharger AC Wallbox Commercial | Autel MaxiCharger AC Wallbox Commercial autocharge Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected affected installations of Autel MaxiCharger AC Wallbox Commercial EV chargers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of JSON messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26330. | 2025-06-25 | not yet calculated | CVE-2025-5829 |
| Autel--Autel MaxiCharger AC Wallbox Commercial | Autel MaxiCharger AC Wallbox Commercial DLB_SlaveRegister Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Autel MaxiCharger AC Wallbox Commercial EV chargers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of DLB_SlaveRegister messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26327. | 2025-06-25 | not yet calculated | CVE-2025-5830 |
| Autel--Autel MaxiCharger AC Wallbox Commercial | Autel MaxiCharger AC Wallbox Commercial PIN Missing Authentication Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Autel MaxiCharger AC Wallbox Commercial charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Pile API. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to disclose credentials, leading to further compromise. Was ZDI-CAN-26352. | 2025-06-25 | not yet calculated | CVE-2025-6678 |
| Aviatrix--Controller | Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 do not enforce rate limiting on password reset attempts, allowing adversaries to brute force guess the 6-digit password reset PIN | 2025-06-23 | not yet calculated | CVE-2025-2171 |
| Aviatrix--Controller | Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 fail to sanitize user input prior to passing the input to command line utilities, allowing command injection via special characters in filenames | 2025-06-23 | not yet calculated | CVE-2025-2172 |
| Backdrop--Backdrop CMS | A Cross-Site Scripting (XSS) vulnerability exists in the node creation form of Backdrop CMS 1.30. | 2025-06-26 | not yet calculated | CVE-2025-44141 |
| Beakon Software--Beakon Learning Management System Sharable Content Object Reference Model (SCORM) | SQL Injection vulnerability in Beakon Software Beakon Learning Management System Sharable Content Object Reference Model (SCORM) version before 5.4.3 allows a remote attacker to obtain sensitive information via the ks parameter in json_scorm.php file | 2025-06-23 | not yet calculated | CVE-2025-46101 |
| Beijing NetGuard Nebula Information Technology Co., Ltd.--Leadsec SSL VPN | A path traversal vulnerability exists in the Leadsec SSL VPN (formerly Lenovo NetGuard), allowing unauthenticated attackers to read arbitrary files on the underlying system via the ostype parameter in the /vpn/user/download/client endpoint. This flaw arises from insufficient input sanitation, enabling traversal sequences to escape the intended directory and access sensitive files. | 2025-06-26 | not yet calculated | CVE-2025-34047 |
| Beijing Zhiyuan Internet Software Co., Ltd.--OA | An arbitrary file upload vulnerability exists in the Zhiyuan OA platform 5.0, 5.1 - 5.6sp1, 6.0 - 6.1sp2, 7.0, 7.0sp1 - 7.1, 7.1sp1, and 8.0 - 8.0sp2 via the wpsAssistServlet interface. The realFileType and fileId parameters are improperly validated during multipart file uploads, allowing unauthenticated attackers to upload crafted JSP files outside of intended directories using path traversal. Successful exploitation enables remote code execution as the uploaded file can be accessed and executed through the web server. | 2025-06-24 | not yet calculated | CVE-2025-34040 |
| Beward--N100 IP Camera | An authenticated command injection vulnerability exists in the Beward N100 IP Camera firmware version M2.1.6.04C014 via the ServerName and TimeZone parameters in the servetest CGI page. An attacker with access to the web interface can inject arbitrary system commands into these parameters, which are unsafely embedded into backend system calls without proper input sanitization. Successful exploitation results in remote code execution with root privileges. | 2025-06-26 | not yet calculated | CVE-2025-34042 |
| BROTHER INDUSTRIES, LTD.--Multiple driver installers for Windows | Multiple Brother driver installers for Windows contain a privilege escalation vulnerability. If exploited, an arbitrary program may be executed with the administrative privilege. As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References]. | 2025-06-25 | not yet calculated | CVE-2025-49797 |
| CADClick--CADClick ccCatalog | Cross-Site Scripting (XSS) vulnerability in CADClick v1.13.0 and before allows remote attackers to inject arbitrary web script or HTML via the "tree" parameter. | 2025-06-25 | not yet calculated | CVE-2025-25905 |
| Canon USA Inc.--Canon EOS Webcam Utility Pro | Canon EOS Webcam Utility Pro for MAC OS version 2.3d (2.3.29) and earlier contains an improper directory permissions vulnerability. Exploitation of this vulnerability requires administrator access by a malicious user. An attacker could modify the directory, potentially resulting in code execution and ultimately leading to privilege escalation. | 2025-06-26 | not yet calculated | CVE-2025-5995 |
| ControlID--iDSecure On-premises | ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an improper authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product. | 2025-06-24 | not yet calculated | CVE-2025-49851 |
| cvat-ai--cvat | CVAT is an open source interactive video and image annotation tool for computer vision. Versions 2.2.0 through 2.39.0 have no validation during the import process of a project or task backup to check that the filename specified in the query parameter refers to a TUS-uploaded file belonging to the same user. As a result, if an attacker with a CVAT account and a `user` role knows the filenames of other users' uploads, they could potentially access and steal data by creating projects or tasks using those files. This issue does not affect annotation or dataset TUS uploads, since in this case object-specific temporary directories are used. Users should upgrade to CVAT 2.40.0 or a later version to receive a patch. No known workarounds are available. | 2025-06-25 | not yet calculated | CVE-2025-49135 |
| Cypress (Infineon)--Cypress PSoC4 | A state machine transition flaw in the Bluetooth Low Energy (BLE) stack of Cypress PSoC4 v3.66 allows attackers to bypass the pairing process and authentication via a crafted pairing_failed packet. | 2025-06-27 | not yet calculated | CVE-2025-44557 |
| D-Link--DIR-823-Pro | D-Link DIR-823-Pro 1.02 has improper permission control, allowing unauthorized users to turn on and access Telnet services. | 2025-06-27 | not yet calculated | CVE-2025-45729 |
| D-Link--DSL-2730U | A path traversal vulnerability exists in the web management interface of D-Link DSL-2730U, DSL-2750U, and DSL-2750E ADSL routers with firmware versions IN_1.02, SEA_1.04, and SEA_1.07. The vulnerability is due to insufficient input validation on the getpage parameter within the /cgi-bin/webproc CGI script. This flaw allows an unauthenticated remote attacker to perform path traversal attacks by supplying crafted requests, enabling arbitrary file read on the affected device. | 2025-06-26 | not yet calculated | CVE-2025-34048 |
| dail8859--NotepadNext | Out-of-bounds Read vulnerability in dail8859 NotepadNext (src/lua/src modules). This vulnerability is associated with program files lparser.C. This issue affects NotepadNext: through v0.11. The singlevar() in lparser.c lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code. | 2025-06-23 | not yet calculated | CVE-2025-52938 |
| dail8859--NotepadNext | Out-of-bounds Write vulnerability in dail8859 NotepadNext (src/lua/src modules). This vulnerability is associated with program files ldebug.C, lvm.C. This issue affects NotepadNext: through v0.11. | 2025-06-23 | not yet calculated | CVE-2025-52939 |
| dataease--dataease | DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.11, a threat actor may take advantage of a feature in Java in which the character "ı" becomes "I" when converted to uppercase, and the character "ſ" becomes "S" when converted to uppercase. A threat actor who uses a carefully crafted message that exploits this character conversion can cause remote code execution. The vulnerability has been fixed in v2.10.11. No known workarounds are available. | 2025-06-26 | not yet calculated | CVE-2025-49003 |
| Debian--pdns | pdns specific as packaged in Debian in version before 3.3.1-1 creates a too privileged MySQL user. It was discovered that the maintainer scripts of pdns-backend-mysql grant too wide database permissions for the pdns user. Other backends are not affected. | 2025-06-26 | not yet calculated | CVE-2014-7210 |
| dgtlmoon--changedetection.io | changedetection.io is a free open source web page change detection, website watcher, restock monitor and notification service. Prior to version 0.50.4, errors in filters from website page change detection watches were not being filtered resulting in a cross-site scripting (XSS) vulnerability. This issue has been patched in version 0.50.4 | 2025-06-23 | not yet calculated | CVE-2025-52558 |
