Patch Tuesday — July 2025
2025-07-08 · 1031 CVEs
CVEs published or modified the week of 2025-07-08, partitioned by vendor.
Microsoft (184 CVEs)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47981 | Critical | 9.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over a network. |
CVE-2025-49753 | High | 8.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-49740 | High | 8.8 | — | 2025-07-08 | Protection mechanism failure in Windows SmartScreen allows an unauthorized attacker to bypass a security feature over a network. |
CVE-2025-49739 | High | 8.8 | — | 2025-07-08 | Improper link resolution before file access ('link following') in Visual Studio allows an unauthorized attacker to elevate privileges over a network. |
CVE-2025-49729 | High | 8.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-49724 | High | 8.8 | — | 2025-07-08 | Use after free in Windows Connected Devices Platform Service allows an unauthorized attacker to execute code over a network. |
CVE-2025-49723 | High | 8.8 | — | 2025-07-08 | Missing authorization in Windows StateRepository API allows an authorized attacker to perform tampering locally. |
CVE-2025-49704 | High | 8.8 | KEV | 2025-07-08 | Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. |
CVE-2025-49701 | High | 8.8 | — | 2025-07-08 | Improper authorization in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. |
CVE-2025-49688 | High | 8.8 | — | 2025-07-08 | Double free in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-49687 | High | 8.8 | — | 2025-07-08 | Out-of-bounds read in Microsoft Input Method Editor (IME) allows an authorized attacker to elevate privileges locally. |
CVE-2025-49676 | High | 8.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-49674 | High | 8.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-49673 | High | 8.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-49672 | High | 8.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-49669 | High | 8.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-49668 | High | 8.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-49663 | High | 8.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-49657 | High | 8.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-48824 | High | 8.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-48817 | High | 8.8 | — | 2025-07-08 | Relative path traversal in Remote Desktop Client allows an unauthorized attacker to execute code over a network. |
CVE-2025-47998 | High | 8.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-47986 | High | 8.8 | — | 2025-07-08 | Use after free in Universal Print Management Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-48822 | High | 8.6 | — | 2025-07-08 | Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally. |
CVE-2025-49717 | High | 8.5 | — | 2025-07-08 | Heap-based buffer overflow in SQL Server allows an authorized attacker to execute code over a network. |
CVE-2025-49697 | High | 8.4 | — | 2025-07-08 | Heap-based buffer overflow in Microsoft Office allows an unauthorized attacker to execute code locally. |
CVE-2025-49696 | High | 8.4 | — | 2025-07-08 | Out-of-bounds read in Microsoft Office allows an unauthorized attacker to execute code locally. |
CVE-2025-49695 | High | 8.4 | — | 2025-07-08 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
CVE-2025-49735 | High | 8.1 | — | 2025-07-08 | Use after free in Windows KDC Proxy Service (KPSSVC) allows an unauthorized attacker to execute code over a network. |
CVE-2025-33054 | High | 8.1 | — | 2025-07-08 | Insufficient UI warning of dangerous operations in Remote Desktop Client allows an unauthorized attacker to perform spoofing over a network. |
CVE-2025-49691 | High | 8.0 | — | 2025-07-08 | Heap-based buffer overflow in Windows Media allows an unauthorized attacker to execute code over an adjacent network. |
CVE-2025-47972 | High | 8.0 | — | 2025-07-08 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Input Method Editor (IME) allows an authorized attacker to elevate privileges over a network. |
CVE-2025-47178 | High | 8.0 | — | 2025-07-08 | Improper neutralization of special elements used in an SQL command ('SQL injection') in Microsoft Configuration Manager allows an authorized attacker to execute code over an adjacent network. |
CVE-2025-52521 | High | 7.8 | — | 2025-07-10 | Trend Micro Security 17.8 (Consumer) is vulnerable to a link following local privilege escalation vulnerability that could allow a local attacker to unintentionally delete privileged Trend Micro files including its own. |
CVE-2025-47133 | High | 7.8 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47132 | High | 7.8 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47131 | High | 7.8 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47130 | High | 7.8 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47129 | High | 7.8 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47128 | High | 7.8 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47127 | High | 7.8 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47126 | High | 7.8 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47125 | High | 7.8 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47124 | High | 7.8 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47123 | High | 7.8 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47122 | High | 7.8 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47121 | High | 7.8 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47099 | High | 7.8 | — | 2025-07-08 | InCopy versions 20.3, 19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47098 | High | 7.8 | — | 2025-07-08 | InCopy versions 20.3, 19.5.3 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47097 | High | 7.8 | — | 2025-07-08 | InCopy versions 20.3, 19.5.3 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-49532 | High | 7.8 | — | 2025-07-08 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-49531 | High | 7.8 | — | 2025-07-08 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-49530 | High | 7.8 | — | 2025-07-08 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-49529 | High | 7.8 | — | 2025-07-08 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-49528 | High | 7.8 | — | 2025-07-08 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-49527 | High | 7.8 | — | 2025-07-08 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-49526 | High | 7.8 | — | 2025-07-08 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47136 | High | 7.8 | — | 2025-07-08 | InDesign Desktop versions 19.5.3 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47134 | High | 7.8 | — | 2025-07-08 | InDesign Desktop versions 19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-47103 | High | 7.8 | — | 2025-07-08 | InDesign Desktop versions 19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-43594 | High | 7.8 | — | 2025-07-08 | InDesign Desktop versions 19.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-43592 | High | 7.8 | — | 2025-07-08 | InDesign Desktop versions 19.5.3 and earlier are affected by an Access of Uninitialized Pointer vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-43591 | High | 7.8 | — | 2025-07-08 | InDesign Desktop versions 19.5.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-30312 | High | 7.8 | — | 2025-07-08 | Dimension versions 4.1.2 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-49742 | High | 7.8 | — | 2025-07-08 | Integer overflow or wraparound in Microsoft Graphics Component allows an authorized attacker to execute code locally. |
CVE-2025-49738 | High | 7.8 | — | 2025-07-08 | Improper link resolution before file access ('link following') in Microsoft PC Manager allows an authorized attacker to elevate privileges locally. |
CVE-2025-49733 | High | 7.8 | — | 2025-07-08 | Use after free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. |
CVE-2025-49732 | High | 7.8 | — | 2025-07-08 | Heap-based buffer overflow in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. |
CVE-2025-49730 | High | 7.8 | — | 2025-07-08 | Time-of-check time-of-use (TOCTOU) race condition in Microsoft Windows QoS scheduler allows an authorized attacker to elevate privileges locally. |
CVE-2025-49726 | High | 7.8 | — | 2025-07-08 | Use after free in Windows Notification allows an authorized attacker to elevate privileges locally. |
CVE-2025-49725 | High | 7.8 | — | 2025-07-08 | Use after free in Windows Notification allows an authorized attacker to elevate privileges locally. |
CVE-2025-49721 | High | 7.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Fast FAT Driver allows an unauthorized attacker to elevate privileges locally. |
CVE-2025-49714 | High | 7.8 | — | 2025-07-08 | Trust boundary violation in Visual Studio Code - Python extension allows an unauthorized attacker to execute code locally. |
CVE-2025-49711 | High | 7.8 | — | 2025-07-08 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. |
CVE-2025-49705 | High | 7.8 | — | 2025-07-08 | Heap-based buffer overflow in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. |
CVE-2025-49703 | High | 7.8 | — | 2025-07-08 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
CVE-2025-49702 | High | 7.8 | — | 2025-07-08 | Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. |
CVE-2025-49700 | High | 7.8 | — | 2025-07-08 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
CVE-2025-49698 | High | 7.8 | — | 2025-07-08 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. |
CVE-2025-49694 | High | 7.8 | — | 2025-07-08 | Null pointer dereference in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. |
CVE-2025-49693 | High | 7.8 | — | 2025-07-08 | Double free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. |
CVE-2025-49689 | High | 7.8 | — | 2025-07-08 | Integer overflow or wraparound in Virtual Hard Disk (VHDX) allows an unauthorized attacker to elevate privileges locally. |
CVE-2025-49686 | High | 7.8 | — | 2025-07-08 | Null pointer dereference in Windows TCP/IP allows an authorized attacker to elevate privileges locally. |
CVE-2025-49683 | High | 7.8 | — | 2025-07-08 | Integer overflow or wraparound in Virtual Hard Disk (VHDX) allows an unauthorized attacker to execute code locally. |
CVE-2025-49679 | High | 7.8 | — | 2025-07-08 | Numeric truncation error in Windows Shell allows an authorized attacker to elevate privileges locally. |
CVE-2025-49675 | High | 7.8 | — | 2025-07-08 | Use after free in Kernel Streaming WOW Thunk Service Driver allows an authorized attacker to elevate privileges locally. |
CVE-2025-49667 | High | 7.8 | — | 2025-07-08 | Double free in Windows Win32K - ICOMP allows an authorized attacker to elevate privileges locally. |
CVE-2025-49665 | High | 7.8 | — | 2025-07-08 | Concurrent execution using shared resource with improper synchronization ('race condition') in Workspace Broker allows an authorized attacker to elevate privileges locally. |
CVE-2025-49661 | High | 7.8 | — | 2025-07-08 | Untrusted pointer dereference in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. |
CVE-2025-49660 | High | 7.8 | — | 2025-07-08 | Use after free in Windows Event Tracing allows an authorized attacker to elevate privileges locally. |
CVE-2025-49659 | High | 7.8 | — | 2025-07-08 | Buffer over-read in Windows TDX.sys allows an authorized attacker to elevate privileges locally. |
CVE-2025-48820 | High | 7.8 | — | 2025-07-08 | Improper link resolution before file access ('link following') in Windows AppX Deployment Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-48816 | High | 7.8 | — | 2025-07-08 | Integer overflow or wraparound in HID class driver allows an authorized attacker to elevate privileges locally. |
CVE-2025-48815 | High | 7.8 | — | 2025-07-08 | Access of resource using incompatible type ('type confusion') in Windows SSDP Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-48806 | High | 7.8 | — | 2025-07-08 | Use after free in Microsoft MPEG-2 Video Extension allows an authorized attacker to execute code locally. |
CVE-2025-48805 | High | 7.8 | — | 2025-07-08 | Heap-based buffer overflow in Microsoft MPEG-2 Video Extension allows an authorized attacker to execute code locally. |
CVE-2025-48799 | High | 7.8 | — | 2025-07-08 | Improper link resolution before file access ('link following') in Windows Update Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-48000 | High | 7.8 | — | 2025-07-08 | Use after free in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-47996 | High | 7.8 | — | 2025-07-08 | Integer underflow (wrap or wraparound) in Windows MBT Transport driver allows an authorized attacker to elevate privileges locally. |
CVE-2025-47994 | High | 7.8 | — | 2025-07-08 | Deserialization of untrusted data in Microsoft Office allows an unauthorized attacker to elevate privileges locally. |
CVE-2025-47993 | High | 7.8 | — | 2025-07-08 | Improper access control in Microsoft PC Manager allows an authorized attacker to elevate privileges locally. |
CVE-2025-47991 | High | 7.8 | — | 2025-07-08 | Use after free in Microsoft Input Method Editor (IME) allows an authorized attacker to elevate privileges locally. |
CVE-2025-47987 | High | 7.8 | — | 2025-07-08 | Heap-based buffer overflow in Windows Cred SSProvider Protocol allows an authorized attacker to elevate privileges locally. |
CVE-2025-47985 | High | 7.8 | — | 2025-07-08 | Untrusted pointer dereference in Windows Event Tracing allows an authorized attacker to elevate privileges locally. |
CVE-2025-47982 | High | 7.8 | — | 2025-07-08 | Improper input validation in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. |
CVE-2025-47976 | High | 7.8 | — | 2025-07-08 | Use after free in Windows SSDP Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-47973 | High | 7.8 | — | 2025-07-08 | Buffer over-read in Virtual Hard Disk (VHDX) allows an unauthorized attacker to elevate privileges locally. |
CVE-2025-47971 | High | 7.8 | — | 2025-07-08 | Buffer over-read in Virtual Hard Disk (VHDX) allows an unauthorized attacker to elevate privileges locally. |
CVE-2025-47159 | High | 7.8 | — | 2025-07-08 | Protection mechanism failure in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. |
CVE-2025-53378 | High | 7.6 | — | 2025-07-10 | A missing authentication vulnerability in Trend Micro Worry-Free Business Security Services (WFBSS) agent could have allowed an unauthenticated attacker to remotely take control of the agent on affected installations. Also note: this vu… |
CVE-2024-43394 | High | 7.5 | — | 2025-07-10 | Server-Side Request Forgery (SSRF) in Apache HTTP Server on Windows allows to potentially leak NTLM hashes to a malicious server via mod_rewrite or apache expressions that pass unvalidated request input. |
CVE-2025-49719 | High | 7.5 | — | 2025-07-08 | Improper input validation in SQL Server allows an unauthorized attacker to disclose information over a network. |
CVE-2025-49718 | High | 7.5 | — | 2025-07-08 | Use of uninitialized resource in SQL Server allows an unauthorized attacker to disclose information over a network. |
CVE-2025-49716 | High | 7.5 | — | 2025-07-08 | Uncontrolled resource consumption in Windows Netlogon allows an unauthorized attacker to deny service over a network. |
CVE-2025-48814 | High | 7.5 | — | 2025-07-08 | Missing authentication for critical function in Windows Remote Desktop Licensing Service allows an unauthorized attacker to bypass a security feature over a network. |
CVE-2025-47988 | High | 7.5 | — | 2025-07-08 | Improper control of generation of code ('code injection') in Azure Monitor Agent allows an unauthorized attacker to execute code over an adjacent network. |
CVE-2025-47984 | High | 7.5 | — | 2025-07-08 | Protection mechanism failure in Windows GDI allows an unauthorized attacker to disclose information over a network. |
CVE-2025-49690 | High | 7.4 | — | 2025-07-08 | Concurrent execution using shared resource with improper synchronization ('race condition') in Capability Access Management Service (camsvc) allows an unauthorized attacker to elevate privileges locally. |
CVE-2025-49682 | High | 7.3 | — | 2025-07-08 | Use after free in Windows Media allows an authorized attacker to elevate privileges locally. |
CVE-2025-49680 | High | 7.3 | — | 2025-07-08 | Improper link resolution before file access ('link following') in Windows Performance Recorder allows an authorized attacker to deny service locally. |
CVE-2025-49666 | High | 7.2 | — | 2025-07-08 | Heap-based buffer overflow in Windows Kernel allows an authorized attacker to execute code over a network. |
CVE-2025-48821 | High | 7.1 | — | 2025-07-08 | Use after free in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges over an adjacent network. |
CVE-2025-48819 | High | 7.1 | — | 2025-07-08 | Sensitive data storage in improperly locked memory in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges over an adjacent network. |
CVE-2025-49744 | High | 7.0 | — | 2025-07-08 | Heap-based buffer overflow in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. |
CVE-2025-49737 | High | 7.0 | — | 2025-07-08 | Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Teams allows an authorized attacker to elevate privileges locally. |
CVE-2025-49727 | High | 7.0 | — | 2025-07-08 | Heap-based buffer overflow in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally. |
CVE-2025-49699 | High | 7.0 | — | 2025-07-08 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. |
CVE-2025-49685 | High | 7.0 | — | 2025-07-08 | Use after free in Microsoft Windows Search Component allows an authorized attacker to elevate privileges locally. |
CVE-2025-49678 | High | 7.0 | — | 2025-07-08 | Null pointer dereference in Windows NTFS allows an authorized attacker to elevate privileges locally. |
CVE-2025-49677 | High | 7.0 | — | 2025-07-08 | Use after free in Microsoft Brokering File System allows an authorized attacker to elevate privileges locally. |
CVE-2025-47975 | High | 7.0 | — | 2025-07-08 | Double free in Windows SSDP Service allows an authorized attacker to elevate privileges locally. |
CVE-2025-7326 | High | 7.0 | — | 2025-07-08 | Weak authentication in EOL ASP.NET Core allows an unauthorized attacker to elevate privileges over a network. |
CVE-2025-48818 | Medium | 6.8 | — | 2025-07-08 | Time-of-check time-of-use (TOCTOU) race condition in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. |
CVE-2025-48804 | Medium | 6.8 | — | 2025-07-08 | Acceptance of extraneous untrusted data with trusted data in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. |
CVE-2025-48800 | Medium | 6.8 | — | 2025-07-08 | Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. |
CVE-2025-48003 | Medium | 6.8 | — | 2025-07-08 | Protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. |
CVE-2025-48001 | Medium | 6.8 | — | 2025-07-08 | Time-of-check time-of-use (TOCTOU) race condition in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. |
CVE-2025-47999 | Medium | 6.8 | — | 2025-07-08 | Missing synchronization in Windows Hyper-V allows an authorized attacker to deny service over an adjacent network. |
CVE-2025-48811 | Medium | 6.7 | — | 2025-07-08 | Missing support for integrity check in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. |
CVE-2025-48803 | Medium | 6.7 | — | 2025-07-08 | Missing support for integrity check in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to elevate privileges locally. |
CVE-2025-49706 | Medium | 6.5 | KEV | 2025-07-08 | Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. |
CVE-2025-49681 | Medium | 6.5 | — | 2025-07-08 | Out-of-bounds read in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-49671 | Medium | 6.5 | — | 2025-07-08 | Exposure of sensitive information to an unauthorized actor in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to disclose information over a network. |
CVE-2025-49670 | Medium | 6.5 | — | 2025-07-08 | Heap-based buffer overflow in Windows Routing and Remote Access Service (RRAS) allows an unauthorized attacker to execute code over a network. |
CVE-2025-48802 | Medium | 6.5 | — | 2025-07-08 | Improper certificate validation in Windows SMB allows an authorized attacker to perform spoofing over a network. |
CVE-2025-47978 | Medium | 6.5 | — | 2025-07-08 | Out-of-bounds read in Windows Kerberos allows an authorized attacker to deny service over a network. |
CVE-2025-3630 | Medium | 6.4 | — | 2025-07-08 | IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4, IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 are vulnerable to stored cross-site scripting. |
CVE-2025-47963 | Medium | 6.3 | — | 2025-07-11 | No CWE assigned; a flaw in Microsoft Edge (Chromium-based) allows an unauthorized attacker to perform spoofing over a network. |
CVE-2025-47980 | Medium | 6.2 | — | 2025-07-08 | Exposure of sensitive information to an unauthorized actor in Windows Imaging Component allows an unauthorized attacker to disclose information locally. |
CVE-2023-43039 | Medium | 6.1 | — | 2025-07-08 | IBM OpenPages with Watson 9.0 is vulnerable to cross-site scripting. |
CVE-2025-21195 | Medium | 6.0 | — | 2025-07-08 | Improper link resolution before file access ('link following') in Service Fabric allows an authorized attacker to elevate privileges locally. |
CVE-2025-48823 | Medium | 5.9 | — | 2025-07-08 | Cryptographic issues in Windows Cryptographic Services allows an unauthorized attacker to disclose information over a network. |
CVE-2025-49722 | Medium | 5.7 | — | 2025-07-08 | Uncontrolled resource consumption in Windows Print Spooler Components allows an authorized attacker to deny service over an adjacent network. |
CVE-2025-48002 | Medium | 5.7 | — | 2025-07-08 | Integer overflow or wraparound in Windows Hyper-V allows an authorized attacker to disclose information over an adjacent network. |
CVE-2025-47182 | Medium | 5.6 | — | 2025-07-11 | Improper input validation in Microsoft Edge (Chromium-based) allows an authorized attacker to bypass a security feature locally. |
CVE-2025-47120 | Medium | 5.5 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-47119 | Medium | 5.5 | — | 2025-07-08 | Adobe Framemaker versions 2020.8, 2022.6 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. |
CVE-2025-49525 | Medium | 5.5 | — | 2025-07-08 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-49524 | Medium | 5.5 | — | 2025-07-08 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. |
CVE-2025-30313 | Medium | 5.5 | — | 2025-07-08 | Illustrator versions 28.7.6, 29.5.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-27165 | Medium | 5.5 | — | 2025-07-08 | Substance3D - Stager versions 3.1.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-47135 | Medium | 5.5 | — | 2025-07-08 | Dimension versions 4.1.2 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-49684 | Medium | 5.5 | — | 2025-07-08 | Buffer over-read in Storage Port Driver allows an authorized attacker to disclose information locally. |
CVE-2025-49664 | Medium | 5.5 | — | 2025-07-08 | Exposure of sensitive information to an unauthorized actor in Windows User-Mode Driver Framework Host allows an authorized attacker to disclose information locally. |
CVE-2025-49658 | Medium | 5.5 | — | 2025-07-08 | Out-of-bounds read in Windows TDX.sys allows an authorized attacker to disclose information locally. |
CVE-2025-48812 | Medium | 5.5 | — | 2025-07-08 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. |
CVE-2025-48810 | Medium | 5.5 | — | 2025-07-08 | Processor optimization removal or modification of security-critical code in Windows Secure Kernel Mode allows an authorized attacker to disclose information locally. |
CVE-2025-48809 | Medium | 5.5 | — | 2025-07-08 | Processor optimization removal or modification of security-critical code in Windows Kernel allows an authorized attacker to disclose information locally. |
CVE-2025-48808 | Medium | 5.5 | — | 2025-07-08 | Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. |
CVE-2025-47109 | Medium | 5.5 | — | 2025-07-08 | After Effects versions 25.2, 24.6.6 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. |
CVE-2025-43587 | Medium | 5.5 | — | 2025-07-08 | After Effects versions 25.2, 24.6.6 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-43580 | Medium | 5.5 | — | 2025-07-08 | Audition versions 25.2, 24.6.3 and earlier are affected by an Access of Memory Location After End of Buffer vulnerability that could result in application denial-of-service. |
CVE-2025-26636 | Medium | 5.5 | — | 2025-07-08 | Processor optimization removal or modification of security-critical code in Windows Kernel allows an authorized attacker to disclose information locally. |
CVE-2025-47964 | Medium | 5.4 | — | 2025-07-11 | Microsoft Edge (Chromium-based) Spoofing Vulnerability |
CVE-2025-2793 | Medium | 5.4 | — | 2025-07-08 | IBM Sterling B2B Integrator 6.0.0.0 through 6.1.2.6, 6.2.0.0 through 6.2.0.4, IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 is vulnerable to cross-site scripting. |
CVE-2025-27367 | Medium | 5.3 | — | 2025-07-08 | IBM OpenPages with Watson 8.3 and 9.0 is vulnerable to improper input validation due to bypassing of client-side validation for the data types and requiredness of fields for GRC Objects when an authenticated user sends a specially cr… |
CVE-2024-49784 | Medium | 5.3 | — | 2025-07-08 | IBM OpenPages with Watson 8.3 and 9.0 could provide weaker than expected security in storage of encrypted data with AES encryption and CBC mode. |
CVE-2024-49783 | Medium | 5.3 | — | 2025-07-08 | IBM OpenPages with Watson 8.3 and 9.0 could provide weaker than expected security in storage of encrypted data. |
CVE-2025-1112 | Medium | 4.3 | — | 2025-07-09 | IBM OpenPages with Watson 8.3 and 9.0 could allow an authenticated user to obtain sensitive information that should only be available to privileged users. |
CVE-2025-27369 | Medium | 4.3 | — | 2025-07-08 | IBM OpenPages with Watson 8.3 and 9.0 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points used for the administration of OpenPages. |
CVE-2025-2827 | Medium | 4.3 | — | 2025-07-08 | IBM Sterling File Gateway 6.0.0.0 through 6.1.2.6, and 6.2.0.0 through 6.2.0.4 could disclose sensitive installation directory information to an authenticated user that could be used in further attacks against the system. |
CVE-2025-49760 | Low | 3.5 | — | 2025-07-08 | External control of file name or path in Windows Storage allows an authorized attacker to perform spoofing over a network. |
CVE-2025-49756 | Low | 3.3 | — | 2025-07-08 | Use of a broken or risky cryptographic algorithm in Office Developer Platform allows an authorized attacker to bypass a security feature locally. |
CVE-2025-49731 | Low | 3.1 | — | 2025-07-08 | Improper handling of insufficient permissions or privileges in Microsoft Teams allows an authorized attacker to elevate privileges over a network. |
Other vendors (847 CVEs across 195 vendors)
Linux · 67 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-38341 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: eth: fbnic: avoid double free when failing to DMA-map FW msg The semantics are that caller of fbnic_mbx_map_msg() retains the ownership of the message on error. |
CVE-2025-38338 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() Sometimes, when a file was read while it was being truncated by another NFS client, the kernel could deadl… |
CVE-2025-38317 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix buffer overflow in debugfs If the user tries to write more than 32 bytes then it results in memory corruption. |
CVE-2025-38295 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create() The Amlogic DDR PMU driver meson_ddr_pmu_create() function incorrectly use… |
CVE-2025-38289 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk Smatch detected a potential use-after-free of an ndlp object in dev_loss_tmo_callbk during driver u… |
CVE-2025-38288 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels Correct kernel call trace when calling smp_processor_id() when called in preemptible kernels by… |
CVE-2025-38279 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: bpf: Do not include stack ptr register in precision backtracking bookkeeping Yi Lai reported an issue ([1]) where the following warning appears in kernel dmesg: [ 60… |
CVE-2025-38270 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: net: drv: netdevsim: don't napi_complete() from netpoll netdevsim supports netpoll. |
CVE-2025-38267 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Do not trigger WARN_ON() due to a commit_overrun When reading a memory mapped buffer the reader page is just swapped out with the last page written in the w… |
CVE-2025-38250 | High | 7.8 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_core: Fix use-after-free in vhci_flush() syzbot reported use-after-free in vhci_flush() without repro. |
CVE-2025-38248 | High | 7.8 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: bridge: mcast: Fix use-after-free during router port configuration The bridge maintains a global list of ports behind which a multicast router resides. |
CVE-2025-38340 | High | 7.1 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix OOB memory read access in KUnit test KASAN reported out of bounds access - cs_dsp_mock_bin_add_name_or_info(), because the source string length was… |
CVE-2025-38330 | High | 7.1 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix OOB memory read access in KUnit test (ctl cache) KASAN reported out of bounds access - cs_dsp_ctl_cache_init_multiple_offsets(). |
CVE-2025-38329 | High | 7.1 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: firmware: cs_dsp: Fix OOB memory read access in KUnit test (wmfw info) KASAN reported out of bounds access - cs_dsp_mock_wmfw_add_info(), because the source string lengt… |
CVE-2025-38292 | High | 7.1 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix invalid access to memory In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean is_continuation is part of rxcb. |
CVE-2025-38343 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: drop fragments with multicast or broadcast RA IEEE 802.11 fragmentation can only be applied to unicast frames. |
CVE-2025-38339 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: powerpc/bpf: fix JIT code size calculation of bpf trampoline arch_bpf_trampoline_size() provides JIT size of the BPF trampoline before the buffer for JIT'ing it is alloc… |
CVE-2025-38333 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to bail out in get_new_segment() ------------[ cut here ]------------ WARNING: CPU: 3 PID: 579 at fs/f2fs/segment.c:2832 new_curseg+0x5e8/0x6dc pc : new_curseg… |
CVE-2025-38327 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: fgraph: Do not enable function_graph tracer when setting funcgraph-args When setting the funcgraph-args option when function graph tracer is not enabled, it incorrectly… |
CVE-2025-38325 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: ksmbd: add free_transport ops in ksmbd connection free_transport function for tcp connection can be called from smbdirect. |
CVE-2025-38321 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: smb: Log an error when close_all_cached_dirs fails Under low-memory conditions, close_all_cached_dirs() can't move the dentries to a separate list to dput() them once th… |
CVE-2025-38318 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: perf: arm-ni: Fix missing platform_set_drvdata() Add missing platform_set_drvdata in arm_ni_probe(), otherwise calling platform_get_drvdata() in remove returns NULL. |
CVE-2025-38316 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: avoid NULL pointer dereference in mt7996_set_monitor() The function mt7996_set_monitor() dereferences phy before the NULL sanity check. |
CVE-2025-38315 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: Check dsbr size from EFI variable Since the size of struct btintel_dsbr is already known, we can just start there instead of querying the EFI variabl… |
CVE-2025-38314 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: virtio-pci: Fix result size returned for the admin command completion The result size returned by virtio_pci_admin_dev_parts_get() is 8 bytes larger than the actual resu… |
CVE-2025-38311 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: iavf: get rid of the crit lock Get rid of the crit lock. |
CVE-2025-38309 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: drm/xe/vm: move xe_svm_init() earlier In xe_vm_close_and_put() we need to be able to call xe_svm_fini(), however during vm creation we can call this on the error path, b… |
CVE-2025-38308 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Fix possible null-ptr-deref when initing hw Search result of avs_dai_find_path_template() shall be verified before being used. |
CVE-2025-38307 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Verify content returned by parse_int_array() The first element of the returned array stores its length. |
CVE-2025-38303 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix possible crashes on eir_create_adv_data eir_create_adv_data may attempt to add EIR_FLAGS and EIR_TX_POWER without checking if that would fit. |
CVE-2025-38302 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work Bios queued up in the zone write plug have already gone through all preparation in the submit_b… |
CVE-2025-38301 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: nvmem: zynqmp_nvmem: unbreak driver after cleanup Commit 29be47fcd6a0 ("nvmem: zynqmp_nvmem: zynqmp_nvmem_probe cleanup") changed the driver to expect the device pointer… |
CVE-2025-38299 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY() ETDM2_IN_BE and ETDM1_OUT_BE are defined as COMP_EMPTY(), in the case the codec dai_name will be null. |
CVE-2025-38297 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: PM: EM: Fix potential division-by-zero error in em_compute_costs() When the device is of a non-CPU type, table[i].performance won't be initialized in the previous em_ini… |
CVE-2025-38296 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: ACPI: platform_profile: Avoid initializing on non-ACPI platforms The platform profile driver is loaded even on platforms that do not have ACPI enabled. |
CVE-2025-38294 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix NULL access in assign channel context handler Currently, when ath12k_mac_assign_vif_to_vdev() fails, the radio handle (ar) gets accessed from the link… |
CVE-2025-38291 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash Currently, we encounter the following kernel call trace when a firmware crash occurs. |
CVE-2025-38290 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath12k_core_halt() only reinitializes the "arvifs" list head. |
CVE-2025-38287 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: IB/cm: Drop lockdep assert and WARN when freeing old msg The send completion handler can run after cm_id has advanced to another message. |
CVE-2025-38284 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: pci: configure manual DAC mode via PCI config API only To support 36-bit DMA, configure chip proprietary bit via PCI config API or chip DBI interface. |
CVE-2025-38283 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: bugfix live migration function without VF device driver If the VF device driver is not loaded in the Guest OS and we attempt to perform device data mi… |
CVE-2025-38281 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init devm_kasprintf() can return a NULL pointer on failure, but this returned value in mt7996_thermal_init() is not c… |
CVE-2025-38278 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback This patch addresses below issues, 1. |
CVE-2025-38276 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: fs/dax: Fix "don't skip locked entries when scanning entries" Commit 6be3e21d25ca ("fs/dax: don't skip locked entries when scanning entries") introduced a new function… |
CVE-2025-38274 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt() fpga_mgr_test_img_load_sgt() allocates memory for sgt using kunit_kzalloc() however it does not ch… |
CVE-2025-38272 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: net: dsa: b53: do not enable EEE on bcm63xx BCM63xx internal switches do not support EEE, but provide multiple RGMII ports where external PHYs may be connected. |
CVE-2025-38271 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: net: prevent a NULL deref in rtnl_create_link() At the time rtnl_create_link() is running, dev->netdev_ops is NULL, we must not use netdev_lock_ops() or risk a NULL dere… |
CVE-2025-38269 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: btrfs: exit after state insertion failure at btrfs_convert_extent_bit() If insert_state() state failed it returns an error pointer and we call extent_io_tree_panic() whi… |
CVE-2025-38268 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work A state check was previously added to tcpm_queue_vdm_unlocked to prevent a deadlock where the Display… |
CVE-2025-38266 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms Commit 3ef9f710efcb ("pinctrl: mediatek: Add EINT support for multiple addresses") introduced a… |
CVE-2025-38265 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: serial: jsm: fix NPE during jsm_uart_port_init No device was set which caused serial_base_ctrl_add to crash. |
CVE-2025-38264 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: sanitize request list handling Validate the request in nvme_tcp_handle_r2t() to ensure it's not part of any list, otherwise a malicious R2T PDU might inject a… |
CVE-2025-38261 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: riscv: save the SR_SUM status over switches When threads/tasks are switched we need to ensure the old execution's SR_SUM state is saved and the new thread has the old SR… |
CVE-2025-38258 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write memcg_path_store() assigns a newly allocated memory buffer to filter->memcg_path, without… |
CVE-2025-38256 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: fix folio unpinning syzbot complains about an unmapping failure: [ 108.070381][ T14] kernel BUG at mm/gup.c:71! |
CVE-2025-38255 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() While testing null_blk with configfs, echo 0 > poll_queues will trigger following panic: BUG: kern… |
CVE-2025-38254 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add sanity checks for drm_edid_raw() When EDID is retrieved via drm_edid_raw(), it doesn't guarantee to return proper EDID bytes the caller wants: it ma… |
CVE-2025-38253 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix crash in wacom_aes_battery_handler() Commit fd2a9b29dc9c ("HID: wacom: Remove AES power_supply after extended inactivity") introduced wacom_aes_battery_h… |
CVE-2025-38252 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: cxl/ras: Fix CPER handler device confusion By inspection, cxl_cper_handle_prot_err() is making a series of fragile assumptions that can lead to crashes: 1/ It assumes t… |
CVE-2025-38247 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: userns and mnt_idmap leak in open_tree_attr(2) Once want_mount_setattr() has returned a positive, it does require finish_mount_kattr() to release ->mnt_userns. |
CVE-2025-38246 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: bnxt: properly flush XDP redirect lists We encountered following crash when testing a XDP_REDIRECT feature in production: [56251.579676] list_add corruption. |
CVE-2025-38244 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential deadlock when reconnecting channels Fix cifs_signal_cifsd_for_reconnect() to take the correct lock order and prevent the following deadlock fr… |
CVE-2025-38243 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix invalid inode pointer dereferences during log replay In a few places where we call read_one_inode(), if we get a NULL pointer we end up jumping into an error… |
CVE-2025-38241 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: mm/shmem, swap: fix softlockup with mTHP swapin Following softlockup can be easily reproduced on my test machine with: echo always > /sys/kernel/mm/transparent_hugepage… |
CVE-2025-38238 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out When both the RHBA and RPA FDMI requests time out, fnic reuses a frame to send ABTS for each of them. |
CVE-2025-38306 | Medium | 4.7 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: fs/fhandle.c: fix a race in call of has_locked_children() may_decode_fh() is calling has_locked_children() while holding no locks. |
CVE-2025-38242 | Medium | 4.7 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: mm: userfaultfd: fix race of userfaultfd_move and swap cache This commit fixes two kinds of races, they may have different results: Barry reported a BUG_ON in commit c5… |
Debian · 45 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-38348 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() Robert Morris reported: |If a malicious USB device pretends to be an Intersil p54 wifi |interface and gen… |
CVE-2025-38346 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: ftrace: Fix UAF when lookup kallsym after ftrace disabled The following issue happens with a buggy module: BUG: unable to handle page fault for address: ffffffffc05d021… |
CVE-2025-38323 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: net: atm: add lec_mutex syzbot found its way in net/atm/lec.c, and found an error path in lecd_attach() could leave a dangling pointer in dev_lec[]. |
CVE-2025-38313 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: fix double-free on mc_dev The blamed commit tried to simplify how the deallocations are done but, in the process, introduced a double-free on the mc_dev var… |
CVE-2025-38298 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: EDAC/skx_common: Fix general protection fault After loading i10nm_edac (which automatically loads skx_edac_common), if unload only i10nm_edac, then reload it and perform… |
CVE-2025-38280 | High | 7.8 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: bpf: Avoid __bpf_prog_ret0_warn when jit fails syzkaller reported an issue: WARNING: CPU: 3 PID: 217 at kernel/bpf/core.c:2357 __bpf_prog_ret0_warn+0xa/0x20 kernel/bpf/… |
CVE-2025-38259 | High | 7.8 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd9335: Fix missing free of regulator supplies Driver gets and enables all regulator supplies in probe path (wcd9335_parse_dt() and wcd9335_power_on_reset… |
CVE-2025-38257 | High | 7.8 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable is determined by userspace via an i… |
CVE-2025-38245 | High | 7.8 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). |
CVE-2025-38239 | High | 7.8 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: scsi: megaraid_sas: Fix invalid node index On a system with DRAM interleave enabled, out-of-bound access is detected: megaraid_sas 0000:3f:00.0: requested/available msi… |
CVE-2025-38236 | High | 7.8 | — | 2025-07-08 | In the Linux kernel, the following vulnerability has been resolved: af_unix: Don't leave consecutive consumed OOB skbs. |
CVE-2025-38342 | High | 7.1 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: software node: Correct an OOB check in software_node_get_reference_args() software_node_get_reference_args() wants to get @index-th element, so the property value require… |
CVE-2025-38320 | High | 7.1 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() KASAN reports a stack-out-of-bounds read in regs_get_kernel_stack_nth(). |
CVE-2025-38286 | High | 7.1 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: pinctrl: at91: Fix possible out-of-boundary access at91_gpio_probe() doesn't check that given OF alias is not available or something went wrong when trying to get it. |
CVE-2025-38249 | High | 7.1 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() In snd_usb_get_audioformat_uac3(), the length value returned from snd_usb_ctl_msg() is used dir… |
CVE-2025-38347 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to do sanity check on ino and xnid syzbot reported a f2fs bug as below: INFO: task syz-executor140:5308 blocked for more than 143 seconds. |
CVE-2025-38345 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi operand cache leak in dswstate.c ACPICA commit 987a3b5cf7175916e2a4b6ea5b8e70f830dfe732 I found an ACPI cache leak in ACPI early termination and boot c… |
CVE-2025-38344 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: ACPICA: fix acpi parse and parseext cache leaks ACPICA commit 8829e70e1360c81e7a5a901b5d4f48330e021ea5 I'm Seunghun Han, and I work for National Security Research Insti… |
CVE-2025-38337 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() Since handle->h_transaction may be a NULL pointer, so we should change it to call is_handle_abort… |
CVE-2025-38336 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 The controller has a hardware bug that can hard hang the system when doing ATAPI DMAs without any trace of wh… |
CVE-2025-38335 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT When enabling PREEMPT_RT, the gpio_keys_irq_timer() callback runs in hard irq context, but the input_event()… |
CVE-2025-38334 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: x86/sgx: Prevent attempts to reclaim poisoned pages TL;DR: SGX page reclaim touches the page to copy its contents to secondary storage. |
CVE-2025-38332 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Use memcpy() for BIOS version The strlcat() with FORTIFY support is triggering a panic because it thinks the target buffer will overflow although the correct… |
CVE-2025-38331 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: net: ethernet: cortina: Use TOE/TSO on all TCP It is desirable to push the hardware accelerator to also process non-segmented TCP frames: we pass the skb->len to the "T… |
CVE-2025-38328 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: jffs2: check jffs2_prealloc_raw_node_refs() result in few other places Fuzzing hit another invalid pointer dereference due to the lack of checking whether jffs2_prealloc… |
CVE-2025-38326 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: aoe: clean device rq_list in aoedev_downdev() An aoe device's rq_list contains accepted block requests that are waiting to be transmitted to the aoe target. |
CVE-2025-38324 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). |
CVE-2025-38322 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Fix crash in icl_update_topdown_event() The perf_fuzzer found a hard-lockup crash on a RaptorLake machine: Oops: general protection fault, maybe for a… |
CVE-2025-38319 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table The function atomctrl_initialize_mc_reg_table() and atomctrl_initialize_mc_reg_tab… |
CVE-2025-38312 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() In fb_find_mode_cvt(), iff mode->refresh somehow happens to be 0x80000000, cvt.f_refresh will become 0 when m… |
CVE-2025-38310 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: seg6: Fix validation of nexthop addresses The kernel currently validates that the length of the provided nexthop address does not exceed the specified length. |
CVE-2025-38305 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() There is no disagreement that we should check both ptp->is_virtual_clock and ptp->n_vclocks to check if the… |
CVE-2025-38304 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix NULL pointer dereference on eir_get_service_data The len parameter is considered optional so it can be NULL so it cannot be used for skipping to next entry… |
CVE-2025-38300 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() Fix two DMA cleanup issues on the error path in sun8i_ce_cipher_prepare(): 1] If dma_map_sg()… |
CVE-2025-38293 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: fix node corruption in ar->arvifs list In current WLAN recovery code flow, ath11k_core_halt() only reinitializes the "arvifs" list head. |
CVE-2025-38285 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix WARN() in get_bpf_raw_tp_regs syzkaller reported an issue: WARNING: CPU: 3 PID: 5971 at kernel/trace/bpf_trace.c:1861 get_bpf_raw_tp_regs+0xa4/0x100 kernel/tra… |
CVE-2025-38282 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: kernfs: Relax constraint in draining guard The active reference lifecycle provides the break/unbreak mechanism but the active reference is not truly active after unbreak… |
CVE-2025-38277 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: mtd: nand: ecc-mxic: Fix use of uninitialized variable ret If ctx->steps is zero, the loop processing ECC steps is skipped, and the variable ret remains uninitialized. |
CVE-2025-38275 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qmp-usb: Fix a NULL vs IS_ERR() bug The qmp_usb_iomap() helper function currently returns the raw result of devm_ioremap() for non-exclusive mappings. |
CVE-2025-38273 | Medium | 5.5 | — | 2025-07-10 | In the Linux kernel, the following vulnerability has been resolved: net: tipc: fix refcount warning in tipc_aead_encrypt syzbot reported a refcount warning [1] caused by calling get_net() on a network namespace that is being destroyed (r… |
CVE-2025-38263 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: bcache: fix NULL pointer in cache_set_flush() 1. |
CVE-2025-38262 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: tty: serial: uartlite: register uart driver in init When two instances of uart devices are probing, a concurrency race can occur. |
CVE-2025-38260 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: btrfs: handle csum tree error with rescue=ibadroots correctly [BUG] There is syzbot based reproducer that can crash the kernel, with the following call trace: (With some… |
CVE-2025-38251 | Medium | 5.5 | — | 2025-07-09 | In the Linux kernel, the following vulnerability has been resolved: atm: clip: prevent NULL deref in clip_push() Blamed commit missed that vcc_destroy_socket() calls clip_push() with a NULL skb. |
CVE-2025-38237 | Medium | 5.5 | — | 2025-07-08 | In the Linux kernel, the following vulnerability has been resolved: media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() In fimc_is_hw_change_mode(), the function changes camera modes without waiting for hardwa… |
Jenkins · 31 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53652 | High | 8.2 | — | 2025-07-09 | Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values… |
CVE-2025-53650 | High | 7.3 | — | 2025-07-09 | Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log. |
CVE-2025-53742 | Medium | 6.5 | — | 2025-07-09 | Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins contr… |
CVE-2025-53678 | Medium | 6.5 | — | 2025-07-09 | Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. |
CVE-2025-53676 | Medium | 6.5 | — | 2025-07-09 | Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. |
CVE-2025-53675 | Medium | 6.5 | — | 2025-07-09 | Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file… |
CVE-2025-53673 | Medium | 6.5 | — | 2025-07-09 | Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller… |
CVE-2025-53672 | Medium | 6.5 | — | 2025-07-09 | Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. |
CVE-2025-53671 | Medium | 6.5 | — | 2025-07-09 | Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
CVE-2025-53670 | Medium | 6.5 | — | 2025-07-09 | Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission… |
CVE-2025-53668 | Medium | 6.5 | — | 2025-07-09 | Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file… |
CVE-2025-53666 | Medium | 6.5 | — | 2025-07-09 | Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller fi… |
CVE-2025-53664 | Medium | 6.5 | — | 2025-07-09 | Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to… |
CVE-2025-53663 | Medium | 6.5 | — | 2025-07-09 | Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the… |
CVE-2025-53662 | Medium | 6.5 | — | 2025-07-09 | Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkin… |
CVE-2025-53659 | Medium | 6.5 | — | 2025-07-09 | Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the J… |
CVE-2025-53656 | Medium | 6.5 | — | 2025-07-09 | Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended R… |
CVE-2025-53654 | Medium | 6.5 | — | 2025-07-09 | Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system. |
CVE-2025-53651 | Medium | 6.3 | — | 2025-07-09 | Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the bui… |
CVE-2025-53658 | Medium | 5.4 | — | 2025-07-09 | Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission. |
CVE-2025-53743 | Medium | 5.3 | — | 2025-07-09 | Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
CVE-2025-53677 | Medium | 5.3 | — | 2025-07-09 | Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it. |
CVE-2025-53674 | Medium | 5.3 | — | 2025-07-09 | Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture it. |
CVE-2025-53667 | Medium | 5.3 | — | 2025-07-09 | Jenkins Dead Man's Snitch Plugin 0.1 does not mask Dead Man's Snitch tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
CVE-2025-53655 | Medium | 5.3 | — | 2025-07-09 | Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it. |
CVE-2025-53669 | Medium | 4.3 | — | 2025-07-09 | Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
CVE-2025-53665 | Medium | 4.3 | — | 2025-07-09 | Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
CVE-2025-53661 | Medium | 4.3 | — | 2025-07-09 | Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
CVE-2025-53660 | Medium | 4.3 | — | 2025-07-09 | Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
CVE-2025-53657 | Medium | 4.3 | — | 2025-07-09 | Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
CVE-2025-53653 | Medium | 4.3 | — | 2025-07-09 | Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the… |
Campcodes · 29 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7457 | High | 7.3 | — | 2025-07-11 | A vulnerability, which was classified as critical, was found in Campcodes Online Movie Theater Seat Reservation System 1.0. |
CVE-2025-7456 | High | 7.3 | — | 2025-07-11 | A vulnerability, which was classified as critical, has been found in Campcodes Online Movie Theater Seat Reservation System 1.0. |
CVE-2025-7455 | High | 7.3 | — | 2025-07-11 | A vulnerability classified as critical was found in Campcodes Online Movie Theater Seat Reservation System 1.0. |
CVE-2025-7454 | High | 7.3 | — | 2025-07-11 | A vulnerability classified as critical has been found in Campcodes Online Movie Theater Seat Reservation System 1.0. |
CVE-2025-7436 | High | 7.3 | — | 2025-07-11 | A vulnerability was found in Campcodes Online Recruitment Management System 1.0. |
CVE-2025-7220 | High | 7.3 | — | 2025-07-09 | A vulnerability was found in Campcodes Payroll Management System 1.0. |
CVE-2025-7219 | High | 7.3 | — | 2025-07-09 | A vulnerability was found in Campcodes Payroll Management System 1.0. |
CVE-2025-7218 | High | 7.3 | — | 2025-07-09 | A vulnerability was found in Campcodes Payroll Management System 1.0 and classified as critical. |
CVE-2025-7217 | High | 7.3 | — | 2025-07-09 | A vulnerability has been found in Campcodes Payroll Management System 1.0 and classified as critical. |
CVE-2025-7183 | High | 7.3 | — | 2025-07-08 | A vulnerability was found in Campcodes Sales and Inventory System 1.0 and classified as critical. |
CVE-2025-7165 | High | 7.3 | — | 2025-07-08 | A vulnerability was found in PHPGurukul/Campcodes Cyber Cafe Management System 1.0 and classified as critical. |
CVE-2025-7164 | High | 7.3 | — | 2025-07-08 | A vulnerability has been found in PHPGurukul/Campcodes Cyber Cafe Management System 1.0 and classified as critical. |
CVE-2025-7136 | High | 7.3 | — | 2025-07-07 | A vulnerability, which was classified as critical, was found in Campcodes Online Recruitment Management System 1.0. |
CVE-2025-7135 | High | 7.3 | — | 2025-07-07 | A vulnerability, which was classified as critical, has been found in Campcodes Online Recruitment Management System 1.0. |
CVE-2025-7134 | High | 7.3 | — | 2025-07-07 | A vulnerability classified as critical was found in Campcodes Online Recruitment Management System 1.0. |
CVE-2025-7132 | High | 7.3 | — | 2025-07-07 | A vulnerability was found in Campcodes Payroll Management System 1.0. |
CVE-2025-7131 | High | 7.3 | — | 2025-07-07 | A vulnerability was found in Campcodes Payroll Management System 1.0. |
CVE-2025-7130 | High | 7.3 | — | 2025-07-07 | A vulnerability was found in Campcodes Payroll Management System 1.0. |
CVE-2025-7129 | High | 7.3 | — | 2025-07-07 | A vulnerability was found in Campcodes Payroll Management System 1.0 and classified as critical. |
CVE-2025-7128 | High | 7.3 | — | 2025-07-07 | A vulnerability has been found in Campcodes Payroll Management System 1.0 and classified as critical. |
CVE-2025-7122 | High | 7.3 | — | 2025-07-07 | A vulnerability was found in Campcodes Complaint Management System 1.0. |
CVE-2025-7120 | High | 7.3 | — | 2025-07-07 | A vulnerability was found in Campcodes Complaint Management System 1.0 and classified as critical. |
CVE-2025-7119 | High | 7.3 | — | 2025-07-07 | A vulnerability has been found in Campcodes Complaint Management System 1.0 and classified as critical. |
CVE-2025-7152 | Medium | 6.3 | — | 2025-07-08 | A vulnerability classified as critical has been found in Campcodes Advanced Online Voting System 1.0. |
CVE-2025-7151 | Medium | 6.3 | — | 2025-07-07 | A vulnerability was found in Campcodes Advanced Online Voting System 1.0. |
CVE-2025-7150 | Medium | 6.3 | — | 2025-07-07 | A vulnerability was found in Campcodes Advanced Online Voting System 1.0. |
CVE-2025-7149 | Medium | 6.3 | — | 2025-07-07 | A vulnerability was found in Campcodes Advanced Online Voting System 1.0. |
CVE-2025-7121 | Medium | 6.3 | — | 2025-07-07 | A vulnerability was found in Campcodes Complaint Management System 1.0. |
CVE-2025-7123 | Medium | 4.7 | — | 2025-07-07 | A vulnerability was found in Campcodes Complaint Management System 1.0. |
N/A · 27 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-45065 | Critical | 9.8 | — | 2025-07-07 | employee record management system in php and mysql v1 was discovered to contain a SQL injection vulnerability via the loginerms.php endpoint. |
CVE-2025-43933 | Critical | 9.8 | — | 2025-07-07 | fblog through 983bede allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. |
CVE-2025-43932 | Critical | 9.8 | — | 2025-07-07 | JobCenter through 7e7b0b2 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. |
CVE-2025-43931 | Critical | 9.8 | — | 2025-07-07 | flask-boilerplate through a170e7c allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. |
CVE-2025-43930 | Critical | 9.8 | — | 2025-07-07 | Hashview 0.8.1 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. |
CVE-2025-47202 | Critical | 9.1 | — | 2025-07-07 | In RRC in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400, the lack of a length check leads… |
CVE-2025-52089 | High | 8.8 | — | 2025-07-11 | A hidden remote support feature protected by a static secret in TOTOLINK N300RB firmware version 8.54 allows an authenticated attacker to execute arbitrary OS commands with root privileges. |
CVE-2025-44177 | High | 8.2 | — | 2025-07-09 | A directory traversal vulnerability was discovered in White Star Software Protop version 4.4.2-2024-11-27, specifically in the /pt3upd/ endpoint. |
CVE-2025-44251 | High | 7.5 | — | 2025-07-10 | Ecovacs Deebot T10 1.7.2 transmits Wi-Fi credentials in cleartext during the pairing process. |
CVE-2025-53645 | High | 7.5 | — | 2025-07-09 | Zimbra Collaboration (ZCS) before 9.0.0 Patch 46, 10.0.x before 10.0.15, and 10.1.x before 10.1.9 is vulnerable to a denial of service condition due to improper handling of excessive, comma-separated path segments in the Admin Console. |
CVE-2025-52364 | High | 7.5 | — | 2025-07-09 | Insecure Permissions vulnerability in Tenda CP3 Pro Firmware V22.5.4.93 enables the telnet service (telnetd) by default at boot via the initialization script /etc/init.d/eth.sh. |
CVE-2025-47422 | High | 7.5 | — | 2025-07-08 | Advanced Installer before 22.6 has an uncontrolled search path element local privilege escalation vulnerability. |
CVE-2025-52492 | High | 7.5 | — | 2025-07-07 | A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. |
CVE-2025-26780 | High | 7.5 | — | 2025-07-07 | An issue was discovered in L2 in Samsung Mobile Processor and Modem Exynos 2400 and Modem 5400. |
CVE-2023-51232 | High | 7.5 | — | 2025-07-07 | Directory Traversal vulnerability in dagster-webserver Dagster through 1.5.11 allows remote attackers to obtain sensitive information via a crafted request to the /logs endpoint. |
CVE-2021-27961 | Medium | 6.5 | — | 2025-07-09 | evesys 7.1 (2152) through 8.0 (2202) allows Reflected XSS via the indexeva.php action parameter. |
CVE-2025-44525 | Medium | 6.5 | — | 2025-07-09 | Texas Instruments CC2652RB LaunchPad SimpleLink CC13XX CC26XX SDK 7.41.00.17 was discovered to utilize insufficient permission checks on critical fields within Bluetooth Low Energy (BLE) data packets. |
CVE-2025-44526 | Medium | 6.5 | — | 2025-07-09 | Realtek RTL8762EKF-EVB RTL8762E SDK V1.4.0 was discovered to utilize insufficient permission checks on critical fields within Bluetooth Low Energy (BLE) data packets. |
CVE-2025-29267 | Medium | 6.5 | — | 2025-07-08 | SQL Injection vulnerability in Abis, Inc Adjutant Core Accounting ERP build v.PreBeta250F allows a remote attacker to obtain sensitive information via the cid parameter in the GET request. |
CVE-2025-45662 | Medium | 6.1 | — | 2025-07-10 | A cross-site scripting (XSS) vulnerability in the component /master/login.php of mpgram-web commit 94baadb allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload. |
CVE-2024-36697 | Medium | 6.1 | — | 2025-07-10 | A cross-site scripting (XSS) vulnerability in the Admin Login page of Allworx System Software v9.1.9.12 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the SessionID parameter at query.asp. |
CVE-2024-37658 | Medium | 6.1 | — | 2025-07-07 | An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via the bbs/member_confirm.php. |
CVE-2024-37657 | Medium | 6.1 | — | 2025-07-07 | An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via the bbs/login.php component. |
CVE-2024-37656 | Medium | 6.1 | — | 2025-07-07 | An open redirect vulnerability in gnuboard5 v.5.5.16 allows a remote attacker to obtain sensitive information via the insufficient URL parameter verification in bbs/logout.php. |
CVE-2025-49604 | Medium | 5.4 | — | 2025-07-09 | For Realtek AmebaD devices, a heap-based buffer overflow was discovered in Ameba-AIoT ameba-arduino-d before version 3.1.9 and ameba-rtos-d before commit c2bfd8216a1cbc19ad2ab5f48f372ecea756d67a on 2025/07/03. |
CVE-2025-52357 | Medium | 4.1 | — | 2025-07-09 | Cross-Site Scripting (XSS) vulnerability exists in the ping diagnostic feature of FiberHome FD602GW-DX-R410 router (firmware V2.2.14), allowing an authenticated attacker to execute arbitrary JavaScript code in the context of the router's w… |
CVE-2025-51591 | Low | 3.7 | — | 2025-07-11 | A Server-Side Request Forgery (SSRF) in JGM Pandoc v3.6.4 allows attackers to gain access to and compromise the whole infrastructure via injecting a crafted iframe. |
Qualcomm · 26 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-21450 | Critical | 9.1 | — | 2025-07-08 | Cryptographic issue occurs due to use of insecure connection method while downloading. |
CVE-2025-21427 | High | 8.2 | — | 2025-07-08 | Information disclosure while decoding this RTP packet Payload when UE receives the RTP packet from the network. |
CVE-2025-27061 | High | 7.8 | — | 2025-07-08 | Memory corruption while handling the subsystem failure memory during the parsing of video packets received from the video firmware. |
CVE-2025-27058 | High | 7.8 | — | 2025-07-08 | Memory corruption while processing packet data with exceedingly large packet. |
CVE-2025-27056 | High | 7.8 | — | 2025-07-08 | Memory corruption during sub-system restart while processing clean-up to free up resources. |
CVE-2025-27055 | High | 7.8 | — | 2025-07-08 | Memory corruption during the image encoding process. |
CVE-2025-27052 | High | 7.8 | — | 2025-07-08 | Memory corruption while processing data packets in diag received from Unix clients. |
CVE-2025-27051 | High | 7.8 | — | 2025-07-08 | Memory corruption while processing command message in WLAN Host. |
CVE-2025-27050 | High | 7.8 | — | 2025-07-08 | Memory corruption while processing event close when client process terminates abruptly. |
CVE-2025-27047 | High | 7.8 | — | 2025-07-08 | Memory corruption while processing the TESTPATTERNCONFIG escape path. |
CVE-2025-27046 | High | 7.8 | — | 2025-07-08 | Memory corruption while processing multiple simultaneous escape calls. |
CVE-2025-27044 | High | 7.8 | — | 2025-07-08 | Memory corruption while executing timestamp video decode command with large input values. |
CVE-2025-27043 | High | 7.8 | — | 2025-07-08 | Memory corruption while processing manipulated payload in video firmware. |
CVE-2025-27042 | High | 7.8 | — | 2025-07-08 | Memory corruption while processing video packets received from video firmware. |
CVE-2025-21466 | High | 7.8 | — | 2025-07-08 | Memory corruption while processing a private escape command in an event trigger. |
CVE-2025-21445 | High | 7.8 | — | 2025-07-08 | Memory corruption while copying the result to the transmission queue which is shared between the virtual machine and the host. |
CVE-2025-21444 | High | 7.8 | — | 2025-07-08 | Memory corruption while copying the result to the transmission queue in EMAC. |
CVE-2025-21432 | High | 7.8 | — | 2025-07-08 | Memory corruption while retrieving the CBOR data from TA. |
CVE-2025-27057 | High | 7.5 | — | 2025-07-08 | Transient DOS while handling beacon frames with invalid IE header length. |
CVE-2025-21454 | High | 7.5 | — | 2025-07-08 | Transient DOS while processing received beacon frame. |
CVE-2025-21449 | High | 7.5 | — | 2025-07-08 | Transient DOS may occur while processing malformed length field in SSID IEs. |
CVE-2025-21446 | High | 7.5 | — | 2025-07-08 | Transient DOS may occur when processing vendor-specific information elements while parsing a WLAN frame for BTM requests. |
CVE-2025-21422 | High | 7.1 | — | 2025-07-08 | Cryptographic issue while processing crypto API calls, missing checks may lead to corrupted key usage or IV reuses. |
CVE-2025-21426 | Medium | 6.6 | — | 2025-07-08 | Memory corruption while processing camera TPG write request. |
CVE-2025-21433 | Medium | 6.2 | — | 2025-07-08 | Transient DOS when importing a PKCS#8-encoded RSA private key with a zero-sized modulus. |
CVE-2024-53009 | Medium | 5.3 | — | 2025-07-08 | Memory corruption while operating the mailbox in Automotive. |
Adobe · 25 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-49533 | Critical | 9.8 | — | 2025-07-08 | Adobe Experience Manager (MS) versions 6.5.23.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. |
CVE-2025-27203 | Critical | 9.6 | — | 2025-07-08 | Adobe Connect versions 24.0 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could lead to arbitrary code execution by an attacker. |
CVE-2025-49535 | Critical | 9.3 | — | 2025-07-08 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. |
CVE-2025-49551 | High | 8.8 | — | 2025-07-08 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Use of Hard-coded Credentials vulnerability that could result in privilege escalation. |
CVE-2025-49537 | High | 7.9 | — | 2025-07-08 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that could lead to arbitrary code execution by a high-priv… |
CVE-2025-43582 | High | 7.8 | — | 2025-07-08 | Substance3D - Viewer versions 0.22 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user, scope unchanged. |
CVE-2025-21166 | High | 7.8 | — | 2025-07-08 | Substance3D - Designer versions 14.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21165 | High | 7.8 | — | 2025-07-08 | Substance3D - Designer versions 14.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-21164 | High | 7.8 | — | 2025-07-08 | Substance3D - Designer versions 14.1 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. |
CVE-2025-49538 | High | 7.4 | — | 2025-07-08 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XML Injection vulnerability that could lead to arbitrary file system read. |
CVE-2025-49536 | High | 7.3 | — | 2025-07-08 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. |
CVE-2025-49544 | Medium | 6.8 | — | 2025-07-08 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a Security feature bypass. |
CVE-2025-49545 | Medium | 6.2 | — | 2025-07-08 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could lead to arbitrary file system read. |
CVE-2025-43584 | Medium | 5.5 | — | 2025-07-08 | Substance3D - Viewer versions 0.22 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-43583 | Medium | 5.5 | — | 2025-07-08 | Substance3D - Viewer versions 0.22 and earlier are affected by a NULL Pointer Dereference vulnerability that could lead to application denial-of-service. |
CVE-2025-21168 | Medium | 5.5 | — | 2025-07-08 | Substance3D - Designer versions 14.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-21167 | Medium | 5.5 | — | 2025-07-08 | Substance3D - Designer versions 14.1 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. |
CVE-2025-49547 | Medium | 5.4 | — | 2025-07-08 | Adobe Experience Manager versions FP11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-49534 | Medium | 5.4 | — | 2025-07-08 | Adobe Experience Manager versions FP11.4 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low-privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-49542 | Medium | 5.2 | — | 2025-07-08 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. |
CVE-2025-49539 | Medium | 4.5 | — | 2025-07-08 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in a security feature bypass. |
CVE-2025-49543 | Medium | 4.3 | — | 2025-07-08 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-49541 | Medium | 4.3 | — | 2025-07-08 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-49540 | Medium | 4.3 | — | 2025-07-08 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a high-privileged attacker to inject malicious scripts into vulnerable form fields. |
CVE-2025-49546 | Low | 2.4 | — | 2025-07-08 | ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an Improper Access Control vulnerability that could lead to a partial application denial-of-service. |
SAP SE · 25 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-42967 | Critical | 9.9 | — | 2025-07-08 | SAP S/4HANA and SAP SCM Characteristic Propagation have a remote code execution vulnerability. |
CVE-2025-42980 | Critical | 9.1 | — | 2025-07-08 | SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and ava… |
CVE-2025-42966 | Critical | 9.1 | — | 2025-07-08 | SAP NetWeaver XML Data Archiving Service allows an authenticated attacker with administrative privileges to exploit an insecure Java deserialization vulnerability by sending a specially crafted serialized Java object. |
CVE-2025-42964 | Critical | 9.1 | — | 2025-07-08 | SAP NetWeaver Enterprise Portal Administration is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability… |
CVE-2025-42963 | Critical | 9.1 | — | 2025-07-08 | A critical vulnerability in SAP NetWeaver Application server for Java Log Viewer enables authenticated administrator users to exploit unsafe Java object deserialization. |
CVE-2025-42959 | High | 8.1 | — | 2025-07-08 | An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a replay attack against a different system. |
CVE-2025-42953 | High | 8.1 | — | 2025-07-08 | SAP Netweaver System Configuration does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. |
CVE-2025-42952 | High | 7.7 | — | 2025-07-08 | SAP Business Warehouse and SAP Plug-In Basis allows an authenticated attacker to add fields to arbitrary SAP database tables and/or structures, potentially rendering the system unusable. |
CVE-2025-43001 | Medium | 6.9 | — | 2025-07-08 | SAPCAR allows an attacker logged in with high privileges to override the permissions of the current and parent directories of the user or process extracting the archive, leading to privilege escalation. |
CVE-2025-42992 | Medium | 6.9 | — | 2025-07-08 | SAPCAR allows an attacker logged in with high privileges to create a malicious SAR archive in SAPCAR. |
CVE-2025-42985 | Medium | 6.1 | — | 2025-07-08 | Due to insufficient sanitization in the SAP BusinessObjects Content Administrator Workbench, attackers could craft malicious URLs and execute scripts in a victim's browser. |
CVE-2025-42981 | Medium | 6.1 | — | 2025-07-08 | Due to an open redirect vulnerability in SAP NetWeaver Application Server ABAP, an unauthenticated attacker could craft a URL link embedding a malicious script at a location not properly sanitized. |
CVE-2025-42969 | Medium | 6.1 | — | 2025-07-08 | SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to inject a malicious script into a dynamically crafted URL. |
CVE-2025-42962 | Medium | 6.1 | — | 2025-07-08 | SAP Business Warehouse (Business Explorer Web) allows an attacker to create a malicious link. |
CVE-2025-42970 | Medium | 5.8 | — | 2025-07-08 | SAPCAR improperly sanitizes the file paths while extracting SAPCAR archives. |
CVE-2025-42979 | Medium | 5.6 | — | 2025-07-08 | The GuiXT application, which is integrated with SAP GUI for Windows, uses obfuscation algorithms instead of secure symmetric ciphers for storing the credentials of an RFC user on the client PC. |
CVE-2025-42973 | Medium | 5.4 | — | 2025-07-08 | Due to a Cross-Site Scripting vulnerability in SAP Data Services Management Console, an authenticated attacker could exploit the search functionality associated with DQ job status reports. |
CVE-2025-42961 | Medium | 4.9 | — | 2025-07-08 | Due to a missing authorization check in SAP NetWeaver Application server for ABAP, an authenticated user with high privileges could exploit the insufficient validation of user permissions to access sensitive database tables. |
CVE-2025-42974 | Medium | 4.3 | — | 2025-07-08 | Due to missing authorization check, an attacker authenticated as a non-administrative user could call a remote-enabled function module. |
CVE-2025-42960 | Medium | 4.3 | — | 2025-07-08 | SAP Business Warehouse and SAP BW/4HANA BEx Tools allow an authenticated attacker to gain higher access levels than intended by exploiting improper authorization checks. |
CVE-2025-42965 | Medium | 4.1 | — | 2025-07-08 | SAP CMC Promotion Management allows an authenticated attacker to enumerate internal network systems by submitting crafted requests during job source configuration. |
CVE-2025-31326 | Medium | 4.1 | — | 2025-07-08 | SAP BusinessObjects Business Intelligence Platform (Web Intelligence) is vulnerable to HTML Injection, allowing an attacker with basic user privileges to inject malicious code into specific input fields. |
CVE-2025-42971 | Medium | 4.0 | — | 2025-07-08 | A memory corruption vulnerability exists in SAPCAR allowing an attacker to craft malicious SAPCAR archives. |
CVE-2025-42978 | Low | 3.5 | — | 2025-07-08 | The widely used component that establishes outbound TLS connections in SAP NetWeaver Application Server Java does not reliably match the hostname that is used for the connection against the wildcard hostname defined in the received certifi… |
CVE-2025-42954 | Low | 2.7 | — | 2025-07-08 | SAP NetWeaver Business Warehouse CCAW application allows a privileged attacker to cause a high CPU load by executing a RFC enabled function modules without any input parameters, which results in reduced performance or interrupted operation… |
Code-projects · 24 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7199 | High | 7.3 | — | 2025-07-08 | A vulnerability, which was classified as critical, has been found in code-projects Library System 1.0. |
CVE-2025-7191 | High | 7.3 | — | 2025-07-08 | A vulnerability has been found in code-projects Student Enrollment System 1.0 and classified as critical. |
CVE-2025-7185 | High | 7.3 | — | 2025-07-08 | A vulnerability was found in code-projects Library System 1.0. |
CVE-2025-7184 | High | 7.3 | — | 2025-07-08 | A vulnerability was found in code-projects Library System 1.0. |
CVE-2025-7179 | High | 7.3 | — | 2025-07-08 | A vulnerability classified as critical was found in code-projects Library System 1.0. |
CVE-2025-7178 | High | 7.3 | — | 2025-07-08 | A vulnerability classified as critical has been found in code-projects Food Distributor Site 1.0. |
CVE-2025-7174 | High | 7.3 | — | 2025-07-08 | A vulnerability was found in code-projects Library System 1.0 and classified as critical. |
CVE-2025-7173 | High | 7.3 | — | 2025-07-08 | A vulnerability has been found in code-projects Library System 1.0 and classified as critical. |
CVE-2025-7172 | High | 7.3 | — | 2025-07-08 | A vulnerability, which was classified as critical, was found in code-projects Crime Reporting System 1.0. |
CVE-2025-7171 | High | 7.3 | — | 2025-07-08 | A vulnerability, which was classified as critical, has been found in code-projects Crime Reporting System 1.0. |
CVE-2025-7170 | High | 7.3 | — | 2025-07-08 | A vulnerability classified as critical was found in code-projects Crime Reporting System 1.0. |
CVE-2025-7169 | High | 7.3 | — | 2025-07-08 | A vulnerability classified as critical has been found in code-projects Crime Reporting System 1.0. |
CVE-2025-7168 | High | 7.3 | — | 2025-07-08 | A vulnerability was found in code-projects Crime Reporting System 1.0. |
CVE-2025-7413 | Medium | 6.3 | — | 2025-07-10 | A vulnerability classified as critical has been found in code-projects Library System 1.0. |
CVE-2025-7412 | Medium | 6.3 | — | 2025-07-10 | A vulnerability was found in code-projects Library System 1.0. |
CVE-2025-7210 | Medium | 6.3 | — | 2025-07-09 | A vulnerability was found in code-projects/Fabian Ros Library Management System 2.0 and classified as critical. |
CVE-2025-7190 | Medium | 6.3 | — | 2025-07-08 | A vulnerability, which was classified as critical, was found in code-projects Library Management System 2.0. |
CVE-2025-7189 | Medium | 6.3 | — | 2025-07-08 | A vulnerability, which was classified as critical, has been found in code-projects Chat System 1.0. |
CVE-2025-7188 | Medium | 6.3 | — | 2025-07-08 | A vulnerability classified as critical was found in code-projects Chat System 1.0. |
CVE-2025-7187 | Medium | 6.3 | — | 2025-07-08 | A vulnerability classified as critical has been found in code-projects Chat System 1.0. |
CVE-2025-7186 | Medium | 6.3 | — | 2025-07-08 | A vulnerability was found in code-projects Chat System 1.0. |
CVE-2025-7175 | Medium | 6.3 | — | 2025-07-08 | A vulnerability was found in code-projects E-Commerce Site 1.0. |
CVE-2025-7167 | Medium | 6.3 | — | 2025-07-08 | A vulnerability was found in code-projects Responsive Blog Site 1.0. |
CVE-2025-7166 | Medium | 6.3 | — | 2025-07-08 | A vulnerability was found in code-projects Responsive Blog Site 1.0. |
Juniper · 24 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-52950 | Critical | 9.6 | — | 2025-07-11 | A Missing Authorization vulnerability in Juniper Networks Security Director allows an unauthenticated network-based attacker to read or tamper with multiple sensitive resources via the web interface. |
CVE-2025-52954 | High | 7.8 | — | 2025-07-11 | A Missing Authorization vulnerability in the internal virtual routing and forwarding (VRF) of Juniper Networks Junos OS Evolved allows a local, low-privileged user to gain root privileges, leading to a system compromise. |
CVE-2025-52981 | High | 7.5 | — | 2025-07-11 | An Improper Check for Unusual or Exceptional Conditions vulnerability in the flow processing daemon (flowd) of Juniper Networks Junos OS on SRX1600, SRX2300, SRX 4000 Series, and SRX5000 Series with SPC3 allows an unauthenticat… |
CVE-2025-52980 | High | 7.5 | — | 2025-07-11 | A Use of Incorrect Byte Ordering vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS on SRX300 Series allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). |
CVE-2025-52946 | High | 7.5 | — | 2025-07-11 | A Use After Free vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Juniper Networks Junos OS Evolved allows an attacker sending a BGP update with a specifically malformed AS PATH to cause rpd to crash, res… |
CVE-2025-30661 | High | 7.3 | — | 2025-07-11 | An Incorrect Permission Assignment for Critical Resource vulnerability in line card script processing of Juniper Networks Junos OS allows a local, low-privileged user to install scripts to be executed as root, leading to privilege escalati… |
CVE-2025-52983 | High | 7.2 | — | 2025-07-11 | A UI Discrepancy for Security Feature vulnerability in the UI of Juniper Networks Junos OS on VM Host systems allows a network-based, unauthenticated attacker to access the device. |
CVE-2025-52988 | Medium | 6.7 | — | 2025-07-11 | An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the CLI of Juniper Networks Junos OS and Junos OS Evolved allows a high privileged, local attacker to escalated their privileges… |
CVE-2025-6549 | Medium | 6.5 | — | 2025-07-11 | An Incorrect Authorization vulnerability in the web server of Juniper Networks Junos OS on SRX Series allows an unauthenticated, network-based attacker to reach the Juniper Web Device Manager (J-Web). |
CVE-2025-52964 | Medium | 6.5 | — | 2025-07-11 | A Reachable Assertion vulnerability in the Routing Protocol Daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause a Denial of Service (DoS). |
CVE-2025-52955 | Medium | 6.5 | — | 2025-07-11 | An Incorrect Calculation of Buffer Size vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent unauthenticated attacker to cause a memory corruption that leads to a rpd crash… |
CVE-2025-52953 | Medium | 6.5 | — | 2025-07-11 | An Expected Behavior Violation vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated adjacent attacker sending a valid BGP UPDATE packet to cause a BGP session reset… |
CVE-2025-52952 | Medium | 6.5 | — | 2025-07-11 | An Out-of-bounds Write vulnerability in the connectivity fault management (CFM) daemon of Juniper Networks Junos OS on MX Series with MPC-BUILTIN, MPC1 through MPC9 line cards allows an unauthenticated adjacent attacker to send a malformed… |
CVE-2025-52949 | Medium | 6.5 | — | 2025-07-11 | An Improper Handling of Length Parameter Inconsistency vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a logically adjacent BGP peer sending a specifically malformed BGP packet to… |
CVE-2025-52947 | Medium | 6.5 | — | 2025-07-11 | An Improper Handling of Exceptional Conditions vulnerability in route processing of Juniper Networks Junos OS on specific end-of-life (EOL) ACX Series platforms allows an attacker to crash the Forwarding Engine Board (FEB) by flapping an i… |
CVE-2025-52984 | Medium | 5.9 | — | 2025-07-11 | A NULL Pointer Dereference vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an unauthenticated, network-based attacker to cause impact to the availability of the device. |
CVE-2025-52982 | Medium | 5.9 | — | 2025-07-11 | An Improper Resource Shutdown or Release vulnerability in the SIP ALG of Juniper Networks Junos OS on MX Series with MS-MPC allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). |
CVE-2025-52948 | Medium | 5.9 | — | 2025-07-11 | An Improper Handling of Exceptional Conditions vulnerability in Berkeley Packet Filter (BPF) processing of Juniper Networks Junos OS allows an attacker, in rare cases, sending specific, unknown traffic patterns to cause the FPC and system… |
CVE-2025-52951 | Medium | 5.8 | — | 2025-07-11 | A Protection Mechanism Failure vulnerability in kernel filter processing of Juniper Networks Junos OS allows an attacker sending IPv6 traffic destined to the device to effectively bypass any firewall filtering configured on the interface. |
CVE-2025-52986 | Medium | 5.5 | — | 2025-07-11 | A Missing Release of Memory after Effective Lifetime vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, low privileged user to cause an impact to the availability of the dev… |
CVE-2025-52963 | Medium | 5.5 | — | 2025-07-11 | An Improper Access Control vulnerability in the User Interface (UI) of Juniper Networks Junos OS allows a local, low-privileged attacker to bring down an interface, leading to a Denial-of-Service. |
CVE-2025-52985 | Medium | 5.3 | — | 2025-07-11 | A Use of Incorrect Operator vulnerability in the Routing Engine firewall of Juniper Networks Junos OS Evolved allows an unauthenticated, network-based attacker to bypass security restrictions. |
CVE-2025-52958 | Medium | 5.3 | — | 2025-07-11 | A Reachable Assertion vulnerability in the routing protocol daemon (rpd) of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker to cause a Denial of Service (DoS). On all Junos OS and Junos OS Evolved… |
CVE-2025-52989 | Medium | 5.1 | — | 2025-07-11 | An Improper Neutralization of Delimiters vulnerability in the UI of Juniper Networks Junos OS and Junos OS Evolved allows a local, authenticated attacker with high privileges to modify the system configuration. |
Huawei · 21 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53169 | High | 7.6 | — | 2025-07-07 | Vulnerability of bypassing the process to start SA and use related functions on distributed cameras. Impact: Successful exploitation of this vulnerability may allow the peer device to use the camera without user awareness. |
CVE-2025-53167 | Medium | 6.9 | — | 2025-07-07 | Authentication vulnerability in the distributed collaboration framework module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
CVE-2025-53185 | Medium | 6.6 | — | 2025-07-07 | Virtual address reuse issue in the memory management module, which can be exploited by non-privileged users to access released memory. Impact: Successful exploitation of this vulnerability may affect service integrity. |
CVE-2025-53184 | Medium | 6.5 | — | 2025-07-07 | Null pointer dereference vulnerability in the PDF preview module. Impact: Successful exploitation of this vulnerability may affect function stability. |
CVE-2025-53183 | Medium | 6.5 | — | 2025-07-07 | Null pointer dereference vulnerability in the PDF preview module. Impact: Successful exploitation of this vulnerability may affect function stability. |
CVE-2025-53182 | Medium | 6.5 | — | 2025-07-07 | Null pointer dereference vulnerability in the PDF preview module. Impact: Successful exploitation of this vulnerability may affect function stability. |
CVE-2025-53181 | Medium | 6.5 | — | 2025-07-07 | Null pointer dereference vulnerability in the PDF preview module. Impact: Successful exploitation of this vulnerability may affect function stability. |
CVE-2025-53180 | Medium | 6.5 | — | 2025-07-07 | Null pointer dereference vulnerability in the PDF preview module. Impact: Successful exploitation of this vulnerability may affect function stability. |
CVE-2025-53179 | Medium | 6.5 | — | 2025-07-07 | Null pointer dereference vulnerability in the PDF preview module. Impact: Successful exploitation of this vulnerability may affect function stability. |
CVE-2025-53186 | Medium | 5.9 | — | 2025-07-07 | Vulnerability that allows third-party call apps to send broadcasts without verification in the audio framework module. Impact: Successful exploitation of this vulnerability may affect availability. |
CVE-2025-53168 | Medium | 5.7 | — | 2025-07-07 | Vulnerability of bypassing the process to start SA and use related functions on distributed cameras. Impact: Successful exploitation of this vulnerability may allow the peer device to use the camera without user awareness. |
CVE-2025-53173 | Medium | 5.3 | — | 2025-07-07 | Stack overflow risk when vector images are parsed during file preview. Impact: Successful exploitation of this vulnerability may affect the file preview function. |
CVE-2025-53178 | Medium | 4.8 | — | 2025-07-07 | Permission bypass vulnerability in the calendar storage module. Impact: Successful exploitation of this vulnerability may affect the schedule reminder function of head units. |
CVE-2025-53175 | Medium | 4.0 | — | 2025-07-07 | Stack overflow risk when vector images are parsed during file preview. Impact: Successful exploitation of this vulnerability may affect the file preview function. |
CVE-2025-53174 | Medium | 4.0 | — | 2025-07-07 | Stack overflow risk when vector images are parsed during file preview. Impact: Successful exploitation of this vulnerability may affect the file preview function. |
CVE-2025-53172 | Medium | 4.0 | — | 2025-07-07 | Stack overflow risk when vector images are parsed during file preview. Impact: Successful exploitation of this vulnerability may affect the file preview function. |
CVE-2025-53171 | Medium | 4.0 | — | 2025-07-07 | Stack overflow risk when vector images are parsed during file preview. Impact: Successful exploitation of this vulnerability may affect the file preview function. |
CVE-2025-53170 | Medium | 4.0 | — | 2025-07-07 | Null pointer dereference vulnerability in the application exit cause module. Impact: Successful exploitation of this vulnerability may affect function stability. |
CVE-2024-58117 | Medium | 4.0 | — | 2025-07-07 | Stack overflow risk when vector images are parsed during file preview. Impact: Successful exploitation of this vulnerability may affect the file preview function. |
CVE-2025-53177 | Low | 3.9 | — | 2025-07-07 | Permission bypass vulnerability in the calendar storage module. Impact: Successful exploitation of this vulnerability may affect the schedule syncing function of watches. |
CVE-2025-53176 | Low | 3.3 | — | 2025-07-07 | Stack overflow risk when vector images are parsed during file preview. Impact: Successful exploitation of this vulnerability may affect the file preview function. |
Siemens · 18 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40736 | Critical | 9.8 | — | 2025-07-08 | A vulnerability has been identified in SINEC NMS (All versions < V4.0). |
CVE-2025-41224 | High | 8.8 | — | 2025-07-08 | A vulnerability has been identified in RUGGEDCOM RMC8388 V5.X (All versions < V5.10.0), RUGGEDCOM RMC8388NC V5.X (All versions < V5.10.0), RUGGEDCOM RS416NCv2 V5.X (All versions < V5.10.0), RUGGEDCOM RS416PNCv2 V5.X (All versions < V5.10.0… |
CVE-2025-40738 | High | 8.8 | — | 2025-07-08 | A vulnerability has been identified in SINEC NMS (All versions < V4.0). |
CVE-2025-40737 | High | 8.8 | — | 2025-07-08 | A vulnerability has been identified in SINEC NMS (All versions < V4.0). |
CVE-2025-40735 | High | 8.8 | — | 2025-07-08 | A vulnerability has been identified in SINEC NMS (All versions < V4.0). |
CVE-2024-31854 | High | 8.1 | — | 2025-07-08 | A vulnerability has been identified in SICAM TOOLBOX II (All versions < V07.11). |
CVE-2024-31853 | High | 8.1 | — | 2025-07-08 | A vulnerability has been identified in SICAM TOOLBOX II (All versions < V07.11). |
CVE-2025-40741 | High | 7.8 | — | 2025-07-08 | A vulnerability has been identified in Solid Edge SE2025 (All versions < V225.0 Update 5). |
CVE-2025-40740 | High | 7.8 | — | 2025-07-08 | A vulnerability has been identified in Solid Edge SE2025 (All versions < V225.0 Update 5). |
CVE-2025-40739 | High | 7.8 | — | 2025-07-08 | A vulnerability has been identified in Solid Edge SE2025 (All versions < V225.0 Update 5). |
CVE-2025-23365 | High | 7.8 | — | 2025-07-08 | A vulnerability has been identified in TIA Administrator (All versions < V3.0.6). |
CVE-2023-52236 | High | 7.0 | — | 2025-07-08 | A vulnerability has been identified in RUGGEDCOM i800 (All versions), RUGGEDCOM i801 (All versions), RUGGEDCOM i802 (All versions), RUGGEDCOM i803 (All versions), RUGGEDCOM M2100 (All versions), RUGGEDCOM M2200 (All versions), RUGGEDCOM M9… |
CVE-2025-40593 | Medium | 6.5 | — | 2025-07-08 | A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0). |
CVE-2025-23364 | Medium | 6.2 | — | 2025-07-08 | A vulnerability has been identified in TIA Administrator (All versions < V3.0.6). |
CVE-2025-41222 | Medium | 5.3 | — | 2025-07-08 | A vulnerability has been identified in RUGGEDCOM i800 (All versions), RUGGEDCOM i801 (All versions), RUGGEDCOM i802 (All versions), RUGGEDCOM i803 (All versions), RUGGEDCOM M2100 (All versions), RUGGEDCOM M2200 (All versions), RUGGEDCOM M9… |
CVE-2025-40742 | Medium | 5.3 | — | 2025-07-08 | A vulnerability has been identified in SIPROTEC 5 6MD84 (CP300) (All versions < V11.0), SIPROTEC 5 6MD85 (CP200) (All versions), SIPROTEC 5 6MD85 (CP300) (All versions < V11.0), SIPROTEC 5 6MD86 (CP200) (All versions), SIPROTEC 5 6MD86 (CP… |
CVE-2025-41223 | Medium | 4.8 | — | 2025-07-08 | A vulnerability has been identified in RUGGEDCOM i800 (All versions), RUGGEDCOM i801 (All versions), RUGGEDCOM i802 (All versions), RUGGEDCOM i803 (All versions), RUGGEDCOM M2100 (All versions), RUGGEDCOM M2200 (All versions), RUGGEDCOM M9… |
CVE-2025-27127 | Medium | 4.3 | — | 2025-07-08 | A vulnerability has been identified in TIA Project-Server (All versions < V2.1.1), TIA Project-Server V17 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions), Totally Integrated Automation Portal (TIA Porta… |
Wikimedia Foundation · 16 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53499 | Critical | 9.1 | — | 2025-07-07 | Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access. This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2. |
CVE-2025-53495 | Critical | 9.1 | — | 2025-07-07 | Missing Authorization vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Unauthorized Access. This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2. |
CVE-2025-7056 | Medium | 6.3 | — | 2025-07-07 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - UrlShortener Extension allows Stored XSS. This issue affects Mediawiki - UrlShortener Extension: f… |
CVE-2025-53488 | Medium | 6.1 | — | 2025-07-07 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - WikiHiero Extension allows Stored XSS. This issue affects Mediawiki - WikiHiero Extension: from 1… |
CVE-2025-7363 | Medium | 5.4 | — | 2025-07-08 | The TitleIcon extension for MediaWiki is vulnerable to stored XSS through the #titleicon_unicode parser function. |
CVE-2025-7362 | Medium | 5.4 | — | 2025-07-08 | The MsUpload extension for MediaWiki is vulnerable to stored XSS via the msu-continue system message, which is inserted into the DOM without proper sanitization. |
CVE-2025-53479 | Medium | 5.4 | — | 2025-07-08 | The CheckUser extension’s Special:CheckUser interface is vulnerable to reflected XSS via the rev-deleted-user message. |
CVE-2025-53480 | Medium | 5.4 | — | 2025-07-08 | The CheckUser extension’s Special:Investigate page has a vulnerability in the Account information tab, where specific internationalized messages are rendered without proper escaping. |
CVE-2025-53496 | Medium | 5.4 | — | 2025-07-07 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - MediaSearch Extension allows Stored XSS. This issue affects Mediawiki - MediaSearch Extension: fro… |
CVE-2025-53478 | Medium | 5.4 | — | 2025-07-07 | The CheckUser extension’s Special:Investigate interface is vulnerable to reflected XSS due to improper escaping of certain internationalized system messages rendered on the “IPs and User agents” tab. |
CVE-2025-53497 | Medium | 5.4 | — | 2025-07-07 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - RelatedArticles Extension allows Stored XSS. This issue affects Mediawiki - RelatedArticles Extens… |
CVE-2025-53491 | Medium | 5.4 | — | 2025-07-07 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - FlaggedRevs Extension allows Cross-Site Scripting (XSS). This issue affects Mediawiki - FlaggedRev… |
CVE-2025-7057 | Medium | 5.4 | — | 2025-07-07 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation Mediawiki - Quiz Extension allows Stored XSS. This issue affects Mediawiki - Quiz Extension: from 1.39.X befor… |
CVE-2025-53487 | Medium | 5.4 | — | 2025-07-07 | The ApprovedRevs extension for MediaWiki is vulnerable to stored XSS in multiple locations where system messages are inserted into raw HTML without proper escaping. |
CVE-2025-53486 | Medium | 5.4 | — | 2025-07-07 | The WikiCategoryTagCloud extension is vulnerable to reflected XSS via the linkstyle attribute, which is improperly concatenated into inline HTML without escaping. |
CVE-2025-53498 | Medium | 5.3 | — | 2025-07-07 | Insufficient Logging vulnerability in Wikimedia Foundation Mediawiki - AbuseFilter Extension allows Data Leakage Attacks. This issue affects Mediawiki - AbuseFilter Extension: from 1.43.X before 1.43.2. |
Marvell · 15 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6802 | Critical | 9.8 | — | 2025-07-07 | Marvell QConvergeConsole getFileFromURL Unrestricted File Upload Remote Code Execution Vulnerability. |
CVE-2025-6794 | Critical | 9.8 | — | 2025-07-07 | Marvell QConvergeConsole saveAsText Directory Traversal Remote Code Execution Vulnerability. |
CVE-2025-6793 | Critical | 9.4 | — | 2025-07-07 | Marvell QConvergeConsole QLogicDownloadImpl Directory Traversal Arbitrary File Deletion and Information Disclosure Vulnerability. |
CVE-2025-6805 | Critical | 9.1 | — | 2025-07-07 | Marvell QConvergeConsole deleteEventLogFile Directory Traversal Arbitrary File Deletion Vulnerability. |
CVE-2025-6798 | Critical | 9.1 | — | 2025-07-07 | Marvell QConvergeConsole deleteAppFile Directory Traversal Arbitrary File Deletion Vulnerability. |
CVE-2025-6807 | High | 7.5 | — | 2025-07-07 | Marvell QConvergeConsole getDriverTmpPath Directory Traversal Information Disclosure Vulnerability. |
CVE-2025-6806 | High | 7.5 | — | 2025-07-07 | Marvell QConvergeConsole decryptFile Directory Traversal Arbitrary File Write Vulnerability. |
CVE-2025-6804 | High | 7.5 | — | 2025-07-07 | Marvell QConvergeConsole compressFirmwareDumpFiles Directory Traversal Information Disclosure Vulnerability. |
CVE-2025-6803 | High | 7.5 | — | 2025-07-07 | Marvell QConvergeConsole compressDriverFiles Directory Traversal Information Disclosure Vulnerability. |
CVE-2025-6801 | High | 7.5 | — | 2025-07-07 | Marvell QConvergeConsole saveNICParamsToFile Directory Traversal Arbitrary File Write Vulnerability. |
CVE-2025-6800 | High | 7.5 | — | 2025-07-07 | Marvell QConvergeConsole restoreESwitchConfig Directory Traversal Information Disclosure Vulnerability. |
CVE-2025-6799 | High | 7.5 | — | 2025-07-07 | Marvell QConvergeConsole getFileUploadBytes Directory Traversal Information Disclosure Vulnerability. |
CVE-2025-6797 | High | 7.5 | — | 2025-07-07 | Marvell QConvergeConsole getFileUploadBytes Directory Traversal Information Disclosure Vulnerability. |
CVE-2025-6796 | High | 7.5 | — | 2025-07-07 | Marvell QConvergeConsole getAppFileBytes Directory Traversal Information Disclosure Vulnerability. |
CVE-2025-6795 | High | 7.5 | — | 2025-07-07 | Marvell QConvergeConsole getFileUploadSize Directory Traversal Information Disclosure Vulnerability. |
Samsung · 15 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-21006 | High | 7.0 | — | 2025-07-08 | Out-of-bounds write in handling of macro blocks for MPEG4 codec in libsavsvc.so prior to Android 15 allows local attackers to write out-of-bounds memory. |
CVE-2025-20983 | Medium | 6.4 | — | 2025-07-08 | Out-of-bounds write in checking auth secret in KnoxVault trustlet prior to SMR Jul-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. |
CVE-2025-20982 | Medium | 6.4 | — | 2025-07-08 | Out-of-bounds write in setting auth secret in KnoxVault trustlet prior to SMR Jul-2025 Release 1 allows local privileged attackers to write out-of-bounds memory. |
CVE-2025-21004 | Medium | 6.2 | — | 2025-07-08 | Improper verification of intent by broadcast receiver in System UI for Galaxy Watch prior to SMR Jul-2025 Release 1 allows local attackers to power off the device. |
CVE-2025-21002 | Medium | 6.2 | — | 2025-07-08 | Improper access control in LeAudioService prior to SMR Jul-2025 Release 1 allows local attackers to manipulate broadcasting Auracast. |
CVE-2025-21001 | Medium | 6.2 | — | 2025-07-08 | Improper access control in LeAudioService prior to SMR Jul-2025 Release 1 allows local attackers to stop broadcasting Auracast. |
CVE-2025-21000 | Medium | 6.2 | — | 2025-07-08 | Improper privilege management in Bluetooth prior to SMR Jul-2025 Release 1 allows local attackers to enable Bluetooth. |
CVE-2025-20997 | Medium | 6.2 | — | 2025-07-08 | Incorrect default permission in Framework for Galaxy Watch prior to SMR Jul-2025 Release 1 allows local attackers to reset some configuration of Galaxy Watch. |
CVE-2025-21009 | Medium | 5.5 | — | 2025-07-08 | Out-of-bounds read in decoding malformed frame header in libsavsvc.so prior to Android 15 allows local attackers to cause memory corruption. |
CVE-2025-21008 | Medium | 5.5 | — | 2025-07-08 | Out-of-bounds read in decoding frame header in libsavsvc.so prior to Android 15 allows local attackers to cause memory corruption. |
CVE-2025-21007 | Medium | 5.5 | — | 2025-07-08 | Out-of-bounds write in accessing uninitialized memory in libsavsvc.so prior to Android 15 allows local attackers to cause memory corruption. |
CVE-2025-21005 | Medium | 5.5 | — | 2025-07-08 | Improper access control in isemtelephony prior to Android 15 allows local attackers to access sensitive information. |
CVE-2025-20998 | Medium | 5.5 | — | 2025-07-08 | Improper access control in SamsungAccount for Galaxy Watch prior to SMR Jul-2025 Release 1 allows local attackers to access phone number. |
CVE-2025-20999 | Medium | 4.1 | — | 2025-07-08 | Improper authorization in accessing saved Wi-Fi password for Galaxy Tablet prior to SMR Jul-2025 Release 1 allows secondary users to access owner's saved Wi-Fi password. |
CVE-2025-21003 | Medium | 4.0 | — | 2025-07-08 | Insecure storage of sensitive information in Emergency SOS prior to SMR Jul-2025 Release 1 allows local attackers to access sensitive information. |
Mediatek · 13 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-20684 | Critical | 9.8 | — | 2025-07-08 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. |
CVE-2025-20683 | Critical | 9.8 | — | 2025-07-08 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. |
CVE-2025-20682 | Critical | 9.8 | — | 2025-07-08 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. |
CVE-2025-20681 | Critical | 9.8 | — | 2025-07-08 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. |
CVE-2025-20680 | Critical | 9.8 | — | 2025-07-08 | In Bluetooth driver, there is a possible out of bounds write due to an incorrect bounds check. |
CVE-2025-20686 | High | 8.8 | — | 2025-07-08 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. |
CVE-2025-20685 | High | 8.8 | — | 2025-07-08 | In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. |
CVE-2025-20692 | Medium | 5.5 | — | 2025-07-08 | In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. |
CVE-2025-20691 | Medium | 5.5 | — | 2025-07-08 | In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. |
CVE-2025-20690 | Medium | 5.5 | — | 2025-07-08 | In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. |
CVE-2025-20689 | Medium | 5.5 | — | 2025-07-08 | In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. |
CVE-2025-20688 | Medium | 5.5 | — | 2025-07-08 | In wlan AP driver, there is a possible out of bounds read due to an incorrect bounds check. |
CVE-2025-20687 | Medium | 5.5 | — | 2025-07-08 | In Bluetooth driver, there is a possible out of bounds read due to an incorrect bounds check. |
Phoenix Contact · 13 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-25270 | Critical | 9.8 | — | 2025-07-08 | An unauthenticated remote attacker can alter the device configuration in a way to get remote code execution as root with specific configurations. |
CVE-2025-41668 | High | 8.8 | — | 2025-07-08 | A low privileged remote attacker with file access can replace a critical file or folder used by the service security-profile to get read, write and execute access to any file on the device. |
CVE-2025-41667 | High | 8.8 | — | 2025-07-08 | A low privileged remote attacker with file access can replace a critical file used by the arp-preinit script to get read, write and execute access to any file on the device. |
CVE-2025-41666 | High | 8.8 | — | 2025-07-08 | A low privileged remote attacker with file access can replace a critical file used by the watchdog to get read, write and execute access to any file on the device after the watchdog has been initialized. |
CVE-2025-25271 | High | 8.8 | — | 2025-07-08 | An unauthenticated adjacent attacker is able to configure a new OCPP backend, due to insecure defaults for the configuration interface. |
CVE-2025-25268 | High | 8.8 | — | 2025-07-08 | An unauthenticated adjacent attacker can modify configuration by sending specific requests to an API-endpoint resulting in read and write access due to missing authentication. |
CVE-2025-25269 | High | 8.4 | — | 2025-07-08 | An unauthenticated local attacker can inject a command that is subsequently executed as root, leading to a privilege escalation. |
CVE-2025-24003 | High | 8.2 | — | 2025-07-08 | An unauthenticated remote attacker can use MQTT messages to trigger out-of-bounds writes in charging stations complying with German Calibration Law, resulting in a loss of integrity for only EichrechtAgents and potential denial-of-service… |
CVE-2025-24006 | High | 7.8 | — | 2025-07-08 | A low privileged local attacker can leverage insecure permissions via SSH on the affected devices to escalate privileges to root. |
CVE-2025-24005 | High | 7.8 | — | 2025-07-08 | A local attacker with a local user account can leverage a vulnerable script via SSH to escalate privileges to root due to improper input validation. |
CVE-2025-41665 | Medium | 6.5 | — | 2025-07-08 | A low privileged remote attacker can enforce the watchdog of the affected devices to reboot the PLC due to incorrect default permissions of a config file. |
CVE-2025-24002 | Medium | 5.3 | — | 2025-07-08 | An unauthenticated remote attacker can use MQTT messages to crash a service on charging stations complying with German Calibration Law, resulting in a temporary denial-of-service for these stations until they are restarted by the watchdog. |
CVE-2025-24004 | Medium | 5.2 | — | 2025-07-08 | A physical attacker with access to the device display via USB-C can send a message to the device which triggers an unsecure copy to a buffer resulting in loss of integrity and a temporary denial-of-service for the stations until they got r… |
Apache · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-23048 | Critical | 9.1 | — | 2025-07-10 | In some mod_ssl configurations on Apache HTTP Server 2.4.35 through to 2.4.63, an access control bypass by trusted clients is possible using TLS 1.3 session resumption. |
CVE-2025-53506 | High | 7.5 | — | 2025-07-10 | Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. |
CVE-2025-52520 | High | 7.5 | — | 2025-07-10 | For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. |
CVE-2025-52434 | High | 7.5 | — | 2025-07-10 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. |
CVE-2025-53020 | High | 7.5 | — | 2025-07-10 | Late Release of Memory after Effective Lifetime vulnerability in Apache HTTP Server. |
CVE-2025-49630 | High | 7.5 | — | 2025-07-10 | In certain proxy configurations, a denial of service attack against Apache HTTP Server versions 2.4.26 through to 2.4.63 can be triggered by untrusted clients causing an assertion in mod_proxy_http2. |
CVE-2024-47252 | High | 7.5 | — | 2025-07-10 | Insufficient escaping of user-supplied data in mod_ssl in Apache HTTP Server 2.4.63 and earlier allows an untrusted SSL/TLS client to insert escape characters into log files in some configurations. |
CVE-2024-43204 | High | 7.5 | — | 2025-07-10 | SSRF in Apache HTTP Server with mod_proxy loaded allows an attacker to send outbound proxy requests to a URL controlled by the attacker. Requires an unlikely configuration where mod_headers is configured to modify the Content-Type request… |
CVE-2024-42516 | High | 7.5 | — | 2025-07-10 | HTTP response splitting in the core of Apache HTTP Server allows an attacker who can manipulate the Content-Type response headers of applications hosted or proxied by the server to split the HTTP response. |
CVE-2025-49812 | High | 7.4 | — | 2025-07-10 | In some mod_ssl configurations on Apache HTTP Server versions through to 2.4.63, an HTTP desynchronisation attack allows a man-in-the-middle attacker to hijack an HTTP session via a TLS upgrade. |
CVE-2025-48924 | Medium | 5.3 | — | 2025-07-11 | Uncontrolled Recursion vulnerability in Apache Commons Lang. |
Ivanti · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6996 | High | 8.4 | — | 2025-07-08 | Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords. |
CVE-2025-6995 | High | 8.4 | — | 2025-07-08 | Improper use of encryption in the agent of Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a local authenticated attacker to decrypt other users’ passwords. |
CVE-2025-6771 | High | 7.2 | — | 2025-07-08 | OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2, 12.4.0.3 and 12.3.0.3 allows a remote authenticated attacker with high privileges to achieve remote code execution. |
CVE-2025-7037 | High | 7.2 | — | 2025-07-08 | SQL injection in Ivanti Endpoint Manager before version 2024 SU3 and 2022 SU8 Security Update 1 allows a remote authenticated attacker with admin privileges to read arbitrary data from the database. |
CVE-2025-6770 | High | 7.2 | — | 2025-07-08 | OS command injection in Ivanti Endpoint Manager Mobile (EPMM) before version 12.5.0.2 allows a remote authenticated attacker with high privileges to achieve remote code execution. |
CVE-2025-0293 | Medium | 6.6 | — | 2025-07-08 | CRLF injection in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to write to a protected configuration file on disk. |
CVE-2025-5464 | Medium | 6.5 | — | 2025-07-08 | Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 allows a local authenticated attacker to obtain that information. |
CVE-2025-5450 | Medium | 6.3 | — | 2025-07-08 | Improper access control in the certificate management component of Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated admin with read-only rights to modify settings… |
CVE-2025-0292 | Medium | 5.5 | — | 2025-07-08 | SSRF in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to access internal network services. |
CVE-2025-5463 | Medium | 5.5 | — | 2025-07-08 | Insertion of sensitive information into a log file in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a local authenticated attacker to obtain that information. |
CVE-2025-5451 | Medium | 4.9 | — | 2025-07-08 | A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.8 and Ivanti Policy Secure before version 22.7R1.5 allows a remote authenticated attacker with admin rights to trigger a denial of service. |
Quiter · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-40717 | Critical | 9.8 | — | 2025-07-08 | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. |
CVE-2025-40716 | Critical | 9.8 | — | 2025-07-08 | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. |
CVE-2025-40715 | Critical | 9.8 | — | 2025-07-08 | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. |
CVE-2025-40714 | Critical | 9.8 | — | 2025-07-08 | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. |
CVE-2025-40713 | Critical | 9.8 | — | 2025-07-08 | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. |
CVE-2025-40712 | Critical | 9.8 | — | 2025-07-08 | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. |
CVE-2025-40711 | Critical | 9.8 | — | 2025-07-08 | SQL injection vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. |
CVE-2025-40718 | High | 7.5 | — | 2025-07-08 | Improper error handling vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. |
CVE-2025-40720 | Medium | 6.1 | — | 2025-07-08 | Reflected Cross-site Scripting (XSS) vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. |
CVE-2025-40719 | Medium | 6.1 | — | 2025-07-08 | Reflected Cross-site Scripting (XSS) vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. |
CVE-2025-40721 | Medium | 5.4 | — | 2025-07-08 | Reflected Cross-site Scripting (XSS) vulnerability in versions prior to 4.7.0 of Quiter Gateway by Quiter. |
Tenda · 11 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7434 | High | 8.8 | — | 2025-07-11 | A vulnerability was found in Tenda FH451 up to 1.0.0.9 and classified as critical. |
CVE-2025-7423 | High | 8.8 | — | 2025-07-11 | A vulnerability classified as critical was found in Tenda O3V2 1.0.0.12(3880). |
CVE-2025-7422 | High | 8.8 | — | 2025-07-11 | A vulnerability classified as critical has been found in Tenda O3V2 1.0.0.12(3880). |
CVE-2025-7421 | High | 8.8 | — | 2025-07-11 | A vulnerability was found in Tenda O3V2 1.0.0.12(3880). |
CVE-2025-7420 | High | 8.8 | — | 2025-07-11 | A vulnerability was found in Tenda O3V2 1.0.0.12(3880). |
CVE-2025-7419 | High | 8.8 | — | 2025-07-10 | A vulnerability was found in Tenda O3V2 1.0.0.12(3880). |
CVE-2025-7418 | High | 8.8 | — | 2025-07-10 | A vulnerability was found in Tenda O3V2 1.0.0.12(3880) and classified as critical. |
CVE-2025-7417 | High | 8.8 | — | 2025-07-10 | A vulnerability has been found in Tenda O3V2 1.0.0.12(3880) and classified as critical. |
CVE-2025-7416 | High | 8.8 | — | 2025-07-10 | A vulnerability, which was classified as critical, was found in Tenda O3V2 1.0.0.12(3880). |
CVE-2025-7415 | Medium | 6.3 | — | 2025-07-10 | A vulnerability, which was classified as critical, has been found in Tenda O3V2 1.0.0.12(3880). |
CVE-2025-7414 | Medium | 6.3 | — | 2025-07-10 | A vulnerability classified as critical was found in Tenda O3V2 1.0.0.12(3880). |
Advantech · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53515 | High | 8.8 | — | 2025-07-11 | A vulnerability exists in Advantech iView that allows for SQL injection and remote code execution through NetworkServlet.archiveTrap(). |
CVE-2025-53475 | High | 8.8 | — | 2025-07-11 | A vulnerability exists in Advantech iView that could allow for SQL injection and remote code execution through NetworkServlet.getNextTrapPage(). |
CVE-2025-52577 | High | 8.8 | — | 2025-07-11 | A vulnerability exists in Advantech iView that could allow SQL injection and remote code execution through NetworkServlet.archiveTrapRange(). |
CVE-2025-48891 | High | 7.6 | — | 2025-07-11 | A vulnerability exists in Advantech iView that could allow for SQL injection through the CUtils.checkSQLInjection() function. |
CVE-2025-53509 | Medium | 6.5 | — | 2025-07-11 | A vulnerability exists in Advantech iView that allows for argument injection in the NetworkServlet.restoreDatabase(). |
CVE-2025-52459 | Medium | 6.5 | — | 2025-07-11 | A vulnerability exists in Advantech iView that allows for argument injection in NetworkServlet.backupDatabase(). |
CVE-2025-53519 | Medium | 5.4 | — | 2025-07-11 | A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. |
CVE-2025-53397 | Medium | 5.4 | — | 2025-07-11 | A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. |
CVE-2025-41442 | Medium | 5.4 | — | 2025-07-11 | A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. |
CVE-2025-46704 | Medium | 4.3 | — | 2025-07-11 | A vulnerability exists in Advantech iView in NetworkServlet.processImportRequest() that could allow for a directory traversal attack. |
Anisha · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7459 | High | 7.3 | — | 2025-07-11 | A vulnerability classified as critical was found in code-projects Mobile Shop 1.0. |
CVE-2025-7411 | High | 7.3 | — | 2025-07-10 | A vulnerability was found in code-projects LifeStyle Store 1.0. |
CVE-2025-7410 | High | 7.3 | — | 2025-07-10 | A vulnerability was found in code-projects LifeStyle Store 1.0. |
CVE-2025-7409 | High | 7.3 | — | 2025-07-10 | A vulnerability was found in code-projects Mobile Shop 1.0 and classified as critical. |
CVE-2025-7211 | High | 7.3 | — | 2025-07-09 | A vulnerability was found in code-projects LifeStyle Store 1.0. |
CVE-2025-7198 | High | 7.3 | — | 2025-07-08 | A vulnerability classified as critical was found in code-projects Jonnys Liquor 1.0. |
CVE-2025-7197 | High | 7.3 | — | 2025-07-08 | A vulnerability classified as critical has been found in code-projects Jonnys Liquor 1.0. |
CVE-2025-7196 | High | 7.3 | — | 2025-07-08 | A vulnerability was found in code-projects Jonnys Liquor 1.0. |
CVE-2025-7157 | High | 7.3 | — | 2025-07-08 | A vulnerability was found in code-projects Online Note Sharing 1.0. |
CVE-2025-7124 | Medium | 6.3 | — | 2025-07-07 | A vulnerability classified as critical has been found in code-projects Online Note Sharing 1.0. |
Ibm · 10 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-36014 | High | 8.2 | — | 2025-07-07 | IBM Integration Bus for z/OS 10.1.0.0 through 10.1.0.5 is vulnerable to code injection by a privileged user with access to the IIB install directory. |
CVE-2024-56468 | High | 7.5 | — | 2025-07-08 | IBM InfoSphere Data Replication VSAM for z/OS Remote Source 11.4 could allow a remote user to cause a denial of service by sending an invalid HTTP request to the log reading service. |
CVE-2024-39752 | Medium | 6.8 | — | 2025-07-10 | IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 could be vulnerable to malicious file upload by not validating the type of file uploaded to Explore Content. |
CVE-2024-38327 | Medium | 6.8 | — | 2025-07-10 | IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 is vulnerable to information exposure and further attacks due to an exposed JavaScript source map which could assist an attacker to read and debug JavaScript used in the application's API. |
CVE-2025-1351 | Medium | 6.7 | — | 2025-07-07 | IBM Storage Virtualize 8.5, 8.6, and 8.7 products could allow a user to escalate their privileges to that of another user logging in at the same time due to a race condition in the login function. |
CVE-2025-3631 | Medium | 6.5 | — | 2025-07-11 | An IBM MQ 9.3 and 9.4 Client connecting to an MQ Queue Manager can cause a SIGSEGV in the AMQRMPPA channel process terminating it. |
CVE-2024-43190 | Medium | 5.9 | — | 2025-07-07 | IBM Engineering Requirements Management DOORS 9.7.2.9, under certain configurations, could allow a remote attacker to obtain password reset instructions of a legitimate user using man in the middle techniques. |
CVE-2024-37524 | Medium | 5.3 | — | 2025-07-10 | IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. |
CVE-2025-36090 | Medium | 4.3 | — | 2025-07-10 | IBM Analytics Content Hub 2.0, 2.1, 2.2, and 2.3 could allow a remote attacker to obtain information about the application framework which could be used in reconnaissance to gather information for future attacks from a detailed technical e… |
CVE-2025-2670 | Medium | 4.3 | — | 2025-07-09 | IBM OpenPages 9.0 is vulnerable to information disclosure of sensitive information due to a weaker than expected security for certain REST end points related to workflow feature of OpenPages. |
Phpgurukul · 9 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7176 | High | 7.3 | — | 2025-07-08 | A vulnerability was found in PHPGurukul Hospital Management System 1.0. |
CVE-2025-7160 | High | 7.3 | — | 2025-07-08 | A vulnerability classified as critical has been found in PHPGurukul Zoo Management System 2.1. |
CVE-2025-7155 | High | 7.3 | — | 2025-07-08 | A vulnerability, which was classified as critical, was found in PHPGurukul Online Notes Sharing System 1.0. |
CVE-2025-7163 | Medium | 6.3 | — | 2025-07-08 | A vulnerability, which was classified as critical, was found in PHPGurukul Zoo Management System 2.1. |
CVE-2025-7162 | Medium | 6.3 | — | 2025-07-08 | A vulnerability, which was classified as critical, has been found in PHPGurukul Zoo Management System 2.1. |
CVE-2025-7161 | Medium | 6.3 | — | 2025-07-08 | A vulnerability classified as critical was found in PHPGurukul Zoo Management System 2.1. |
CVE-2025-7159 | Medium | 6.3 | — | 2025-07-08 | A vulnerability was found in PHPGurukul Zoo Management System 2.1. |
CVE-2025-7158 | Medium | 6.3 | — | 2025-07-08 | A vulnerability was found in PHPGurukul Zoo Management System 2.1. |
CVE-2025-7177 | Medium | 4.7 | — | 2025-07-08 | A vulnerability was found in PHPGurukul Car Washing Management System 1.0. |
Mayurik · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7138 | Medium | 6.3 | — | 2025-07-07 | A vulnerability was found in SourceCodester Best Salon Management System 1.0. |
CVE-2025-7137 | Medium | 6.3 | — | 2025-07-07 | A vulnerability was found in SourceCodester Best Salon Management System 1.0. |
CVE-2025-7144 | Low | 2.4 | — | 2025-07-07 | A vulnerability has been found in SourceCodester Best Salon Management System 1.0 and classified as problematic. |
CVE-2025-7143 | Low | 2.4 | — | 2025-07-07 | A vulnerability, which was classified as problematic, was found in SourceCodester Best Salon Management System 1.0. |
CVE-2025-7142 | Low | 2.4 | — | 2025-07-07 | A vulnerability, which was classified as problematic, has been found in SourceCodester Best Salon Management System 1.0. |
CVE-2025-7141 | Low | 2.4 | — | 2025-07-07 | A vulnerability classified as problematic was found in SourceCodester Best Salon Management System 1.0. |
CVE-2025-7140 | Low | 2.4 | — | 2025-07-07 | A vulnerability classified as problematic has been found in SourceCodester Best Salon Management System 1.0. |
CVE-2025-7139 | Low | 2.4 | — | 2025-07-07 | A vulnerability was found in SourceCodester Best Salon Management System 1.0. |
Splunk · 8 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-20319 | Medium | 6.8 | — | 2025-07-07 | In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability, could perform a remote command execution due to imprope… |
CVE-2025-20321 | Medium | 6.5 | — | 2025-07-07 | In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could chang… |
CVE-2025-20320 | Medium | 6.3 | — | 2025-07-07 | In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could c… |
CVE-2025-20324 | Medium | 5.4 | — | 2025-07-07 | In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could c… |
CVE-2025-20323 | Medium | 4.3 | — | 2025-07-07 | In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the "admin" or "power" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver applicat… |
CVE-2025-20322 | Medium | 4.3 | — | 2025-07-07 | In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that… |
CVE-2025-20300 | Medium | 4.3 | — | 2025-07-07 | In Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.6, and 9.1.9 and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.112, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles, and has… |
CVE-2025-20325 | Low | 3.1 | — | 2025-07-07 | In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster [splunk.secret](https://he… |
Labredescefetrj · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53529 | Critical | 9.8 | — | 2025-07-07 | WeGIA is a web manager for charitable institutions. |
CVE-2025-53527 | Critical | 9.8 | — | 2025-07-07 | WeGIA is a web manager for charitable institutions. |
CVE-2025-53531 | High | 7.5 | — | 2025-07-07 | WeGIA is a web manager for charitable institutions. |
CVE-2025-53530 | High | 7.5 | — | 2025-07-07 | WeGIA is a web manager for charitable institutions. |
CVE-2025-53526 | Medium | 6.1 | — | 2025-07-07 | WeGIA is a web manager for charitable institutions. |
CVE-2025-53525 | Medium | 6.1 | — | 2025-07-07 | WeGIA is a web manager for charitable institutions. |
CVE-2025-53377 | Medium | 6.1 | — | 2025-07-07 | WeGIA is a web manager for charitable institutions. |
Llamaindex · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6209 | High | 7.5 | — | 2025-07-07 | A path traversal vulnerability exists in run-llama/llama_index versions 0.12.27 through 0.12.40, specifically within the `encode_image` function in `generic_utils.py`. |
CVE-2025-3225 | High | 7.5 | — | 2025-07-07 | An XML Entity Expansion vulnerability, also known as a 'billion laughs' attack, exists in the sitemap parser of the run-llama/llama_index repository, specifically affecting version v0.12.21. |
CVE-2025-3046 | High | 7.5 | — | 2025-07-07 | A vulnerability in the `ObsidianReader` class of the run-llama/llama_index repository, versions 0.12.23 to 0.12.28, allows for arbitrary file read through symbolic links. |
CVE-2025-6211 | Medium | 6.5 | — | 2025-07-10 | A vulnerability in the DocugamiReader class of the run-llama/llama_index repository, up to version 0.12.28, involves the use of MD5 hashing to generate IDs for document chunks. |
CVE-2025-5472 | Medium | 6.5 | — | 2025-07-07 | The JSONReader in run-llama/llama_index versions 0.12.28 is vulnerable to a stack overflow due to uncontrolled recursive JSON parsing. |
CVE-2025-6210 | Medium | 6.2 | — | 2025-07-07 | A vulnerability in the ObsidianReader class of the run-llama/llama_index repository, specifically in version 0.12.27, allows for hardlink-based path traversal. |
CVE-2025-3044 | Medium | 5.3 | — | 2025-07-07 | A vulnerability in the ArxivReader class of the run-llama/llama_index repository, versions up to v0.12.22.post1, allows for MD5 hash collisions when generating filenames for downloaded papers. |
Schneider Electric · 7 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6788 | — | — | — | 2025-07-11 | A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes TGML diagram resources to the wrong control sphere, providing other authenticated users with potentially inappropriate access to TGML diagrams. |
CVE-2025-50125 | — | — | — | 2025-07-11 | A CWE-918: Server-Side Request Forgery (SSRF) vulnerability exists that could cause unauthenticated remote code execution when the server is accessed via the network with knowledge of hidden URLs and manipulation of host request header. |
CVE-2025-50124 | — | — | — | 2025-07-11 | A CWE-269: Improper Privilege Management vulnerability exists that could cause privilege escalation when the server is accessed by a privileged account via a console and through exploitation of a setup script. |
CVE-2025-50123 | — | — | — | 2025-07-11 | A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote command execution by a privileged account when the server is accessed via a console and through exploitation of the hostname… |
CVE-2025-50122 | — | — | — | 2025-07-11 | A CWE-331: Insufficient Entropy vulnerability exists that could cause root password discovery when the password generation algorithm is reverse engineered with access to installation or upgrade artifacts. |
CVE-2025-50121 | — | — | — | 2025-07-11 | A CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could cause unauthenticated remote code execution when a malicious folder is created over the web interface HTTP… |
CVE-2025-6438 | — | — | — | 2025-07-11 | A CWE-611: Improper Restriction of XML External Entity Reference vulnerability exists that could cause manipulation of SOAP API calls and XML external entities injection resulting in unauthorized file access when the server is acces… |
Honeywell · 6 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2523 | Critical | 9.4 | — | 2025-07-10 | The Honeywell Experion PKS and OneWireless WDM contain an Integer Underflow vulnerability in the component Control Data Access (CDA). |
CVE-2025-2521 | High | 8.6 | — | 2025-07-10 | The Honeywell Experion PKS and OneWireless WDM contain a Memory Buffer vulnerability in the component Control Data Access (CDA). |
CVE-2025-3947 | High | 8.2 | — | 2025-07-10 | The Honeywell Experion PKS contains an Integer Underflow vulnerability in the component Control Data Access (CDA). |
CVE-2025-3946 | High | 8.2 | — | 2025-07-10 | The Honeywell Experion PKS and OneWireless WDM contain a Deployment of Wrong Handler vulnerability in the component Control Data Access (CDA). |
CVE-2025-2520 | High | 7.5 | — | 2025-07-10 | The Honeywell Experion PKS contains an Uninitialized Variable in the common Epic Platform Analyzer (EPA) communications. |
CVE-2025-2522 | Medium | 6.5 | — | 2025-07-10 | The Honeywell Experion PKS and OneWireless WDM contain a Sensitive Information in Resource vulnerability in the component Control Data Access (CDA). |
Boyuncms_project · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7103 | Medium | 6.3 | — | 2025-07-07 | A vulnerability was found in BoyunCMS up to 1.4.20. |
CVE-2025-7102 | Medium | 6.3 | — | 2025-07-07 | A vulnerability was found in BoyunCMS up to 1.4.20. |
CVE-2025-7101 | Medium | 6.3 | — | 2025-07-07 | A vulnerability was found in BoyunCMS up to 1.4.20. |
CVE-2025-7100 | Medium | 6.3 | — | 2025-07-07 | A vulnerability was found in BoyunCMS up to 1.4.20 and classified as critical. |
CVE-2025-7099 | Medium | 5.6 | — | 2025-07-07 | A vulnerability has been found in BoyunCMS up to 1.21 on PHP7 and classified as critical. |
Broadcom · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-24508 | Medium | 6.4 | — | 2025-07-07 | Extraction of Account Connectivity Credentials (ACCs) from the IT Management Agent secure storage. |
CVE-2025-4663 | Medium | 4.9 | — | 2025-07-08 | An Improper Check for Unusual or Exceptional Conditions vulnerability in Brocade Fabric OS before 9.2.2.a could allow an authenticated, network-based attacker to cause a Denial-of-Service (DoS). |
CVE-2025-6392 | Medium | 4.4 | — | 2025-07-10 | Brocade SANnav before Brocade SANnav 2.4.0a could log database passwords in clear text in audit logs when the daily data dump collector invokes docker exec commands. |
CVE-2025-6390 | Medium | 4.4 | — | 2025-07-10 | Brocade SANnav before SANnav 2.4.0a logs passwords and pbe keys in the Brocade SANnav server audit logs after installation and under specific conditions. |
CVE-2025-4662 | Medium | 4.4 | — | 2025-07-10 | Brocade SANnav before SANnav 2.4.0a logs plaintext passphrases in the Brocade SANnav host server audit logs while executing OpenSSL command using a passphrase from the command line or while providing the passphrase through a temporary file. |
Emerson · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-52579 | Critical | 9.4 | — | 2025-07-11 | Emerson ValveLink Products store sensitive information in cleartext in memory. |
CVE-2025-50109 | High | 7.7 | — | 2025-07-11 | Emerson ValveLink Products store sensitive information in cleartext within a resource that might be accessible to another control sphere. |
CVE-2025-46358 | High | 7.7 | — | 2025-07-11 | Emerson ValveLink products do not use, or incorrectly use, a protection mechanism that provides sufficient defense against directed attacks against the product. |
CVE-2025-53471 | Medium | 5.1 | — | 2025-07-11 | Emerson ValveLink products receive input or data but do not validate, or incorrectly validate, that the input has the properties required to process the data safely and correctly. |
CVE-2025-48496 | Medium | 5.1 | — | 2025-07-11 | Emerson ValveLink products use a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors. |
Huggingface · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3262 | High | 7.5 | — | 2025-07-07 | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the huggingface/transformers repository, specifically in version 4.49.0. |
CVE-2025-3933 | Medium | 5.3 | — | 2025-07-11 | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. |
CVE-2025-3264 | Medium | 5.3 | — | 2025-07-07 | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. |
CVE-2025-3263 | Medium | 5.3 | — | 2025-07-07 | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. |
CVE-2025-3777 | Low | 3.5 | — | 2025-07-07 | Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. |
Mongodb · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6713 | High | 7.7 | — | 2025-07-07 | An unauthorized user may leverage a specially crafted aggregation pipeline to access data without proper authorization due to improper handling of the $mergeCursors stage in MongoDB Server. |
CVE-2025-6714 | High | 7.5 | — | 2025-07-07 | MongoDB Server's mongos component can become unresponsive to new connections due to incorrect handling of incomplete data. |
CVE-2025-7259 | Medium | 6.5 | — | 2025-07-07 | An authorized user can issue queries with duplicate _id fields, which leads to unexpected behavior in MongoDB Server and may result in a crash. |
CVE-2025-6712 | Medium | 6.5 | — | 2025-07-07 | MongoDB Server may be susceptible to disruption caused by high memory usage, potentially leading to server crash. |
CVE-2025-6711 | Medium | 4.4 | — | 2025-07-07 | An issue has been identified in MongoDB Server where unredacted queries may inadvertently appear in server logs when certain error conditions are encountered. |
Portabilis · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7113 | Low | 3.5 | — | 2025-07-07 | A vulnerability was found in Portabilis i-Educar 2.9.0. |
CVE-2025-7112 | Low | 3.5 | — | 2025-07-07 | A vulnerability was found in Portabilis i-Educar 2.9.0 and classified as problematic. |
CVE-2025-7111 | Low | 3.5 | — | 2025-07-07 | A vulnerability has been found in Portabilis i-Educar 2.9.0 and classified as problematic. |
CVE-2025-7110 | Low | 3.5 | — | 2025-07-07 | A vulnerability, which was classified as problematic, was found in Portabilis i-Educar 2.9.0. |
CVE-2025-7109 | Low | 3.5 | — | 2025-07-07 | A vulnerability, which was classified as problematic, has been found in Portabilis i-Educar 2.9.0. |
Radiflow · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3499 | Critical | 10.0 | — | 2025-07-09 | The device has two web servers that expose unauthenticated REST APIs on the management network (TCP ports 8084 and 8086). |
CVE-2025-3498 | Critical | 9.9 | — | 2025-07-09 | An unauthenticated user with management network access can get and modify the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) configuration. |
CVE-2025-3497 | High | 8.7 | — | 2025-07-09 | The Linux distribution underlying the Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) is obsolete and reached end of life (EOL) on June 30, 2024. |
CVE-2025-27028 | Medium | 6.8 | — | 2025-07-09 | The Linux deprivileged user vpuser in Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) can read the entire file system content, including files belonging to other users and having restricted access (like, for example, the root password… |
CVE-2025-27027 | Medium | 4.1 | — | 2025-07-09 | A user with vpuser credentials that opens an SSH connection to the device, gets a restricted shell rbash that allows only a small list of allowed commands. |
Red Hat · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7345 | High | 7.5 | — | 2025-07-08 | A flaw exists in gdk‑pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). |
CVE-2025-7365 | High | 7.1 | — | 2025-07-10 | A flaw was found in Keycloak. |
CVE-2025-6395 | Medium | 6.5 | — | 2025-07-10 | A NULL pointer dereference flaw was found in the GnuTLS software in _gnutls_figure_common_ciphersuite(). |
CVE-2025-53862 | Low | 3.5 | — | 2025-07-11 | A flaw was found in Ansible. |
CVE-2025-53861 | Low | 3.1 | — | 2025-07-11 | A flaw was found in Ansible. |
Zoom · 5 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-46788 | High | 7.4 | — | 2025-07-10 | Improper certificate validation in Zoom Workplace for Linux before version 6.4.13 may allow an unauthorized user to conduct an information disclosure via network access. |
CVE-2025-49464 | Medium | 6.5 | — | 2025-07-10 | Classic buffer overflow in certain Zoom Clients for Windows may allow an authorised user to conduct a denial of service via network access. |
CVE-2025-49463 | Medium | 6.5 | — | 2025-07-10 | Insufficient control flow management in certain Zoom Clients for iOS before version 6.4.5 may allow an unauthenticated user to conduct a disclosure of information via network access. |
CVE-2025-46789 | Medium | 6.5 | — | 2025-07-10 | Classic buffer overflow in certain Zoom Clients for Windows may allow an authorized user to conduct a denial of service via network access. |
CVE-2025-49462 | Low | 3.5 | — | 2025-07-10 | Cross-site scripting in certain Zoom Clients before version 6.4.5 may allow an authenticated user to conduct a disclosure of information via network access. |
Amd · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-36357 | Medium | 5.6 | — | 2025-07-08 | A transient execution vulnerability in some AMD processors may allow an attacker to infer data in the L1D cache, potentially resulting in the leakage of sensitive information across privileged boundaries. |
CVE-2024-36350 | Medium | 5.6 | — | 2025-07-08 | A transient execution vulnerability in some AMD processors may allow an attacker to infer data from previous stores, potentially resulting in the leakage of privileged information. |
CVE-2024-36349 | Low | 3.8 | — | 2025-07-08 | A transient execution vulnerability in some AMD processors may allow a user process to infer TSC_AUX even when such a read is disabled, potentially resulting in information leakage. |
CVE-2024-36348 | Low | 3.8 | — | 2025-07-08 | A transient execution vulnerability in some AMD processors may allow a user process to infer the control registers speculatively even if UMIP feature is enabled, potentially resulting in information leakage. |
Axis · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30026 | Critical | 9.8 | — | 2025-07-11 | The AXIS Camera Station Server had a flaw that allowed to bypass authentication that is normally required. |
CVE-2025-30023 | Critical | 9.0 | — | 2025-07-11 | The communication protocol used between client and server had a flaw that could lead to an authenticated user performing a remote code execution attack. |
CVE-2025-30025 | High | 7.8 | — | 2025-07-11 | The communication protocol used between the server process and the service control had a flaw that could lead to a local privilege escalation. |
CVE-2025-30024 | Medium | 6.8 | — | 2025-07-11 | The communication protocol used between client and server had a flaw that could be leveraged to execute a man in the middle attack. |
Codeastro · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7147 | High | 7.3 | — | 2025-07-07 | A vulnerability has been found in CodeAstro Patient Record Management System 1.0 and classified as critical. |
CVE-2025-7133 | Medium | 4.3 | — | 2025-07-07 | A vulnerability classified as problematic has been found in CodeAstro Online Movie Ticket Booking System 1.0. |
CVE-2025-7153 | Low | 3.5 | — | 2025-07-08 | A vulnerability classified as problematic was found in CodeAstro Simple Hospital Management System 1.0. |
CVE-2025-7148 | Low | 3.5 | — | 2025-07-07 | A vulnerability was found in CodeAstro Simple Hospital Management System 1.0 and classified as problematic. |
Gigabyte · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7029 | High | 8.2 | — | 2025-07-11 | A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used to derive pointers (OcHeader, OcData) passed into power and thermal configuration logic. |
CVE-2025-7027 | High | 8.2 | — | 2025-07-11 | A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control both the read and write addresses used by the CommandRcx1 function. |
CVE-2025-7026 | High | 8.2 | — | 2025-07-11 | A vulnerability in the Software SMI handler (SwSmiInputValue 0xB2) allows a local attacker to control the RBX register, which is used as an unchecked pointer in the CommandRcx0 function. |
CVE-2025-7028 | High | 7.8 | — | 2025-07-11 | A vulnerability in the Software SMI handler (SwSmiInputValue 0x20) allows a local attacker to supply a crafted pointer (FuncBlock) through RBX and RCX register values. |
Gitlab · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6948 | High | 8.7 | — | 2025-07-10 | An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf… |
CVE-2025-3396 | Medium | 4.3 | — | 2025-07-10 | An issue has been discovered in GitLab EE affecting all versions from 13.3 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that could have allowed authenticated project owners to bypass group-level forking restrictions by manipu… |
CVE-2025-6168 | Low | 2.7 | — | 2025-07-10 | An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated maintainers to bypass group-level user invitation restrictions by sending crafted API req… |
CVE-2025-4972 | Low | 2.7 | — | 2025-07-10 | An issue has been discovered in GitLab EE affecting all versions from 18.0 before 18.0.4 and 18.1 before 18.1.2 that could have allowed authenticated users with invitation privileges to bypass group-level user invitation restrictions by ma… |
Gnu · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-32990 | Medium | 6.5 | — | 2025-07-10 | A heap-buffer-overflow (off-by-one) flaw was found in the GnuTLS software in the template parsing logic within the certtool utility. |
CVE-2025-32988 | Medium | 6.5 | — | 2025-07-10 | A flaw was found in GnuTLS. |
CVE-2025-32989 | Medium | 5.3 | — | 2025-07-10 | A heap-buffer-overread vulnerability was found in GnuTLS in how it handles the Certificate Transparency (CT) Signed Certificate Timestamp (SCT) extension during X.509 certificate parsing. |
CVE-2025-45582 | Medium | 4.1 | — | 2025-07-11 | GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. |
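CVE-2025-45582 in the row above describes file overwrite by directory traversal in a crafted archive through a two-step process. The Python below is an added example, not GNU Tar's code and not the reporter's proof of concept: an extraction checker that rejects the member shapes behind this class of bug, in particular a symlink member that points outside the destination (step one) and a later file member whose path passes through a symlink already on disk (step two). That two-step interpretation is an assumption about the pattern, stated here because the summary does not spell it out; the archives are constructed in memory and nothing is written outside a scratch directory.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile


def _inside(dest: str, resolved: str) -> bool:
    """True when an already-resolved path is dest itself or below it."""
    dest = os.path.realpath(dest)
    return resolved == dest or resolved.startswith(dest + os.sep)


def check_member(dest: str, member: tarfile.TarInfo) -> str | None:
    """Return a rejection reason for an unsafe member, or None if it is safe.

    The destination is inspected as it exists right now, so a symlink planted
    by an earlier archive (step one) is caught when a later archive tries to
    write through it (step two).
    """
    name = member.name
    if os.path.isabs(name):
        return "absolute path"
    if ".." in name.split("/"):
        return "parent-directory component"
    target = os.path.join(dest, name)
    # realpath follows symlinks that already exist on disk, so a name that
    # passes through a planted link resolves to wherever the link points.
    resolved = os.path.realpath(target)
    if not _inside(dest, resolved):
        return f"resolves outside destination: {resolved}"
    if member.issym() or member.islnk():
        # symlink targets are relative to the link's own directory; hard-link
        # targets are archive paths relative to the destination root
        base = os.path.dirname(target) if member.issym() else dest
        link_resolved = os.path.realpath(os.path.join(base, member.linkname))
        if not _inside(dest, link_resolved):
            return f"link escapes destination: {link_resolved}"
    elif not (member.isfile() or member.isdir()):
        return "special file"
    return None


def safe_extract(data: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract an in-memory tar into dest; return (extracted, rejected)."""
    extracted: list[str] = []
    rejected: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
        for m in tf:
            reason = check_member(dest, m)
            if reason is not None:
                rejected.append(f"{m.name}: {reason}")
                continue
            out = os.path.join(dest, m.name)
            os.makedirs(os.path.dirname(out), exist_ok=True)
            if m.isdir():
                os.makedirs(out, exist_ok=True)
            elif m.issym():
                os.symlink(m.linkname, out)
            elif m.islnk():
                os.link(os.path.join(dest, m.linkname), out)
            else:
                with tf.extractfile(m) as src, open(out, "wb") as dst:
                    dst.write(src.read())
            extracted.append(m.name)
    return extracted, rejected


def build_tar(entries: list[tuple[str, str, bytes | str]]) -> bytes:
    """Build a tar in memory from (name, 'file' | 'symlink', payload) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:") as tf:
        for name, kind, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tf.addfile(info)
            else:
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def demo() -> dict[str, list[str]]:
    """Run the checker over constructed archives; return the rejection lists."""
    results: dict[str, list[str]] = {}
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "extract")
        os.mkdir(dest)
        # benign: a file plus a symlink that stays inside the destination
        benign = build_tar([("docs/readme.txt", "file", b"hello\n"),
                            ("docs/latest", "symlink", "readme.txt")])
        results["benign"] = safe_extract(benign, dest)[1]
        # step one: plant a symlink to the parent directory
        results["step1"] = safe_extract(build_tar([("lnk", "symlink", "..")]), dest)[1]
        # step two against a link already on disk (planted by any other means):
        # a file whose relative name begins with the link name
        os.symlink("..", os.path.join(dest, "lnk"))
        results["step2"] = safe_extract(build_tar([("lnk/owned.txt", "file", b"x")]), dest)[1]
        # the classic single-step ../ traversal
        results["classic"] = safe_extract(build_tar([("../escape.txt", "file", b"x")]), dest)[1]
        # nothing may have landed beside the destination directory
        results["outside"] = sorted(os.listdir(root))
    return results


if __name__ == "__main__":
    for case, rejected in demo().items():
        print(case, rejected)
```

The benign archive extracts cleanly; the three hostile ones are rejected before any write, and the scratch root still contains only the `extract` directory afterwards. The point of checking against the on-disk state rather than the archive alone is exactly the two-step case: the second archive looks harmless in isolation.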
Google · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-20695 | Medium | 6.5 | — | 2025-07-08 | In Bluetooth FW, there is a possible system crash due to an uncaught exception. |
CVE-2025-20694 | Medium | 6.5 | — | 2025-07-08 | In Bluetooth FW, there is a possible system crash due to an uncaught exception. |
CVE-2025-20693 | Medium | 6.5 | — | 2025-07-08 | In wlan STA driver, there is a possible out of bounds read due to an incorrect bounds check. |
CVE-2025-6044 | Medium | 6.1 | — | 2025-07-07 | An Improper Access Control vulnerability in the Stylus Tools component of Google ChromeOS version 16238.64.0 on the garaged stylus devices allows a physical attacker to bypass the lock screen and access user files by removing the stylus wh… |
J6t · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-46334 | High | 8.6 | — | 2025-07-10 | Git GUI allows you to use the Git source control management tools via a GUI. |
CVE-2025-27614 | High | 8.6 | — | 2025-07-10 | Gitk is a Tcl/Tk based Git history browser. |
CVE-2025-46835 | High | 8.5 | — | 2025-07-10 | Git GUI allows you to use the Git source control management tools via a GUI. |
CVE-2025-27613 | Low | 3.6 | — | 2025-07-10 | Gitk is a Tcl/Tk based Git history browser. |
Wftpserver · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-47812 | Critical | 10.0 | KEV | 2025-07-10 | In Wing FTP Server before 7.4.4. |
CVE-2025-47813 | Medium | 4.3 | KEV | 2025-07-10 | loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie. |
CVE-2025-47811 | Medium | 4.1 | — | 2025-07-10 | In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. |
CVE-2025-27889 | Low | 3.4 | — | 2025-07-10 | Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. |
Xtemos · 4 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6746 | High | 8.8 | — | 2025-07-08 | The WoodMart plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.2.3 via the 'layout' attribute. |
CVE-2025-6744 | High | 7.3 | — | 2025-07-08 | The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. |
CVE-2025-6743 | Medium | 6.4 | — | 2025-07-08 | The Woodmart theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'multiple_markers' attribute in all versions up to, and including, 8.2.3 due to insufficient input sanitization and output escaping on user supp… |
CVE-2025-6745 | Medium | 5.3 | — | 2025-07-11 | The WoodMart plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 8.2.5 via the woodmart_get_posts_by_query() function due to insufficient restrictions on which posts can be included. |
Alteryx · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-28244 | High | 8.8 | — | 2025-07-10 | Insecure Permissions vulnerability in the Local Storage in Alteryx Server 2023.1.1.460 allows remote attackers to obtain valid user session tokens from localStorage, leading to account takeover |
CVE-2025-28243 | High | 8.0 | — | 2025-07-10 | An issue in Alteryx Server v.2023.1.1.460 allows HTML injection via a crafted script to the pages component. |
CVE-2025-28245 | Medium | 6.1 | — | 2025-07-10 | Cross-site scripting (XSS) vulnerability in Alteryx Server 2023.1.1.460 allows remote attackers to inject arbitrary web script or HTML via the notification body. |
Canonical · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0928 | High | 8.8 | — | 2025-07-08 | In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. |
CVE-2025-53513 | High | 8.8 | — | 2025-07-08 | The /charms endpoint on a Juju controller lacked sufficient authorization checks, allowing any user with an account on the controller to upload a charm. |
CVE-2025-53512 | Medium | 6.5 | — | 2025-07-08 | The /log endpoint on a Juju controller lacked sufficient authorization checks, allowing unauthorized users to access debug messages that could contain sensitive information. |
Clivedelacruz · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7126 | Medium | 6.3 | — | 2025-07-07 | A vulnerability, which was classified as critical, has been found in itsourcecode Employee Management System up to 1.0. |
CVE-2025-7125 | Medium | 6.3 | — | 2025-07-07 | A vulnerability classified as critical was found in itsourcecode Employee Management System up to 1.0. |
CVE-2025-7127 | Medium | 4.7 | — | 2025-07-07 | A vulnerability, which was classified as critical, was found in itsourcecode Employee Management System up to 1.0. |
Ctfer-io · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53633 | Critical | 9.8 | — | 2025-07-10 | Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. |
CVE-2025-53632 | Critical | 9.1 | — | 2025-07-10 | Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. |
CVE-2025-53634 | High | 7.5 | — | 2025-07-10 | Chall-Manager is a platform-agnostic system able to start Challenges on Demand of a player. |
D-link · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7206 | Critical | 9.8 | — | 2025-07-09 | A vulnerability, which was classified as critical, has been found in D-Link DIR-825 2.10. |
CVE-2025-7194 | High | 8.8 | — | 2025-07-08 | A vulnerability was found in D-Link DI-500WF 17.04.10A1T. |
CVE-2025-7192 | Medium | 6.3 | — | 2025-07-08 | A vulnerability was found in D-Link DIR-645 up to 1.05B01 and classified as critical. |
Dokploy · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53376 | High | 8.8 | — | 2025-07-07 | Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. |
CVE-2025-53375 | Medium | 6.5 | — | 2025-07-07 | Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. |
CVE-2025-53374 | Medium | 4.3 | — | 2025-07-07 | Dokploy is a self-hostable Platform as a Service (PaaS) that simplifies the deployment and management of applications and databases. |
Fnkvision · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7213 | Medium | 6.4 | — | 2025-07-09 | A vulnerability classified as critical has been found in FNKvision FNK-GU2 up to 40.1.7. |
CVE-2025-7215 | Low | 1.6 | — | 2025-07-09 | A vulnerability, which was classified as problematic, has been found in FNKvision FNK-GU2 up to 40.1.7. |
CVE-2025-7214 | Low | 1.6 | — | 2025-07-09 | A vulnerability classified as problematic was found in FNKvision FNK-GU2 up to 40.1.7. |
Fortinet · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-52965 | High | 7.2 | — | 2025-07-08 | A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8… |
CVE-2024-55599 | Medium | 5.3 | — | 2025-07-08 | An Improperly Implemented Security Check for Standard vulnerability [CWE-358] in FortiOS version 7.6.0, version 7.4.7 and below, 7.0 all versions, 6.4 all versions and FortiProxy version 7.6.1 and below, version 7.4.8 and below, 7.2 all ve… |
CVE-2025-24474 | Low | 2.7 | — | 2025-07-08 | An Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability [CWE-89] in FortiManager 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2 all versions, 7.0 all versions, 6.4 all versions; FortiManager Clo… |
Gallagher · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-35983 | Medium | 6.5 | — | 2025-07-10 | Improper Certificate Validation (CWE-295) in the Controller 7000 OneLink implementation could allow an unprivileged attacker to perform a limited denial of service or perform privileged overrides during the initial configuration of the Con… |
CVE-2025-46406 | Medium | 5.6 | — | 2025-07-10 | A Privilege Context Switching Error (CWE-270) in the Command Center Server could allow a privileged Operator with high level access in one Division to perform limited privileged activities across the Division boundary. |
CVE-2025-44003 | Medium | 4.3 | — | 2025-07-10 | Missing Release of Resource after Effective Lifetime (CWE-772) in the Gallagher T-Series Reader allows an attacker with physical access to the reader to perform a limited denial of service when 125 kHz Card Technology is enabled. |
Luajit · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-25176 | Critical | 9.8 | — | 2025-07-07 | LuaJIT through 2.1 and OpenResty luajit2 before v2.1-20240626 have a stack-buffer-overflow in lj_strfmt_wfnum in lj_strfmt_num.c. |
CVE-2024-25178 | Critical | 9.1 | — | 2025-07-07 | LuaJIT through 2.1 and OpenResty luajit2 before v2.1-20240314 have an out-of-bounds read in the stack-overflow handler in lj_state.c. |
CVE-2024-25177 | High | 7.5 | — | 2025-07-07 | LuaJIT through 2.1 and OpenResty luajit2 before v2.1-20240314 have an unsinking of IR_FSTORE for NULL metatable, which leads to Denial of Service (DoS). |
Meshtastic · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-47065 | Medium | 6.5 | — | 2025-07-11 | Meshtastic is an open source mesh networking solution. |
CVE-2025-24798 | Medium | 4.3 | — | 2025-07-10 | Meshtastic is an open source mesh networking solution. |
CVE-2025-53637 | Medium | 4.1 | — | 2025-07-10 | Meshtastic is an open source mesh networking solution. |
Mitsubishi Electric Corporation · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5023 | High | 7.1 | — | 2025-07-10 | Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the… |
CVE-2025-5022 | Medium | 6.5 | — | 2025-07-10 | Weak Password Requirements vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the un… |
CVE-2025-5241 | Medium | 5.3 | — | 2025-07-11 | Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series allows a remote unauthenticated attacker to lockout legitimate users for a certain period by repeatedly attempting to login wi… |
Netweblogic · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6970 | High | 7.5 | — | 2025-07-09 | The Events Manager – Calendar, Bookings, Tickets, and more! |
CVE-2025-6976 | Medium | 6.4 | — | 2025-07-09 | The Events Manager – Calendar, Bookings, Tickets, and more! |
CVE-2025-6975 | Medium | 6.1 | — | 2025-07-09 | The Events Manager – Calendar, Bookings, Tickets, and more! |
Palo Alto Networks · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-0141 | — | — | — | 2025-07-09 | An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on enables a locally authenticated non administrative user to escalate their privileges to root on macOS and Linux or NT AUTHORITY\SYSTEM on Windo… |
CVE-2025-0140 | — | — | — | 2025-07-09 | An incorrect privilege assignment vulnerability in the Palo Alto Networks GlobalProtect™ App on macOS devices enables a locally authenticated non administrative user to disable the app even if the GlobalProtect app configuration would not… |
CVE-2025-0139 | — | — | — | 2025-07-09 | An incorrect privilege assignment vulnerability in Palo Alto Networks Autonomous Digital Experience Manager allows a locally authenticated low privileged user on macOS endpoints to escalate their privileges to root. |
Sap · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-42956 | Medium | 6.1 | — | 2025-07-08 | SAP NetWeaver Application Server ABAP and ABAP Platform allows an unauthenticated attacker to create a malicious link which they can make publicly available. |
CVE-2025-42968 | Medium | 5.0 | — | 2025-07-08 | SAP NetWeaver allows an authenticated non-administrative user to call the remote-enabled function module, which could grant access to non-sensitive information about the SAP system and OS without requiring any specific knowledge or control… |
CVE-2025-42986 | Medium | 4.3 | — | 2025-07-08 | Due to a missing authorization check in an obsolete RFC enabled function module in SAP BASIS, an authenticated low-privileged attacker could call a Remote Function Call (RFC), potentially accessing restricted system information. |
Utt · 3 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7118 | High | 8.8 | — | 2025-07-07 | A vulnerability, which was classified as critical, has been found in UTT HiPER 840G up to 3.1.1-190328. |
CVE-2025-7117 | High | 8.8 | — | 2025-07-07 | A vulnerability classified as critical was found in UTT HiPER 840G up to 3.1.1-190328. |
CVE-2025-7116 | High | 8.8 | — | 2025-07-07 | A vulnerability classified as critical has been found in UTT 进取 750W up to 3.2.2-191225. |
9fans · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7208 | Medium | 5.5 | — | 2025-07-09 | A vulnerability was found in 9fans plan9port up to 9da5b44. |
CVE-2025-7209 | Low | 3.3 | — | 2025-07-09 | A vulnerability has been found in 9fans plan9port up to 9da5b44 and classified as problematic. |
Apos37 · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6851 | High | 7.2 | — | 2025-07-11 | The Broken Link Notifier plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.0 via the ajax_blinks() function which ultimately calls the check_url_status_code() function. |
CVE-2025-6838 | Medium | 4.1 | — | 2025-07-11 | The Broken Link Notifier plugin for WordPress is vulnerable to CSV Injection in all versions up to, and including, 1.3.0 via broken links that are later exported. |
Apple · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48384 | High | 8.0 | KEV | 2025-07-08 | Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. |
CVE-2025-31267 | Medium | 4.6 | — | 2025-07-10 | An authentication issue was addressed with improved state management. |
Asustor · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7379 | — | — | — | 2025-07-09 | A security bypass vulnerability allows exploitation via Reverse Tabnabbing, a type of phishing attack where attackers can manipulate the content of the original tab, leading to credential theft and other security risks. |
CVE-2025-7378 | — | — | — | 2025-07-09 | An Improper Input Validation vulnerability allows injecting arbitrary values into the NAS configuration file in ASUSTOR ADM. |
Autodesk · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5040 | High | 7.8 | — | 2025-07-10 | A maliciously crafted RTE file, when parsed through Autodesk Revit, can force a Heap-Based Overflow vulnerability. |
CVE-2025-5037 | High | 7.8 | — | 2025-07-10 | A maliciously crafted RFA, RTE, or RVT file, when parsed through Autodesk Revit, can force a Memory Corruption vulnerability. |
Brainstormforce · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6691 | High | 8.1 | — | 2025-07-09 | The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_entry_files() function in all versions up to, and including, 1.7… |
CVE-2025-6742 | High | 7.5 | — | 2025-07-09 | The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7.3 via the use of file_exists() in the delete_entry_files() function without restr… |
Carmelo · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7180 | High | 7.3 | — | 2025-07-08 | A vulnerability, which was classified as critical, has been found in code-projects Staff Audit System 1.0. |
CVE-2025-7181 | Medium | 6.3 | — | 2025-07-08 | A vulnerability, which was classified as critical, was found in code-projects Staff Audit System 1.0. |
Dell · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-36600 | High | 8.2 | — | 2025-07-08 | Dell Client Platform BIOS contains an Improper Access Control Applied to Mirrored or Aliased Memory Regions vulnerability in an externally developed component. |
CVE-2025-36599 | Medium | 4.3 | — | 2025-07-09 | Dell PowerFlex Manager VM, versions prior to 4.6.2.1, contains an Insertion of Sensitive Information into Log File vulnerability. |
Egroupware · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-38329 | Medium | 6.1 | — | 2025-07-11 | An issue was discovered in eGroupWare 17.1.20190111. |
CVE-2023-38327 | Medium | 5.3 | — | 2025-07-11 | An issue was discovered in eGroupWare 17.1.20190111. |
Fooplugins · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6068 | Medium | 6.4 | — | 2025-07-11 | The FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption-title` & `data-caption-description` HTML attributes in all versi… |
CVE-2025-5537 | Medium | 6.4 | — | 2025-07-08 | The Lightbox & Modal Popup WordPress Plugin – FooBox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image alternative texts in all versions up to, and including, 2.7.34 due to insufficient input sanitization and outp… |
Frauscher · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3626 | Critical | 9.1 | — | 2025-07-07 | A remote attacker with administrator account can gain full control of the device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') while uploading a config file via webUI. |
CVE-2025-3705 | Medium | 6.8 | — | 2025-07-07 | A physical attacker with no privileges can gain full control of the affected device due to improper neutralization of special elements used in an OS Command ('OS Command Injection') when loading a config file from a USB drive. |
Git · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48386 | Medium | 6.3 | — | 2025-07-08 | Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. |
CVE-2025-48385 | — | — | — | 2025-07-08 | Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. |
Gnome · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7425 | High | 7.8 | — | 2025-07-10 | A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. |
CVE-2025-7424 | High | 7.5 | — | 2025-07-10 | A flaw was found in the libxslt library. |
Hewlett Packard Enterprise (Hpe) · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-37103 | Critical | 9.8 | — | 2025-07-08 | Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication. |
CVE-2025-37102 | High | 7.2 | — | 2025-07-08 | An authenticated command injection vulnerability exists in the Command line interface of HPE Networking Instant On Access Points. |
Kibokolabs · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6234 | Medium | 6.1 | — | 2025-07-10 | The Hostel WordPress plugin before 1.1.5.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. |
CVE-2025-6236 | Medium | 4.8 | — | 2025-07-10 | The Hostel WordPress plugin before 1.1.5.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is d… |
Langgenius · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3466 | High | 7.2 | — | 2025-07-07 | langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing execution of arbitrary code with full root permissions. |
CVE-2025-3467 | Medium | 5.4 | — | 2025-07-07 | An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. |
Mescius · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6811 | Critical | 9.8 | — | 2025-07-07 | Mescius ActiveReports.NET TypeResolutionService Deserialization of Untrusted Data Remote Code Execution Vulnerability. |
CVE-2025-6810 | Critical | 9.8 | — | 2025-07-07 | Mescius ActiveReports.NET ReadValue Deserialization of Untrusted Data Remote Code Execution Vulnerability. |
Nimesa · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48501 | Critical | 9.8 | — | 2025-07-07 | An OS command injection issue exists in Nimesa Backup and Recovery v2.3 and v2.4. |
CVE-2025-53473 | High | 7.3 | — | 2025-07-07 | Server-side request forgery (SSRF) vulnerability exists in multiple versions of Nimesa Backup and Recovery. If this vulnerability is exploited, unintended requests may be sent to internal servers. |
Redis · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-48367 | High | 7.5 | — | 2025-07-07 | Redis is an open source, in-memory database that persists on disk. |
CVE-2025-32023 | High | 7.0 | — | 2025-07-07 | Redis is an open source, in-memory database that persists on disk. |
Rockwell Automation · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6377 | High | 7.8 | — | 2025-07-09 | A remote code execution security issue exists in the Rockwell Automation Arena®. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. |
CVE-2025-6376 | High | 7.8 | — | 2025-07-09 | A remote code execution security issue exists in the Rockwell Automation Arena®. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. |
Schiocco · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4855 | Critical | 9.8 | — | 2025-07-09 | The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. |
CVE-2025-4828 | Critical | 9.8 | — | 2025-07-09 | The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. |
Sim · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7114 | High | 7.3 | — | 2025-07-07 | A vulnerability was found in SimStudioAI sim up to 37786d371e17d35e0764e1b5cd519d873d90d97b. |
CVE-2025-7107 | Medium | 5.3 | — | 2025-07-07 | A vulnerability classified as critical has been found in SimStudioAI sim up to 0.1.17. |
Totolink · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7460 | High | 8.8 | — | 2025-07-11 | A vulnerability has been found in TOTOLINK T6 4.1.5cu.748_B20211015 and classified as critical. |
CVE-2025-7154 | Medium | 6.3 | — | 2025-07-08 | A vulnerability, which was classified as critical, has been found in TOTOLINK N200RE 9.3.5u.6095_B20200916/9.3.5u.6139_B20201216. |
Trendmicro · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53503 | High | 7.8 | — | 2025-07-10 | Trend Micro Cleaner One Pro is vulnerable to a Privilege Escalation vulnerability that could allow a local attacker to unintentionally delete privileged Trend Micro files including its own. |
CVE-2025-52837 | High | 7.8 | — | 2025-07-10 | Trend Micro Password Manager (Consumer) version 5.8.0.1327 and below is vulnerable to a Link Following Privilege Escalation Vulnerability that could allow an attacker the opportunity to abuse symbolic links and other methods to delete any… |
Yhirose · 2 CVEs
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53628 | High | 8.8 | — | 2025-07-10 | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. |
CVE-2025-53629 | High | 7.5 | — | 2025-07-10 | cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. |
Aa-team · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7401 | Critical | 9.8 | — | 2025-07-11 | The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versi… |
Adonesevangelista · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7193 | High | 7.3 | — | 2025-07-08 | A vulnerability was found in itsourcecode Agri-Trading Online Shopping System up to 1.0. |
Ahmed-elgaml11 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53373 | — | — | — | 2025-07-07 | Natours is a Tour Booking API. |
Alfonsograziano · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53372 | High | 7.5 | — | 2025-07-08 | node-code-sandbox-mcp is a Node.js–based Model Context Protocol server that spins up disposable Docker containers to execute arbitrary JavaScript. |
Angeljudesuarez · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7212 | Medium | 6.3 | — | 2025-07-09 | A vulnerability was found in itsourcecode Insurance Management System up to 1.0. |
Avimegladon · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4593 | Medium | 6.5 | — | 2025-07-11 | The WP Register Profile With Shortcode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.6.2 via the 'rp_user_data' shortcode. |
Ayecode · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6200 | Medium | 5.9 | — | 2025-07-11 | The GeoDirectory WordPress plugin before 2.8.120 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and… |
Better-auth · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53535 | — | — | — | 2025-07-07 | Better Auth is an authentication and authorization library for TypeScript. |
Builderengine · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34100 | — | — | — | 2025-07-10 | An unrestricted file upload vulnerability exists in BuilderEngine 3.5.0 via the integration of the elFinder 2.0 file manager and its use of the jQuery File Upload plugin. |
Citrix · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6759 | High | 7.8 | — | 2025-07-08 | Local privilege escalation allows a low-privileged user to gain SYSTEM privileges in Windows Virtual Delivery Agent for CVAD and Citrix DaaS. |
Clerk · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53548 | High | 7.5 | — | 2025-07-09 | Clerk helps developers build user management. |
Config_pages_viewer_project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7031 | Medium | 5.3 | — | 2025-07-08 | Missing Authentication for Critical Function vulnerability in Drupal Config Pages Viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Config Pages Viewer: from 0.0.0 before 1.0.4. |
Connect2id · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53864 | Medium | 5.8 | — | 2025-07-11 | Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. |
Connectwise · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7204 | Medium | 6.5 | — | 2025-07-09 | In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sensitive user information. |
Contest-gallery · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6716 | Medium | 6.4 | — | 2025-07-11 | The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'upload[1][… |
Crypttech · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34102 | — | — | — | 2025-07-10 | A remote code execution vulnerability exists in CryptoLog (PHP version, discontinued since 2009) due to a chained exploitation of SQL injection and command injection vulnerabilities. |
Dasinfomedia · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7442 | High | 7.5 | — | 2025-07-11 | The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to SQL Injection via several parameters in the MJ_gmgt_delete_class_limit_for_member, MJ_gmgt_get_yearly_income_expense, MJ_gmgt_get_monthly_income_expense, MJ_… |
Dradisframework · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2023-50458 | Low | 3.5 | — | 2025-07-10 | In Dradis before 4.11.0, the Output Console shows a job queue that may contain information about other users' jobs. |
Drupal · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7030 | Medium | 6.5 | — | 2025-07-08 | Privilege Defined With Unsafe Actions vulnerability in Drupal Two-factor Authentication (TFA) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.1… |
Educoder · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-45479 | Critical | 9.8 | — | 2025-07-07 | Insufficient security mechanisms for created containers in educoder challenges v1.0 allow attackers to execute arbitrary code via injecting crafted content into a container. |
Efs Software Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34096 | — | — | — | 2025-07-10 | A stack-based buffer overflow vulnerability exists in Easy File Sharing HTTP Server version 7.2. |
End-of-train And Head-of-train Remote Linking Protocol · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-1727 | High | 8.1 | — | 2025-07-10 | The protocol used for remote linking over RF for End-of-Train and Head-of-Train (also known as a FRED) relies on a BCH checksum for packet creation. |
Eset, Spol. S.r.o · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5028 | — | — | — | 2025-07-11 | The installation file of ESET security products on Windows allows an attacker to delete an arbitrary file without having the permissions to do so. |
Espressif · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53540 | — | — | — | 2025-07-07 | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. |
Facebook · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30403 | High | 8.1 | — | 2025-07-11 | A heap-buffer-overflow vulnerability is possible in mvfst via a specially crafted message during a QUIC session. |
Fastapi-guard · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53539 | High | 7.5 | — | 2025-07-07 | FastAPI Guard is a security library for FastAPI that provides middleware to control IPs, log requests, and detect penetration attempts. |
Flux159 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53355 | High | 7.5 | — | 2025-07-08 | MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. |
Frappe · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53545 | — | — | — | 2025-07-08 | Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service (SaaS). |
Fuji Electric Co., Ltd. / Hakko Electronics Co., Ltd. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-50130 | High | 7.8 | — | 2025-07-08 | A heap-based buffer overflow vulnerability exists in VS6Sim.exe contained in V-SFT and TELLUS provided by FUJI ELECTRIC CO., LTD. Opening V9 files or X1 files specially crafted by an attacker on the affected product may lead to arbitrary… |
Gavias · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-43334 | High | 7.1 | — | 2025-07-07 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gavias Zilom zilom allows Reflected XSS. This issue affects Zilom: from n/a through < 1.4.5. |
Gb-plugins · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5392 | Critical | 9.8 | — | 2025-07-11 | The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. |
Genetech Solutions · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34077 | — | — | — | 2025-07-09 | An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. |
Ggml-org · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53630 | — | — | — | 2025-07-10 | llama.cpp is an inference of several LLM models in C/C++. |
Giscus · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53532 | Medium | 5.3 | — | 2025-07-07 | giscus is a commenting system powered by GitHub Discussions. |
Gitroomhq · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53641 | High | 8.2 | — | 2025-07-11 | Postiz is an AI social media scheduling tool. |
Gstreamer · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6663 | High | 7.8 | — | 2025-07-07 | GStreamer H266 Codec Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability. |
Haxtheweb · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53642 | Medium | 4.8 | — | 2025-07-11 | haxcms-nodejs and haxcms-php are backends for HAXcms. |
Helm · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53547 | High | 8.5 | — | 2025-07-08 | Helm is a package manager for Charts for Kubernetes. |
Hitsz-ids · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7156 | Medium | 6.3 | — | 2025-07-08 | A vulnerability has been found in hitsz-ids airda 0.0.3 and classified as critical. |
Hp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-43019 | High | 7.8 | — | 2025-07-08 | A potential security vulnerability has been identified in the HP Support Assistant, which allows a local attacker to escalate privileges via an arbitrary file deletion. |
Immich-app · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-43856 | — | — | — | 2025-07-11 | immich is a high performance self-hosted photo and video management solution. |
Itsourcecode · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7182 | Medium | 4.3 | — | 2025-07-08 | A vulnerability has been found in itsourcecode Student Transcript Processing System 1.0 and classified as problematic. |
Jdegayojr · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7059 | Medium | 6.4 | — | 2025-07-09 | The Simple Featured Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slideshow’ parameter in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. |
Jhenggao · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7146 | High | 7.5 | — | 2025-07-08 | The iPublish System developed by Jhenggao has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to read arbitrary system files. |
Kadencewp · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5678 | Medium | 6.4 | — | 2025-07-09 | The Gutenberg Blocks with AI by Kadence WP – Page Builder Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘redirectURL’ parameter in all versions up to, and including, 3.5.10 due to insufficient input san… |
Kestra-io · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53543 | Medium | 4.2 | — | 2025-07-07 | Kestra is an event-driven orchestration platform. |
Kone-net · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7452 | Medium | 6.3 | — | 2025-07-11 | A vulnerability was found in kone-net go-chat up to f9e58d0afa9bbdb31faf25e7739da330692c4c63. |
Krishna9772 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7200 | Medium | 6.3 | — | 2025-07-08 | A vulnerability, which was classified as critical, was found in krishna9772 Pharmacy Management System up to a2efc8442931ec9308f3b4cf4778e5701153f4e5. |
Kubernetes-sigs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53542 | High | 7.7 | — | 2025-07-10 | Headlamp is an extensible Kubernetes web UI. |
Lanacodes · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7387 | Medium | 5.5 | — | 2025-07-10 | The Lana Downloads Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the endpoint parameters in versions up to, and including, 1.10.0 due to insufficient input sanitization and output escaping on user supplied a… |
Letseeqiji · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7450 | Medium | 5.4 | — | 2025-07-11 | A vulnerability was found in letseeqiji gorobbs up to 1.0.8. |
Libssh · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5987 | High | 8.1 | — | 2025-07-07 | A flaw was found in libssh when using the ChaCha20 cipher with the OpenSSL library. |
Linksys · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2013-3307 | High | 8.3 | — | 2025-07-11 | Linksys E1000 devices through 2.1.02, E1200 devices before 2.0.05, and E3200 devices through 1.0.04 allow OS command injection via shell metacharacters in the apply.cgi ping_ip parameter on TCP port 52000. |
Livehelperchat · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7435 | Low | 3.5 | — | 2025-07-11 | A vulnerability was found in LiveHelperChat lhc-php-resque Extension up to ee1270b35625f552425e32a6a3061cd54b5085c4. |
Lty628 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7216 | High | 7.3 | — | 2025-07-09 | A vulnerability, which was classified as critical, was found in lty628 Aidigu up to 1.8.2. |
Lunary · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4779 | Medium | 6.1 | — | 2025-07-07 | lunary-ai/lunary versions prior to 1.9.24 are vulnerable to stored cross-site scripting (XSS). |
Matrix-org · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53549 | — | — | — | 2025-07-10 | The Matrix Rust SDK is a collection of libraries that make it easier to build Matrix clients in Rust. |
Mautic · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7381 | Medium | 5.3 | — | 2025-07-09 | Impact: This is an information disclosure vulnerability originating from PHP's base image. |
Meowapps · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5570 | Medium | 5.4 | — | 2025-07-08 | The AI Engine plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the mwai_chatbot shortcode 'id' parameter in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping. |
Meta Platforms, Inc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-30402 | High | 8.1 | — | 2025-07-11 | A heap-buffer-overflow vulnerability in the loading of ExecuTorch methods can cause the runtime to crash and potentially result in code execution or other undesirable effects. |
Miraheze · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53371 | Critical | 9.1 | — | 2025-07-10 | DiscordNotifications is an extension for MediaWiki that sends notifications of actions in your Wiki to a Discord channel. |
Mpol · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5807 | Medium | 6.1 | — | 2025-07-10 | The Gwolle Guestbook plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘gwolle_gb_content’ parameter in all versions up to, and including, 4.9.2 due to insufficient input sanitization and output escaping. |
Mruby · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7207 | Low | 3.3 | — | 2025-07-09 | A vulnerability, which was classified as problematic, was found in mruby up to 3.4.0-rc2. |
Netgear · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7407 | Medium | 6.3 | — | 2025-07-10 | A vulnerability, which was classified as critical, was found in Netgear D6400 1.0.0.114. |
Open-quantum-safe · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-52473 | Medium | 5.9 | — | 2025-07-10 | liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. |
Openai · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7021 | Medium | 6.5 | — | 2025-07-10 | Fullscreen API Spoofing and UI Redressing in the handling of Fullscreen API and UI rendering in OpenAI Operator SaaS on Web allows a remote attacker to capture sensitive user input (e.g., login credentials, email addresses) via displaying… |
Opentext™ · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2024-7650 | — | — | — | 2025-07-10 | Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Directory Services allows Remote Code Inclusion. |
Osc · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53636 | Medium | 5.4 | — | 2025-07-11 | Open OnDemand is an open-source HPC portal. |
Palantir · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53709 | Medium | 5.4 | — | 2025-07-10 | Secure-upload is a data submission service that validates single-use tokens when accepting submissions to channels. |
Parisneo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6386 | High | 7.5 | — | 2025-07-07 | The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. |
Parse-community · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53364 | Medium | 5.3 | — | 2025-07-10 | Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. |
Pdfme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53626 | Medium | 6.1 | — | 2025-07-10 | pdfme is a TypeScript-based PDF generator and React-based UI. |
Phpthumb Project · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-52994 | Medium | 4.9 | — | 2025-07-11 | gif_outputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. |
Polycom · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34093 | — | — | — | 2025-07-10 | An authenticated command injection vulnerability exists in the Polycom HDX Series command shell interface accessible over Telnet. |
Processmaker Inc. · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34097 | — | — | — | 2025-07-10 | An unrestricted file upload vulnerability exists in ProcessMaker versions prior to 3.5.4 due to improper handling of uploaded plugin archives. |
Pushpam02 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7408 | Low | 3.5 | — | 2025-07-10 | A vulnerability has been found in SourceCodester Zoo Management System 1.0 and classified as problematic. |
Pyload · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7346 | — | — | — | 2025-07-08 | Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. |
Qwikdev · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53620 | — | — | — | 2025-07-09 | @builder.io/qwik-city is the meta-framework for Qwik. |
Radiustheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7327 | High | 8.8 | — | 2025-07-08 | The Widget for Google Reviews plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.15 via the layout parameter. |
Rcatheme · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5957 | Medium | 5.3 | — | 2025-07-08 | The Guest Support – Complete customer support ticket system for WordPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'deleteMassTickets' function in all versions up to, and incl… |
Real Time Logic · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34095 | — | — | — | 2025-07-10 | An OS command injection vulnerability exists in Mako Server versions 2.5 and 2.6, specifically within the tutorial interface provided by the examples/save.lsp endpoint. |
Risesoft-y9 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7108 | Medium | 5.4 | — | 2025-07-07 | A vulnerability classified as critical was found in risesoft-y9 Digital-Infrastructure up to 9.6.7. |
Riverbed Technology · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34098 | — | — | — | 2025-07-10 | A path traversal vulnerability exists in Riverbed SteelHead VCX appliances (confirmed in VCX255U 9.6.0a) due to improper input validation in the log filtering functionality exposed via the management web interface. |
Roocode · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53536 | High | 8.1 | — | 2025-07-07 | Roo Code is an AI-powered autonomous coding agent. |
Rowboatlabs · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7115 | High | 7.3 | — | 2025-07-07 | A vulnerability was found in rowboatlabs rowboat up to 8096eaf63b5a0732edd8f812bee05b78e214ee97. |
Rssnext · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53546 | Critical | 9.1 | — | 2025-07-09 | Folo organizes feeds content into one timeline. |
Saltbo · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7453 | Low | 3.7 | — | 2025-07-11 | A vulnerability was found in saltbo zpan up to 1.6.5/1.7.0-beta2. |
Servicenow · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3648 | — | — | — | 2025-07-08 | A vulnerability has been identified in the Now Platform that could result in data being inferred without authorization. |
Serviio · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34101 | — | — | — | 2025-07-10 | An unauthenticated command injection vulnerability exists in Serviio Media Server versions 1.4 through 1.8 on Windows, in the /rest/action API endpoint exposed by the console component (default port 23423). |
Shenzhen Liandian Communication Technology Ltd · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7503 | — | — | — | 2025-07-11 | An OEM IP camera manufactured by Shenzhen Liandian Communication Technology LTD exposes a Telnet service (port 23) with undocumented, default credentials. |
Sur-fbd Cmms · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3920 | — | — | — | 2025-07-07 | A vulnerability was identified in SUR-FBD CMMS where hard-coded credentials were found within a compiled DLL file. |
Teamt5 · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-7145 | High | 7.2 | — | 2025-07-07 | ThreatSonar Anti-Ransomware developed by TeamT5 has an OS Command Injection vulnerability, allowing remote attackers with product platform intermediate privileges to inject arbitrary OS commands and execute them on the server, thereby gain… |
The Qt Company · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5992 | — | — | — | 2025-07-11 | When passing values outside of the expected range to QColorTransferGenericFunction it can cause a denial of service, for example, this can happen when passing a specifically crafted ICC profile to QColorSpace::fromICCProfile. This issue aff… |
Tomdever · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4406 | Medium | 5.4 | — | 2025-07-10 | The wpForo Forum plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.4.5 due to insufficient input sanitization and output escaping. |
Tychesoftwares · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-2942 | Medium | 4.3 | — | 2025-07-11 | The Order Delivery Date WordPress plugin before 12.6.0 discloses arbitrary post titles (such as from draft and private posts) via an unauthenticated AJAX action, allowing attackers to retrieve such information. |
Unattributed · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6514 | Critical | 9.6 | — | 2025-07-09 | mcp-remote is exposed to OS command injection when connecting to untrusted MCP servers due to crafted input from the authorization_endpoint response URL. |
Universal-omega · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53625 | — | — | — | 2025-07-10 | The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with various formats and details. |
Uxper · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-4606 | Critical | 9.8 | — | 2025-07-09 | The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. |
Vicidial Group · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-34099 | — | — | — | 2025-07-10 | An unauthenticated command injection vulnerability exists in VICIdial versions 2.9 RC1 through 2.13 RC1, within the vicidial_sales_viewer.php component when password encryption is enabled (a non-default configuration). |
Wago · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-41672 | Critical | 10.0 | — | 2025-07-07 | A remote unauthenticated attacker may use default certificates to generate JWT Tokens and gain full access to the tool and all connected devices. |
Wclovers · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-3780 | Medium | 6.5 | — | 2025-07-09 | The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wcfm_redirect_to_setup functi… |
Webbertakken · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-53624 | Critical | 10.0 | — | 2025-07-09 | The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. |
Wpclever · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-5530 | Medium | 6.4 | — | 2025-07-11 | The WPC Smart Compare for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'shortcode_btn' shortcode in all versions up to, and including, 6.4.6 due to insufficient input sanitization and outpu… |
Wpdeveloper · 1 CVE
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
CVE-2025-6244 | Medium | 6.4 | — | 2025-07-08 | The Essential Addons for Elementor – Popular Elementor Templates and Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `Calendar` and `Business Reviews` Widgets attributes in all versions up to, and incl… |