| discourse--discourse | Discourse is an open-source discussion platform. The visibility of posts typed `whisper` is controlled via the `whispers_allowed_groups` site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed `whisper`. However, it has been discovered that users of versions prior to 3.4.6 on the `stable` branch and prior to 3.5.0.beta8-dev on the `tests-passed` branch can continue to see their own whispers even after losing visibility of posts typed `whisper`. This issue is patched in versions 3.4.6 and 3.5.0.beta8-dev. No known workarounds are available. | 2025-06-25 | not yet calculated | CVE-2025-49845 |
| dragonflydb--dragonfly | Integer Overflow or Wraparound vulnerability in dragonflydb dragonfly (src/redis/lua/struct modules). This vulnerability is associated with program files lua_struct.C. This issue affects dragonfly: 1.30.1, 1.30.0, 1.28.18. | 2025-06-23 | not yet calculated | CVE-2025-52935 |
| Drupal--CKEditor5 Youtube | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal CKEditor5 Youtube allows Cross-Site Scripting (XSS).This issue affects CKEditor5 Youtube: from 0.0.0 before 1.0.3. | 2025-06-26 | not yet calculated | CVE-2025-6674 |
| Drupal--Enterprise MFA - TFA for Drupal | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Enterprise MFA - TFA for Drupal allows Authentication Bypass.This issue affects Enterprise MFA - TFA for Drupal: from 0.0.0 before 4.8.0, from 5.2.0 before 5.2.1, from 0.0.0 before 5.0.*, from 0.0.0 before 5.1.*. | 2025-06-26 | not yet calculated | CVE-2025-6675 |
| Drupal--GLightbox | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal GLightbox allows Cross-Site Scripting (XSS).This issue affects GLightbox: from 0.0.0 before 1.0.16. | 2025-06-26 | not yet calculated | CVE-2025-48922 |
| Drupal--Klaro Cookie & Consent Management | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Klaro Cookie & Consent Management allows Cross-Site Scripting (XSS).This issue affects Klaro Cookie & Consent Management: from 0.0.0 before 3.0.7. | 2025-06-26 | not yet calculated | CVE-2025-5682 |
| Drupal--Open Social | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Open Social allows Cross Site Request Forgery.This issue affects Open Social: from 0.0.0 before 12.3.14, from 12.4.0 before 12.4.13. | 2025-06-26 | not yet calculated | CVE-2025-48921 |
| Drupal--Paragraphs table | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Paragraphs table allows Cross-Site Scripting (XSS).This issue affects Paragraphs table: from 2.0.0 before 2.0.5. | 2025-06-26 | not yet calculated | CVE-2025-6677 |
| Drupal--Simple XML sitemap | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Simple XML sitemap allows Cross-Site Scripting (XSS).This issue affects Simple XML sitemap: from 0.0.0 before 4.2.2. | 2025-06-26 | not yet calculated | CVE-2025-6676 |
| Drupal--Toc.js | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Toc.Js allows Cross-Site Scripting (XSS).This issue affects Toc.Js: from 0.0.0 before 3.2.1. | 2025-06-26 | not yet calculated | CVE-2025-48923 |
| Eclipse Foundation--Eclipse Open VSX | On open-vsx.org https://open-vsx.org/ it was possible to run an arbitrary build scripts for auto-published extensions because of missing sandboxing of CI job runs. An attacker who had access to an existing extension could take over the service account of the marketplace. The issue has been fixed on June 24th, 2025 and the vulnerable code present in the publish-extension code repository. | 2025-06-27 | not yet calculated | CVE-2025-6705 |
| ELECOM CO.,LTD.--WRC-1167GHBK2-S | WRC-1167GHBK2-S contains a stored cross-site scripting vulnerability in WebGUI. If exploited, an arbitrary script may be executed on the web browser of the user who accessed WebGUI of the product. | 2025-06-24 | not yet calculated | CVE-2025-43877 |
| ELECOM CO.,LTD.--WRC-2533GST2 | Unrestricted upload of file with dangerous type issue exists in WRC-2533GST2 and WRC-1167GST2. If a specially crafted file is uploaded by a remote authenticated attacker, arbitrary code may be executed on the product. | 2025-06-24 | not yet calculated | CVE-2025-36519 |
| ELECOM CO.,LTD.--WRC-X3000GS | WRC-X3000GS, WRC-X3000GSA, and WRC-X3000GSN contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Connection Diagnostics page. If a remote authenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed. | 2025-06-24 | not yet calculated | CVE-2025-41427 |
| ELECOM CO.,LTD.--WRH-733GBK | WRH-733GBK and WRH-733GWH contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in the telnet function. If a remote unauthenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed. | 2025-06-24 | not yet calculated | CVE-2025-43879 |
| ELECOM CO.,LTD.--WRH-733GBK | WRH-733GBK and WRH-733GWH contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in miniigd SOAP service. If a remote unauthenticated attacker sends a specially crafted request to the affected product, an arbitrary OS command may be executed. | 2025-06-24 | not yet calculated | CVE-2025-48890 |
| EnGenius--EnShare IoT Gigabit Cloud Service | An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. | 2025-06-24 | not yet calculated | CVE-2025-34035 |
| ESP32Async--ESPAsyncWebServer | ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within `AsyncWebHeader.cpp`. Unsanitized input allows attackers to inject CR (`\r`) or LF (`\n`) characters into header names or values, leading to arbitrary header or response manipulation. Manipulation of HTTP headers and responses can enable a wide range of attacks, making the severity of this vulnerability high. A fix is available at pull request 211 and is expected to be part of version 3.7.9. | 2025-06-27 | not yet calculated | CVE-2025-53094 |
| espressif--arduino-esp32 | arduino-esp32 provides an Arduino core for the ESP32. Versions prior to 3.3.0-RC1 and 3.2.1 contain a HTTP Response Splitting vulnerability. The `sendHeader` function takes arbitrary input for the HTTP header name and value, concatenates them into an HTTP header line, and appends this to the outgoing HTTP response headers. There is no validation or sanitization of the `name` or `value` parameters before they are included in the HTTP response. If an attacker can control the input to `sendHeader` (either directly or indirectly), they could inject carriage return (`\r`) or line feed (`\n`) characters into either the header name or value. This could allow the attacker to inject additional headers, manipulate the structure of the HTTP response, potentially inject an entire new HTTP response (HTTP Response Splitting), and/or ause header confusion or other HTTP protocol attacks. Versions 3.3.0-RC1 and 3.2.1 contain a fix for the issue. | 2025-06-26 | not yet calculated | CVE-2025-53007 |
| espressif--esp-idf | ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. An integer underflow vulnerability has been identified in the ESP-NOW protocol implementation within the ESP Wi-Fi component of versions 5.4.1, 5.3.3, 5.2.5, and 5.1.6 of the ESP-IDF framework. This issue stems from insufficient validation of user-supplied data length in the packet receive function. Under certain conditions, this may lead to out-of-bounds memory access and may allow arbitrary memory write operations. On systems without a memory protection scheme, this behavior could potentially be used to achieve remote code execution (RCE) on the target device. In versions 5.4.2, 5.3.4, 5.2.6, and 5.1.6, ESP-NOW has added more comprehensive validation logic on user-supplied data length during packet reception to prevent integer underflow caused by negative value calculations. For ESP-IDF v5.3 and earlier, a workaround can be applied by validating that the `data_len` parameter received in the RX callback (registered via `esp_now_register_recv_cb()`) is a positive value before further processing. For ESP-IDF v5.4 and later, no application-level workaround is available. Users are advised to upgrade to a patched version of ESP-IDF to take advantage of the built-in mitigation. | 2025-06-24 | not yet calculated | CVE-2025-52471 |
| FasterXML--jackson-core | jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources. | 2025-06-25 | not yet calculated | CVE-2025-52999 |
| fusionforge--fusionforge | Vulnerability in fusionforge in the shipped Apache configuration, where the web server may execute scripts that the users would have uploaded in their raw SCM repositories (SVN, Git, Bzr...). This issue affects fusionforge: before 5.3+20140506. | 2025-06-26 | not yet calculated | CVE-2014-0468 |
| git-annex--git-annex | git-annex had a bug in the S3 and Glacier remotes where if embedcreds=yes was set, and the remote used encryption=pubkey or encryption=hybrid, the embedded AWS credentials were stored in the git repository in (effectively) plaintext, not encrypted as they were supposed to be. This issue affects git-annex: from 3.20121126 before 5.20140919. | 2025-06-26 | not yet calculated | CVE-2014-6274 |
| goauthentik--authentik | authentik is an open-source identity provider. After authorizing access to a RAC endpoint, authentik creates a token which is used for a single connection and is sent to the client in the URL. This token is intended to only be valid for the session of the user who authorized the connection, however this check is missing in versions prior to 2025.6.3 and 2025.4.3. When, for example, using RAC during a screenshare, a malicious user could access the same session by copying the URL from the shown browser. authentik 2025.4.3 and 2025.6.3 fix this issue. As a workaround, it is recommended to decrease the duration a token is valid for (in the RAC Provider settings, set Connection expiry to `minutes=5` for example). The maintainers of authentik also recommend enabling the option Delete authorization on disconnect. | 2025-06-27 | not yet calculated | CVE-2025-52553 |
| Google--Chrome | Use after free in Animation in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) | 2025-06-24 | not yet calculated | CVE-2025-6555 |
| Google--Chrome | Insufficient policy enforcement in Loader in Google Chrome prior to 138.0.7204.49 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) | 2025-06-24 | not yet calculated | CVE-2025-6556 |
| Google--Chrome | Insufficient data validation in DevTools in Google Chrome on Windows prior to 138.0.7204.49 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low) | 2025-06-24 | not yet calculated | CVE-2025-6557 |
| GROWI, Inc.--GROWI | Inefficient regular expression complexity issue exists in GROWI prior to v7.1.6. If exploited, a logged-in user may cause a denial of service (DoS) condition. | 2025-06-25 | not yet calculated | CVE-2025-43880 |
| Hikvision--DS-2CD1321-I | An issue in Hikvision DS-2CD1321-I V5.7.21 build 230819 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the endpoint /ISAPI/Security/challenge. | 2025-06-27 | not yet calculated | CVE-2025-45851 |
| Imagination Technologies--Graphics DDK | Software installed and running inside a Guest VM may override Firmware's state and gain access to the GPU. | 2025-06-27 | not yet calculated | CVE-2025-46707 |
| Imagination Technologies--Graphics DDK | Software installed and running inside a Guest VM may conduct improper GPU system calls to prevent other Guests from running work on the GPU. | 2025-06-27 | not yet calculated | CVE-2025-46708 |
| IROAD--IROAD Dashcam FX2 | An issue was discovered on IROAD Dashcam FX2 devices. An unauthenticated file upload endpoint can be leveraged to execute arbitrary commands by uploading a CGI-based webshell. Once a file is uploaded, the attacker can execute commands with root privileges, gaining full control over the dashcam. Additionally, by uploading a netcat (nc) binary, the attacker can establish a reverse shell, maintaining persistent remote and privileged access to the device. This allows complete device takeover. | 2025-06-26 | not yet calculated | CVE-2025-30131 |
| iroha Soft Co., Ltd.--iroha Board | Direct request ('Forced Browsing') issue exists in iroha Board versions v0.10.12 and earlier. If this vulnerability is exploited, non-public contents may be viewed by an attacker who can log in to the affected product. | 2025-06-26 | not yet calculated | CVE-2025-41404 |
| iroha Soft Co., Ltd.--iroha Board | Cross-site request forgery vulnerability exists in iroha Board versions v0.10.12 and earlier. If a user accesses a specially crafted URL while being logged in to the affected product, arbitrary learning histories may be registered. | 2025-06-26 | not yet calculated | CVE-2025-48497 |
| JuliaComputing--HTMLSanitizer.jl | HTMLSanitizer.jl is a Whitelist-based HTML sanitizer. Prior to version 0.2.1, when adding the style tag to the whitelist, content inside the tag is incorrectly unescaped, and closing tags injected as content are interpreted as real HTML, enabling tag injection and JavaScript execution. This could result in possible cross-site scripting (XSS) in any HTML that is sanitized with this library. This issue has been patched in version 0.2.1. A workaround involves adding the math and svg elements to the whitelist manually. | 2025-06-23 | not yet calculated | CVE-2025-52561 |
| JuliaRegistries--Registrator.jl | Registrator is a GitHub app that automates creation of registration pull requests for julia packages to the General registry. Prior to version 1.9.5, if the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities), an argument injection is possible in the `gettreesha()` function. This can then lead to a potential remote code execution. Users should upgrade immediately to v1.9.5 to receive a patch. All prior versions are vulnerable. No known workarounds are available. | 2025-06-25 | not yet calculated | CVE-2025-52480 |
| JuliaRegistries--Registrator.jl | Registrator is a GitHub app that automates creation of registration pull requests for julia packages to the General registry. Prior to version 1.9.5, if the clone URL returned by GitHub is malicious (or can be injected using upstream vulnerabilities) a shell script injection can occur within the `withpasswd` function. Alternatively, an argument injection is possible in the `gettreesha `function. either of these can then lead to a potential RCE. Users should upgrade immediately to v1.9.5 to receive a fix. All prior versions are vulnerable. No known workarounds are available. | 2025-06-25 | not yet calculated | CVE-2025-52483 |
| JuliaWeb--GitForge.jl | GitForge.jl is a unified interface for interacting with Git "forges." Versions prior to 0.4.3 lack input validation for user provided values in certain functions. In the `GitForge.get_repo` function for GitHub, the user can provide any string for the owner and repo fields. These inputs are not validated or safely encoded and are sent directly to the server. This means a user can add path traversal patterns like `../` in the input to access any other endpoints on api.github.com that were not intended. Version 0.4.3 contains a patch for the issue. No known workarounds are available. | 2025-06-25 | not yet calculated | CVE-2025-50178 |
| JuliaWeb--GitHub.jl | GitForge.jl is a unified interface for interacting with Git "forges." Versions prior to 5.9.1 lack input validation of input validation for user-provided values in certain functions. In the `GitHub.repo()` function, the user can provide any string for the `repo_name` field. These inputs are not validated or safely encoded and are sent directly to the server. This means a user can add path traversal patterns like `../` in the input to access any other endpoints on `api.github.com` that were not intended. Users should upgrade immediately to v5.9.1 or later to receive a patch. All prior versions are vulnerable. No known workarounds are available. | 2025-06-25 | not yet calculated | CVE-2025-52569 |
| JuliaWeb--HTTP.jl | HTTP.jl provides HTTP client and server functionality for Julia, and URIs.jl parses and works with Uniform Resource Identifiers (URIs). URIs.jl prior to version 1.6.0 and HTTP.jl prior to version 1.10.17 allows the construction of URIs containing CR/LF characters. If user input was not otherwise escaped or protected, this can lead to a CRLF injection attack. Users of HTTP.jl should upgrade immediately to HTTP.jl v1.10.17, and users of URIs.jl should upgrade immediately to URIs.jl v1.6.0. The check for valid URIs is now in the URI.jl package, and the latest version of HTTP.jl incorporates that fix. As a workaround, manually validate any URIs before passing them on to functions in this package. | 2025-06-25 | not yet calculated | CVE-2025-52479 |
| Kaleris--Navis N4 | Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server. | 2025-06-24 | not yet calculated | CVE-2025-2566 |
| Kaleris--Navis N4 | Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely using zlib-compressed data over HTTP. An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials. | 2025-06-24 | not yet calculated | CVE-2025-5087 |
| LabRedesCefetRJ--WeGIA | WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Time-Based Blind SQL Injection vulnerability was discovered in version 3.3.3 the almox parameter of the `/controle/getProdutosPorAlmox.php` endpoint. This issue allows any unauthenticated attacker to inject arbitrary SQL queries, potentially leading to unauthorized data access or further exploitation depending on database configuration. Version 3.4.0 fixes the issue. | 2025-06-27 | not yet calculated | CVE-2025-53091 |
| langchain-ai--langchain-ai/langchain | A Server-Side Request Forgery (SSRF) vulnerability exists in the RequestsToolkit component of the langchain-community package (specifically, langchain_community.agent_toolkits.openapi.toolkit.RequestsToolkit) in langchain-ai/langchain version 0.0.27. This vulnerability occurs because the toolkit does not enforce restrictions on requests to remote internet addresses, allowing it to also access local addresses. As a result, an attacker could exploit this flaw to perform port scans, access local services, retrieve instance metadata from cloud environments (e.g., Azure, AWS), and interact with servers on the local network. This issue has been fixed in version 0.0.28. | 2025-06-23 | not yet calculated | CVE-2025-2828 |
| Linksys--E4200 | An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on port 8080. The CGI scripts improperly process user-supplied input passed to the ttcp_ip parameter without sanitization, allowing unauthenticated attackers to inject shell commands. This vulnerability is exploited in the wild by the "TheMoon" worm to deploy a MIPS ELF payload, enabling arbitrary code execution on the router. This vulnerability may affect other Linksys products to include, but not limited to, WAG/WAP/WES/WET/WRT-series router models and Wireless-N access points and routers. | 2025-06-24 | not yet calculated | CVE-2025-34037 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: unshare page tables during VMA split, not before Currently, __split_vma() triggers hugetlb page table unsharing through vm_ops->may_split(). This happens before the VMA lock and rmap locks are taken - which is too early, it allows racing VMA-locked page faults in our process and racing rmap walks from other processes to cause page tables to be shared again before we actually perform the split. Fix it by explicitly calling into the hugetlb unshare logic from __split_vma() in the same place where THP splitting also happens. At that point, both the VMA and the rmap(s) are write-locked. An annoying detail is that we can now call into the helper hugetlb_unshare_pmds() from two different locking contexts: 1. from hugetlb_split(), holding: - mmap lock (exclusively) - VMA lock - file rmap lock (exclusively) 2. hugetlb_unshare_all_pmds(), which I think is designed to be able to call us with only the mmap lock held (in shared mode), but currently only runs while holding mmap lock (exclusively) and VMA lock Backporting note: This commit fixes a racy protection that was introduced in commit b30c14cd6102 ("hugetlb: unshare some PMDs when splitting VMAs"); that commit claimed to fix an issue introduced in 5.13, but it should actually also go all the way back. [jannh@google.com: v2] | 2025-06-28 | not yet calculated | CVE-2025-38084 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed. If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process. While I don't see any way in which that immediately leads to kernel memory corruption, it is really weird and unexpected. Fix it with an explicit broadcast IPI through tlb_remove_table_sync_one(), just like we do in khugepaged when removing page tables for a THP collapse. | 2025-06-28 | not yet calculated | CVE-2025-38085 |
| Linux--Linux | In the Linux kernel, the following vulnerability has been resolved: net: ch9200: fix uninitialised access during mii_nway_restart In mii_nway_restart() the code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer called "buff", which is initialised with control_read(). However "buff" is conditionally initialised inside control_read(): if (err == size) { memcpy(data, buf, size); } If the condition of "err == size" is not met, then "buff" remains uninitialised. Once this happens the uninitialised "buff" is accessed and returned during ch9200_mdio_read(): return (buff[0] | buff[1] << 8); The problem stems from the fact that ch9200_mdio_read() ignores the return value of control_read(), leading to uinit-access of "buff". To fix this we should check the return value of control_read() and return early on error. | 2025-06-28 | not yet calculated | CVE-2025-38086 |
| Materialise--OrthoView | Meridian Technique Materialise OrthoView through 7.5.1 allows OS Command Injection when servlet sharing is enabled. | 2025-06-23 | not yet calculated | CVE-2025-23049 |
| matplotlib--matplotlib | Buffer overflow vulnerability in matplotlib.This issue affects matplotlib: before upstream commit ba4016014cb4fb4927e36ce8ea429fed47dcb787. | 2025-06-26 | not yet calculated | CVE-2013-1424 |
| mbuesch--letmein | Letmein is an authenticating port knocker. Prior to version 10.2.1, The connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services letmeind and letmeinfwd. Therefore, the command line option num-connections is not effective and does not limit the number of simultaneously incoming connections. This issue has been patched in version 10.2.1. | 2025-06-24 | not yet calculated | CVE-2025-52570 |
| Mikrotik--RouterOS | Mikrotik RouterOS VXLAN Source IP Improper Access Control Vulnerability. This vulnerability allows remote attackers to bypass access restrictions on affected installations of Mikrotik RouterOS. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of remote IP addresses when processing VXLAN traffic. The issue results from the lack of validation of the remote IP address against configured values prior to allowing ingress traffic into the internal network. An attacker can leverage this vulnerability to gain access to internal network resources. Was ZDI-CAN-26415. | 2025-06-25 | not yet calculated | CVE-2025-6443 |
| Mitel--MiContact Center Business | A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.2.0.3 could allow an unauthenticated attacker to conduct an information disclosure attack due to improper handling of session data. A successful exploit requires user interaction and could allow an attacker to access sensitive information, leading to unauthorized access to active chat rooms, reading chat data, and sending messages during an active chat session. | 2025-06-24 | not yet calculated | CVE-2025-27827 |
| Mitel--MiContact Center Business | A vulnerability in the legacy chat component of Mitel MiContact Center Business through 10.0.0.4, 10.1.0.0 through 10.1.0.5, and 10.2.0.0 through 10.2.0.4 could allow an unauthenticated attacker to conduct a reflected cross-site scripting (XSS) attack due to insufficient input validation. A successful exploit requires user interaction and could allow an attacker to execute arbitrary scripts with a limited impact on the confidentiality and the integrity. | 2025-06-24 | not yet calculated | CVE-2025-27828 |
| Mitel--OpenScape Accounting Management | Mitel OpenScape Accounting Management through V5 R1.1.0 could allow an authenticated attacker with administrative privileges to conduct a path traversal attack due to insufficient sanitization of user input. A successful exploit could allow an attacker to upload arbitrary files and execute unauthorized commands. | 2025-06-23 | not yet calculated | CVE-2025-23092 |
| Mitel--OpenScapeXpressions | A vulnerability in the WebApl component of Mitel OpenScape Xpressions through V7R1 FR5 HF43 P913 could allow an unauthenticated attacker to conduct a path traversal attack due to insufficient input validation. A successful exploit could allow an attacker to read files from the underlying OS and obtain sensitive information. | 2025-06-23 | not yet calculated | CVE-2025-48026 |
| Moodle--Jmol Plugin | A path traversal vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the query parameter in jsmol.php. The script directly passes user input to the file_get_contents() function without proper validation, allowing attackers to read arbitrary files from the server's filesystem by crafting a malicious query value. This vulnerability can be exploited without authentication and may expose sensitive configuration data, including database credentials. | 2025-06-24 | not yet calculated | CVE-2025-34031 |
| Moodle--Jmol Plugin | A reflected cross-site scripting (XSS) vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript in the victim's browser by crafting a malicious link. This can be used to hijack user sessions or manipulate page content. | 2025-06-24 | not yet calculated | CVE-2025-34032 |
| Mozilla--Firefox | A use-after-free in FontFaceSet resulted in a potentially exploitable crash. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, and Firefox ESR < 128.12. | 2025-06-24 | not yet calculated | CVE-2025-6424 |
| Mozilla--Firefox | An attacker who enumerated resources from the WebCompat extension could have obtained a persistent UUID that identified the browser, and persisted between containers and normal/private browsing mode, but not profiles. This vulnerability affects Firefox < 140, Firefox ESR < 115.25, and Firefox ESR < 128.12. | 2025-06-24 | not yet calculated | CVE-2025-6425 |
| Mozilla--Firefox | The executable file warning did not warn users before opening files with the `terminal` extension. *This bug only affects Firefox for macOS. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140 and Firefox ESR < 128.12. | 2025-06-24 | not yet calculated | CVE-2025-6426 |
| Mozilla--Firefox | An attacker was able to bypass the `connect-src` directive of a Content Security Policy by manipulating subdocuments. This would have also hidden the connections from the Network tab in Devtools. This vulnerability affects Firefox < 140. | 2025-06-24 | not yet calculated | CVE-2025-6427 |
| Mozilla--Firefox | When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140. | 2025-06-24 | not yet calculated | CVE-2025-6428 |
| Mozilla--Firefox | Firefox could have incorrectly parsed a URL and rewritten it to the youtube.com domain when parsing the URL specified in an `embed` tag. This could have bypassed website security checks that restricted which domains users were allowed to embed. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12. | 2025-06-24 | not yet calculated | CVE-2025-6429 |
| Mozilla--Firefox | When a file download is specified via the `Content-Disposition` header, that directive would be ignored if the file was included via a `<embed>` or `<object>` tag, potentially making a website vulnerable to a cross-site scripting attack. This vulnerability affects Firefox < 140 and Firefox ESR < 128.12. | 2025-06-24 | not yet calculated | CVE-2025-6430 |
| Mozilla--Firefox | When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so. An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.* This vulnerability affects Firefox < 140. | 2025-06-24 | not yet calculated | CVE-2025-6431 |
| Mozilla--Firefox | When Multi-Account Containers was enabled, DNS requests could have bypassed a SOCKS proxy when the domain name was invalid or the SOCKS proxy was not responding. This vulnerability affects Firefox < 140. | 2025-06-24 | not yet calculated | CVE-2025-6432 |
| Mozilla--Firefox | If a user visited a webpage with an invalid TLS certificate, and granted an exception, the webpage was able to provide a WebAuthn challenge that the user would be prompted to complete. This is in violation of the WebAuthN spec which requires "a secure transport established without errors". This vulnerability affects Firefox < 140. | 2025-06-24 | not yet calculated | CVE-2025-6433 |
| Mozilla--Firefox | The exception page for the HTTPS-Only feature, displayed when a website is opened via HTTP, lacked an anti-clickjacking delay, potentially allowing an attacker to trick a user into granting an exception and loading a webpage over HTTP. This vulnerability affects Firefox < 140. | 2025-06-24 | not yet calculated | CVE-2025-6434 |
| Mozilla--Firefox | If a user saved a response from the Network tab in Devtools using the Save As context menu option, that file may not have been saved with the `.download` file extension. This could have led to the user inadvertently running a malicious executable. This vulnerability affects Firefox < 140. | 2025-06-24 | not yet calculated | CVE-2025-6435 |
| Mozilla--Firefox | Memory safety bugs present in Firefox 139 and Thunderbird 139. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 140. | 2025-06-24 | not yet calculated | CVE-2025-6436 |
| Mozilla--neqo | Improper Input Validation vulnerability in Mozilla neqo leads to an unexploitable crash..This issue affects neqo: from 0.4.24 through 0.13.2. | 2025-06-26 | not yet calculated | CVE-2025-6703 |
| n/a-- MHSanaei 3x-ui | An issue in MHSanaei 3x-ui before v.2.5.3 and before allows a remote attacker to execute arbitrary code via the management script x-ui passes the no check certificate option to wget when downloading updates | 2025-06-26 | not yet calculated | CVE-2025-29331 |
| n/a--berkeley-abc | berkeley-abc abc 1.1 contains a Null Pointer Dereference (NPD) vulnerability in the Abc_NtkCecFraigPart function of its data processing module, leading to unpredictable program behavior, causing segmentation faults, and program crashes. | 2025-06-25 | not yet calculated | CVE-2025-45333 |
| n/a--c3CRM | A cross-site scripting (XSS) vulnerability in the component /Login.php of c3crm up to v3.0.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the login_error parameter. | 2025-06-25 | not yet calculated | CVE-2023-44915 |
| n/a--KnowledgeGPT | An issue in mmzdev KnowledgeGPT V.0.0.5 allows a remote attacker to execute arbitrary code via the Document Display Component. | 2025-06-24 | not yet calculated | CVE-2024-37743 |
| n/a--Netbox Community | Netbox Community v4.1.7 and fixed in v.4.2.2 is vulnerable to Cross Site Scripting (XSS) via the RSS feed widget. | 2025-06-26 | not yet calculated | CVE-2024-56915 |
| n/a--Netbox Community | In Netbox Community 4.1.7, once authenticated, Configuration History > Add`is vulnerable to cross-site scripting (XSS) due to the `current value` field rendering user supplied html. An authenticated attacker can leverage this to add malicious JavaScript to the any banner field. Once a victim edits a Configuration History version or attempts to Add a new version, the XSS payload will trigger. | 2025-06-24 | not yet calculated | CVE-2024-56916 |
| n/a--Netbox Community | Netbox Community 4.1.7 is vulnerable to Cross Site Scripting (XSS) via the maintenance banner` in maintenance mode. | 2025-06-24 | not yet calculated | CVE-2024-56917 |
| n/a--Netbox Community | In Netbox Community 4.1.7, the login page is vulnerable to cross-site scripting (XSS), which allows a privileged, authenticated attacker to exfiltrate user input from the login form. | 2025-06-24 | not yet calculated | CVE-2024-56918 |
| N/A--pbkdf2 | Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js. This issue affects pbkdf2: from 3.0.10 through 3.1.2. | 2025-06-23 | not yet calculated | CVE-2025-6545 |
| N/A--pbkdf2 | Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2. | 2025-06-23 | not yet calculated | CVE-2025-6547 |
| n/a--Student Record System | SQL Injection vulnerability in Student Record system Using PHP and MySQL v.3.20 allows a remote attacker to obtain sensitive information via a crafted payload to the $cshortname, $cfullname, and $cdate variables. | 2025-06-25 | not yet calculated | CVE-2024-27685 |
| n/a--vkoskiv c-ray | vkoskiv c-ray 1.1 contains a Null Pointer Dereference (NPD) vulnerability in the parse_mtllib function of its data processing module, leading to unpredictable program behavior, causing segmentation faults, and program crashes. | 2025-06-25 | not yet calculated | CVE-2025-45332 |
| NCR Corporation--NCR ITM Web Terminal | An issue in NCR ITM Web terminal v.4.4.0 and v.4.4.4 allows a remote attacker to execute arbitrary code via a crafted script to the IP camera URL component. | 2025-06-23 | not yet calculated | CVE-2023-48978 |
| NCR Corporation--Terminal Handler | An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via a crafted POST request to the UserService component | 2025-06-23 | not yet calculated | CVE-2023-47029 |
| NCR Corporation--Terminal Handler | An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via a GET request to a UserService SOAP API endpoint to validate if a user exists. | 2025-06-23 | not yet calculated | CVE-2023-47030 |
| NCR Corporation--Terminal Handler | An issue in NCR Terminal Handler v.1.5.1 allows a remote attacker to escalate privileges via a crafted POST request to the grantRolesToUsers, grantRolesToGroups, and grantRolesToOrganization SOAP API component. | 2025-06-23 | not yet calculated | CVE-2023-47031 |
| NCR Corporation--Terminal Handler | Password Vulnerability in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the UserService SOAP API function. | 2025-06-23 | not yet calculated | CVE-2023-47032 |
| NCR Corporation--Terminal Handler | An issue in NCR Terminal Handler v1.5.1 allows low-level privileged authenticated attackers to arbitrarily deactivate, lock, and delete user accounts via a crafted session cookie. | 2025-06-23 | not yet calculated | CVE-2023-47294 |
| NCR Corporation--Terminal Handler | A CSV injection vulnerability in NCR Terminal Handler v1.5.1 allows attackers to execute arbitrary commands via injecting a crafted payload into any text field that accepts strings. | 2025-06-23 | not yet calculated | CVE-2023-47295 |
| NCR Corporation--Terminal Handler | A settings manipulation vulnerability in NCR Terminal Handler v1.5.1 allows attackers to execute arbitrary commands, including editing system security auditing configurations. | 2025-06-23 | not yet calculated | CVE-2023-47297 |
| NCR Corporation--Terminal Handler | An issue in NCR Terminal Handler 1.5.1 allows a low-level privileged authenticated attacker to query the SOAP API endpoint to obtain information about all of the users of the application including their usernames, roles, security groups and account statuses. | 2025-06-23 | not yet calculated | CVE-2023-47298 |
| nekernel-org--nekernel | NeKernal is a free and open-source operating system stack. Prior to version 0.0.3, there are several memory safety issues that can lead to memory corruption, disk image corruption, denial of service, and potential code execution. These issues stem from unchecked memory operations, unsafe typecasting, and improper input validation. This issue has been patched in version 0.0.3. | 2025-06-24 | not yet calculated | CVE-2025-52568 |
| NetEase (Hangzhou) Network Co., Ltd--NeacSafe64 Driver | An issue in NetEase (Hangzhou) Network Co., Ltd NeacSafe64 Driver before v1.0.0.8 allows attackers to escalate privileges via sending crafted IOCTL commands to the NeacSafe64.sys component. | 2025-06-27 | not yet calculated | CVE-2025-45737 |
| NetScaler--ADC | Memory overflow vulnerability leading to unintended control flow and Denial of Service in NetScaler ADC and NetScaler Gateway when configured as Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server | 2025-06-25 | not yet calculated | CVE-2025-6543 |
| Northern.tech--Mender Server | Northern.tech Mender Server before 3.7.11 and 4.x before 4.0.1 has Incorrect Access Control. | 2025-06-26 | not yet calculated | CVE-2025-49603 |
| Open Solutions for Education, Inc.--openSIS | A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v8.0 via the "student_id" and "TRANSFER{SCHOOL]" parameters in POST request sent to /TransferredOutModal.php. | 2025-06-24 | not yet calculated | CVE-2021-41691 |
| openbao--openbao | OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of service. In OpenBao v2.2.0 and later, manually setting the configuration option `disable_unauthed_rekey_endpoints=true` allows an operator to deny these rarely-used endpoints on global listeners. A patch is available at commit fe75468822a22a88318c6079425357a02ae5b77b. In a future OpenBao release communicated on OpenBao's website, the maintainers will set this to `true` for all users and provide an authenticated alternative. As a workaround, if an active proxy or load balancer sits in front of OpenBao, an operator can deny requests to these endpoints from unauthorized IP ranges. | 2025-06-25 | not yet calculated | CVE-2025-52894 |
| OptiLink--ONT1GEW GPON | An OS command injection vulnerability exists in the OptiLink ONT1GEW GPON router firmware version V2.1.11_X101 Build 1127.190306 and earlier. The router's web management interface fails to properly sanitize user input in the target_addr parameter of the formTracert and formPing administrative endpoints. An authenticated attacker can inject arbitrary operating system commands, which are executed with root privileges, leading to remote code execution. Successful exploitation enables full compromise of the device. | 2025-06-26 | not yet calculated | CVE-2025-34049 |
| Pandora FMS--Pandora FMS | Improper Neutralization of Special Elements in the Netflow directory field may allow OS command injection. This issue affects Pandora FMS 774 through 778 | 2025-06-27 | not yet calculated | CVE-2025-5306 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor U3D File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26527. | 2025-06-25 | not yet calculated | CVE-2025-6640 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26528. | 2025-06-25 | not yet calculated | CVE-2025-6641 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26530. | 2025-06-25 | not yet calculated | CVE-2025-6642 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26532. | 2025-06-25 | not yet calculated | CVE-2025-6643 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor U3D File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26536. | 2025-06-25 | not yet calculated | CVE-2025-6644 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor U3D File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26642. | 2025-06-25 | not yet calculated | CVE-2025-6645 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor U3D File Parsing Use-After-Free Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26643. | 2025-06-25 | not yet calculated | CVE-2025-6646 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26644. | 2025-06-25 | not yet calculated | CVE-2025-6647 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26671. | 2025-06-25 | not yet calculated | CVE-2025-6648 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26709. | 2025-06-25 | not yet calculated | CVE-2025-6649 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor U3D File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of U3D files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26712. | 2025-06-25 | not yet calculated | CVE-2025-6650 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor JP2 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JP2 files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26713. | 2025-06-25 | not yet calculated | CVE-2025-6651 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRC files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26724. | 2025-06-25 | not yet calculated | CVE-2025-6652 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRC files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26726. | 2025-06-25 | not yet calculated | CVE-2025-6653 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRC files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26729. | 2025-06-25 | not yet calculated | CVE-2025-6654 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRC files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26730. | 2025-06-25 | not yet calculated | CVE-2025-6655 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRC files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26731. | 2025-06-25 | not yet calculated | CVE-2025-6656 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRC files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26732. | 2025-06-25 | not yet calculated | CVE-2025-6657 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRC files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26733. | 2025-06-25 | not yet calculated | CVE-2025-6658 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRC files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26734. | 2025-06-25 | not yet calculated | CVE-2025-6659 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor GIF File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of GIF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26763. | 2025-06-25 | not yet calculated | CVE-2025-6660 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor App Object Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of App objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26823. | 2025-06-25 | not yet calculated | CVE-2025-6661 |
| PDF-XChange--PDF-XChange Editor | PDF-XChange Editor PRC File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of PDF-XChange Editor. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PRC files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-26985. | 2025-06-25 | not yet calculated | CVE-2025-6662 |
| Perforce--Puppet Enterprise | A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0. | 2025-06-26 | not yet calculated | CVE-2025-5459 |
| PHPGurukul--Dairy Farm Shop Management System | A SQL injection vulnerability was discovered in the PHPGurukul Dairy Farm Shop Management System 1.3. The vulnerability allows remote attackers to execute arbitrary SQL code via the category and categorycode parameters in a POST request to the manage-categories.php file. | 2025-06-26 | not yet calculated | CVE-2025-51671 |
| PHPGurukul--Dairy Farm Shop Management System | A time-based blind SQL injection vulnerability was identified in the PHPGurukul Dairy Farm Shop Management System 1.3. The vulnerability exists in the manage-companies.php file and allows remote attackers to execute arbitrary SQL code via the companyname parameter in a POST request. | 2025-06-26 | not yet calculated | CVE-2025-51672 |
| PHPGurukul--Online DJ Booking Management System | PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Insecure Direct Object Reference (IDOR) in odms/request-details.php. | 2025-06-24 | not yet calculated | CVE-2025-50693 |
| PHPGurukul--Online DJ Booking Management System | PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Cross Site Scripting (XSS) in /admin/view-booking-detail.php and /admin/invoice-generating.php. | 2025-06-24 | not yet calculated | CVE-2025-50695 |
| PHPGurukul--Online DJ Booking Management System | PHPGurukul Online DJ Booking Management System 2.0 is vulnerable to Cross Site Scripting (XSS) in odms/admin/view-user-queries.php. | 2025-06-24 | not yet calculated | CVE-2025-50699 |
| PHPGurukul--Phpgurukul Medical Card Generation System | A stored blind XSS vulnerability exists in the Contact Page of the Phpgurukul Medical Card Generation System 1.0 mcgs/contact.php. The name field fails to properly sanitize user input, allowing an attacker to inject malicious JavaScript. | 2025-06-27 | not yet calculated | CVE-2025-50367 |
| PHPGurukul--Phpgurukul Medical Card Generation System | A Cross-Site Request Forgery (CSRF) vulnerability exists in the Manage Card functionality (/mcgs/admin/manage-card.php) of PHPGurukul Medical Card Generation System 1.0. The vulnerable endpoint allows an authorized admin to delete medical card records by sending a simple GET request without verifying the origin of the request. | 2025-06-27 | not yet calculated | CVE-2025-50369 |
| PHPGurukul--Phpgurukul Medical Card Generation System | A Cross-Site Request Forgery (CSRF) vulnerability exists in the Inquiry Management functionality /mcgs/admin/readenq.php of the Phpgurukul Medical Card Generation System 1.0. The vulnerable endpoint allows an authenticated admin to delete inquiry records via a simple GET request, without requiring a CSRF token or validating the origin of the request. | 2025-06-27 | not yet calculated | CVE-2025-50370 |
| PHPGurukul--PHPGurukul Pre-School Enrollment System Project | PHPGurukul Pre-School Enrollment System Project V1.0 is vulnerable to Directory Traversal in update-class-pic.php. | 2025-06-23 | not yet calculated | CVE-2025-50348 |
| PHPGurukul--PHPGurukul Pre-School Enrollment System Project | PHPGurukul Pre-School Enrollment System Project V1.0 is vulnerable to Directory Traversal in update-teacher-pic.php. | 2025-06-23 | not yet calculated | CVE-2025-50349 |
| PHPGurukul--PHPGurukul Pre-School Enrollment System Project | PHPGurukul Pre-School Enrollment System Project v1.0 is vulnerable to Directory Traversal in manage-classes.php. | 2025-06-26 | not yet calculated | CVE-2025-50350 |
| Pioneer--DMH-WT7600NEX | Pioneer DMH-WT7600NEX Software Update Signing Insufficient Verification of Data Authenticity Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of Pioneer DMH-WT7600NEX devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the software update verification process. The issue results from the lack of validating all the data in the software update. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-26079. | 2025-06-25 | not yet calculated | CVE-2025-5832 |
| Pioneer--DMH-WT7600NEX | Pioneer DMH-WT7600NEX Root Filesystem Insufficient Verification of Data Authenticity Vulnerability. This vulnerability allows physically present attackers to bypass authentication on affected installations of Pioneer DMH-WT7600NEX devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the operating system. The issue results from the lack of properly configured protection for the root file system. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26077. | 2025-06-25 | not yet calculated | CVE-2025-5833 |
| Pioneer--DMH-WT7600NEX | Pioneer DMH-WT7600NEX Missing Immutable Root of Trust in Hardware Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to bypass authentication on affected installations of Pioneer DMH-WT7600NEX devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the configuration of the application system-on-chip (SoC). The issue results from the lack of a properly configured hardware root of trust. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the boot process. Was ZDI-CAN-26078. | 2025-06-25 | not yet calculated | CVE-2025-5834 |
| PointCloudLibrary--pcl | Vulnerability in PointCloudLibrary PCL (surface/src/3rdparty/opennurbs modules). This vulnerability is associated with program files crc32.C. This vulnerability is only relevant if the PCL version is older than 1.14.0 or the user specifically requests to not use the system zlib (WITH_SYSTEM_ZLIB=FALSE). | 2025-06-23 | not yet calculated | CVE-2025-52937 |
| pycode-browser--pycode-browser | pycode-browser before version 1.0 is prone to a predictable temporary file vulnerability. | 2025-06-26 | not yet calculated | CVE-2015-0849 |
| Quest--KACE Systems Management Appliance | Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains an authentication bypass vulnerability that allows attackers to impersonate legitimate users without valid credentials. The vulnerability exists in the SSO authentication handling mechanism and can lead to complete administrative takeover. | 2025-06-24 | not yet calculated | CVE-2025-32975 |
| Quest--KACE Systems Management Appliance | Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) contains a logic flaw in its two-factor authentication implementation that allows authenticated users to bypass TOTP-based 2FA requirements. The vulnerability exists in the 2FA validation process and can be exploited to gain elevated access. | 2025-06-24 | not yet calculated | CVE-2025-32976 |
| Quest--KACE Systems Management Appliance | Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) allows unauthenticated users to upload backup files to the system. While signature validation is implemented, weaknesses in the validation process can be exploited to upload malicious backup content that could compromise system integrity. | 2025-06-24 | not yet calculated | CVE-2025-32977 |
| Quest--KACE Systems Management Appliance | Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x before 14.1.101 (Patch 4) allows unauthenticated users to replace system licenses through a web interface intended for license renewal. Attackers can exploit this to replace valid licenses with expired or trial licenses, causing denial of service. | 2025-06-24 | not yet calculated | CVE-2025-32978 |
| RaspAP--RaspAP WebGUI | RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite arbitrary files writable by the web server via abuse of the `tee` command used in shell execution. | 2025-06-27 | not yet calculated | CVE-2025-44163 |
| Realtek--RTL8762E | An issue in the Bluetooth Low Energy (BLE) stack of Realtek RTL8762E BLE SDK v1.4.0 allows attackers within Bluetooth range to cause a Denial of Service (DoS) via sending a specific sequence of crafted control packets. | 2025-06-27 | not yet calculated | CVE-2025-44559 |
| Realtek--RTL8762EKF-EVB | An issue in Realtek RTL8762EKF-EVB RTL8762E SDK v1.4.0 allows attackers to cause a Denial of Service (DoS) via sending a crafted before a pairing public key is received during a Bluetooth connection attempt. | 2025-06-24 | not yet calculated | CVE-2025-44531 |
| risc0--risc0-ethereum | RISC Zero is a zero-knowledge verifiable general computing platform, with Ethereum integration. The risc0-ethereum repository contains Solidity verifier contracts, Steel EVM view call library, and supporting code. Prior to versions 2.1.1 and 2.2.0, the `Steel.validateCommitment` Solidity library function will return `true` for a crafted commitment with a digest value of zero. This violates the semantics of `validateCommitment`, as this does not commitment to a block that is in the current chain. Because the digest is zero, it does not correspond to any block and there exist no known openings. As a result, this commitment will never be produced by a correct zkVM guest using Steel and leveraging this bug to compromise the soundness of a program using Steel would require a separate bug or misuse of the Steel library, which is expected to be used to validate the root of state opening proofs. A fix has been released as part of `risc0-ethereum` 2.1.1 and 2.2.0. Users for the `Steel` Solidity library versions 2.1.0 or earlier should ensure they are using `Steel.validateCommitment` in tandem with zkVM proof verification of a Steel program, as shown in the ERC-20 counter example, and documentation. This is the correct usage of Steel, and users following this pattern are not at risk, and do not need to take action. Users not verifying a zkVM proof of a Steel program should update their application to do so, as this is incorrect usage of Steel. | 2025-06-24 | not yet calculated | CVE-2025-52884 |
| Ruby--WEBrick | Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific conditions. The specific flaw exists within the read_headers method. The issue results from the inconsistent parsing of terminators of HTTP headers. An attacker can leverage this vulnerability to smuggle arbitrary HTTP requests. Was ZDI-CAN-21876. | 2025-06-25 | not yet calculated | CVE-2025-6442 |
| Sangfor Technologies Co., Ltd.--Endpoint Detection and Response Platform | An OS command injection vulnerability exists in the Chinese versions of Sangfor Endpoint Detection and Response (EDR) management platform versions 3.2.16, 3.2.17, and 3.2.19. The vulnerability allows unauthenticated attackers to construct and send malicious HTTP requests to the EDR Manager interface, leading to arbitrary command execution with elevated privileges. This flaw only affects the Chinese-language EDR builds. | 2025-06-24 | not yet calculated | CVE-2025-34041 |
| Sensopart--VISOR Vision Sensors | An issue was discovered in Sensopart VISOR Vision Sensors before 2.10.0.2 allows local users to perform unspecified actions with elevated privileges. | 2025-06-23 | not yet calculated | CVE-2023-50450 |
| ServiceStack--ServiceStack | ServiceStack GetErrorResponse Improper Input Validation NTLM Relay Vulnerability. This vulnerability allows remote attackers to relay NTLM credentials on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of the GetErrorResponse method. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to relay NTLM credentials in the context of the current user. Was ZDI-CAN-25834. | 2025-06-25 | not yet calculated | CVE-2025-6444 |
| ServiceStack--ServiceStack | ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of the FindType method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-25837. | 2025-06-25 | not yet calculated | CVE-2025-6445 |
| Shanghai Fanwei Network Technology--e-cology | A SQL injection vulnerability exists in Fanwei e-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. | 2025-06-24 | not yet calculated | CVE-2025-34038 |
| Shanghai Fanwei Network Technology--E-Office | An unauthenticated file upload vulnerability exists in the Fanwei E-Office <= v9.4 web management interface. The vulnerability affects the /general/index/UploadFile.php endpoint, which improperly validates uploaded files when invoked with certain parameters (uploadType=eoffice_logo or uploadType=theme). An attacker can exploit this flaw by sending a crafted HTTP POST request to upload arbitrary files without requiring authentication. Successful exploitation could enable remote code execution on the affected server, leading to complete compromise of the web application and potentially the underlying system. | 2025-06-26 | not yet calculated | CVE-2025-34046 |
| Shenzhen Lingkong Technology--WIFISKY 7-layer flow control router | A remote command injection vulnerability exists in the confirm.php interface of the WIFISKY 7-layer Flow Control Router via a specially-crafted HTTP GET request to the t parameter. Insufficient input validation allows unauthenticated attackers to execute arbitrary OS commands. | 2025-06-26 | not yet calculated | CVE-2025-34044 |
| Shenzhen TVT--CCTV-DVR | An OS command injection vulnerability exists in white-labeled DVRs manufactured by TVT, affecting a custom HTTP service called "Cross Web Server" that listens on TCP ports 81 and 82. The web interface fails to sanitize input in the URI path passed to the language extraction functionality. When the server processes a request to /language/[lang]/index.html, it uses the [lang] input unsafely in a tar extraction command without proper escaping. This allows an unauthenticated remote attacker to inject shell commands and achieve arbitrary command execution as root. | 2025-06-24 | not yet calculated | CVE-2025-34036 |
| Shenzhen Yuanmengyun Technology Co., Ltd.--WeiPHP | A path traversal vulnerability exists in WeiPHP 5.0, an open source WeChat public account platform development framework by Shenzhen Yuanmengyun Technology Co., Ltd. The flaw occurs in the picUrl parameter of the /public/index.php/material/Material/_download_imgage endpoint, where insufficient input validation allows unauthenticated remote attackers to perform directory traversal via crafted POST requests. This enables arbitrary file read on the server, potentially exposing sensitive information such as configuration files and source code. | 2025-06-26 | not yet calculated | CVE-2025-34045 |
| Tenda--AC6 | A buffer overflow vulnerability exists in the fromNatStaticSetting function of Tenda AC6 <=V15.03.05.19 via the page parameter. | 2025-06-27 | not yet calculated | CVE-2025-50528 |
| Texas Instruments--LP-CC2652RB | An issue in Texas Instruments LP-CC2652RB SimpleLink CC13XX CC26XX SDK 7.41.00.17 allows attackers to cause a Denial of Service (DoS) via sending a crafted LL_Pause_Enc_Req packet during the authentication and connection phase, causing a Denial of Service (DoS). | 2025-06-23 | not yet calculated | CVE-2025-44528 |
| The OpenNMS Group--Horizon | Multiple stored XSS were found on different nodes with unsanitized parameters in OpenMNS Horizon 33.0.8 and versions earlier than 33.1.6 on multiple platforms that allow an attacker to store on database and then inject HTML and/or Javascript on the page. The solution is to upgrade to Horizon 33.1.6, 33.1.7 or Meridian 2024.2.6, 2024.2.7 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. OpenNMS thanks Fábio Tomé for reporting this issue. | 2025-06-26 | not yet calculated | CVE-2025-53121 |
| The OpenNMS Group--Horizon | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in OpenNMS Horizon and Meridian applications allows SQL Injection. Users should upgrade to Meridian 2024.2.6 or newer, or Horizon 33.16 or newer. Meridian and Horizon installation instructions state that they are intended for installation within an organization's private networks and should not be directly accessible from the Internet. | 2025-06-26 | not yet calculated | CVE-2025-53122 |
| TPODER--Net::IP::LPM | Net::IP::LPM version 1.10 for Perl does not properly consider leading zero characters in IP CIDR address strings, which could allow attackers to bypass access control that is based on IP addresses. Leading zeros are used to indicate octal numbers, which can confuse users who are intentionally using octal notation, as well as users who believe they are using decimal notation. | 2025-06-27 | not yet calculated | CVE-2025-40910 |
| Trellix--System Information Reporter | A path traversal vulnerability in System Information Reporter (SIR) 1.0.3 and prior allowed an authenticated high privileged user to issue malicious ePO post requests to System Information Reporter, leading to creation of files anywhere on the filesystem and possibly overwriting existing files and exposing sensitive information disclosure. | 2025-06-26 | not yet calculated | CVE-2025-3722 |
| Trellix--System Information Reporter | A path or symbolic link manipulation vulnerability in SIR 1.0.3 and prior versions allows an authenticated non-admin local user to overwrite system files with SIR backup files, which can potentially cause a system crash. This was achieved by adding a malicious entry to the registry under the Trellix SIR registry folder or via policy or with a junction symbolic link to files that the user would not normally have permission to acces | 2025-06-26 | not yet calculated | CVE-2025-3771 |
| Trellix--System Information Reporter | A sensitive information exposure vulnerability in System Information Reporter (SIR) 1.0.3 and prior allows an authenticated non-admin local user to extract sensitive information stored in a registry backup folder. | 2025-06-26 | not yet calculated | CVE-2025-3773 |
| Ubiquiti Inc--UCRM Client Signup Plugin | A Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerability in the UCRM Client Signup Plugin (v1.3.4 and earlier) could allow privilege escalation if an Administrator is tricked into visiting a crafted malicious page. The plugin is disabled by default. | 2025-06-29 | not yet calculated | CVE-2025-24289 |
| Ubiquiti Inc--UISP Application | Multiple Authenticated SQL Injection vulnerabilities found in UISP Application (Version 2.4.206 and earlier) could allow a malicious actor with low privileges to escalate privileges. | 2025-06-29 | not yet calculated | CVE-2025-24290 |
| Ubiquiti Inc--UniFi Network Application | A misconfigured query in UniFi Network (v9.1.120 and earlier) could allow users to authenticate to Enterprise WiFi or VPN Server (l2tp and OpenVPN) using a device's MAC address from 802.1X or MAC Authentication, if both services are enabled and share the same RADIUS profile. | 2025-06-29 | not yet calculated | CVE-2025-24292 |
| Unknown--BuddyPress Docs | The BuddyPress Docs WordPress plugin before 2.2.5 lacks proper access controls and allows a logged in user to view and download files belonging to another user | 2025-06-27 | not yet calculated | CVE-2025-5526 |
| Unknown--Firelight Lightbox | The Firelight Lightbox WordPress plugin before 2.3.16 does not sanitise and escape title attributes before outputting them in the page, which could allow users with a role as low as contributors to perform stored Cross-Site Scripting attacks. | 2025-06-27 | not yet calculated | CVE-2025-5035 |
| Unknown--Responsive Lightbox & Gallery | The Responsive Lightbox & Gallery WordPress plugin before 2.5.2 use the Swipebox library which does not validate and escape title attributes before outputting them back in a page/post where used, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2025-06-27 | not yet calculated | CVE-2025-5093 |
| Unknown--WP Map Block | The WP Map Block WordPress plugin before 2.0.3 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 2025-06-27 | not yet calculated | CVE-2025-5194 |
| Unknown--ZoomSounds | The ZoomSounds plugin before 6.05 contains a PHP file allowing unauthenticated users to upload an arbitrary file anywhere on the web server. | 2025-06-25 | not yet calculated | CVE-2021-4457 |
| Vacron--Network Video Recorder (NVR) | A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in the board.cgi script. The vulnerability allows unauthenticated attackers to pass arbitrary commands to the underlying operating system via crafted HTTP requests. These commands are executed with the privileges of the web server process, enabling remote code execution and potential full device compromise. | 2025-06-26 | not yet calculated | CVE-2025-34043 |
| Yonyou Co., Ltd.--UFIDA NC | A code injection vulnerability exists in Yonyou UFIDA NC v6.5 and prior due to the exposure of the BeanShell testing servlet (bsh.servlet.BshServlet) without proper access controls. The servlet allows unauthenticated remote attackers to execute arbitrary Java code via the bsh.script parameter. This can be exploited to run system commands and ultimately gain full control over the target server. The issue is rooted in a third-party JAR component bundled with the application, and the servlet is accessible without authentication on vulnerable installations. | 2025-06-24 | not yet calculated | CVE-2025-34039 |
| yrutschle--sslh | Improper Link Resolution Before File Access ('Link Following') vulnerability in yrutschle sslh.This issue affects sslh: before 2.2.2. | 2025-06-23 | not yet calculated | CVE-2025-52936 |
| yubiserver--yubiserver | yubiserver before 0.6 is prone to SQL injection issues, potentially leading to an authentication bypass. | 2025-06-26 | not yet calculated | CVE-2015-0842 |
| yubiserver--yubiserver | yubiserver before 0.6 is prone to buffer overflows due to misuse of sprintf. | 2025-06-26 | not yet calculated | CVE-2015-0843 |
| Zimbra--Zimbra Collaboration (ZCS) | An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0 and 10.0 and 10.1. A Cross-Site Scripting (XSS) vulnerability in the Zimbra Classic UI allows attackers to execute arbitrary JavaScript within the user's session, potentially leading to unauthorized access to sensitive information. This issue arises from insufficient sanitization of HTML content, specifically involving crafted tag structures and attribute values that include an @import directive and other script injection vectors. The vulnerability is triggered when a user views a crafted e-mail message in the Classic UI, requiring no additional user interaction. | 2025-06-23 | not yet calculated | CVE-2025-48700 |
請即與我們聯絡: fix@hk-computer-repair.com
有用連結:
