Total
11363 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-34033 | 1 5vtechnologies | 1 Blue Angel Software Suite | 2025-07-09 | N/A | 8.8 HIGH |
| An OS command injection vulnerability exists in the Blue Angel Software Suite running on embedded Linux devices via the ping_addr parameter in the webctrl.cgi script. The application fails to properly sanitize input before passing it to the system-level ping command. An authenticated attacker can inject arbitrary commands by appending shell metacharacters to the ping_addr parameter in a crafted GET request to /cgi-bin/webctrl.cgi?action=pingtest_update. The command's output is reflected in the application's web interface, enabling attackers to view results directly. Default and backdoor credentials can be used to access the interface and exploit the issue. Successful exploitation results in arbitrary command execution as the root user. | |||||
| CVE-2025-34035 | 1 Engeniustech | 14 Epg5000, Epg5000 Firmware, Esr1200 and 11 more | 2025-07-09 | N/A | 9.8 CRITICAL |
| An OS command injection vulnerability exists in EnGenius EnShare Cloud Service version 1.4.11 and earlier. The usbinteract.cgi script fails to properly sanitize user input passed to the path parameter, allowing unauthenticated remote attackers to inject arbitrary shell commands. The injected commands are executed with root privileges, leading to full system compromise. | |||||
| CVE-2025-34036 | 1 Tvt | 60 Td-2004ts-cl, Td-2004ts-cl-c, Td-2004ts-cl-c Firmware and 57 more | 2025-07-09 | N/A | 9.8 CRITICAL |
| An OS command injection vulnerability exists in white-labeled DVRs manufactured by TVT, affecting a custom HTTP service called "Cross Web Server" that listens on TCP ports 81 and 82. The web interface fails to sanitize input in the URI path passed to the language extraction functionality. When the server processes a request to /language/[lang]/index.html, it uses the [lang] input unsafely in a tar extraction command without proper escaping. This allows an unauthenticated remote attacker to inject shell commands and achieve arbitrary command execution as root. | |||||
| CVE-2025-29646 | 1 Open5gs | 1 Open5gs | 2025-07-09 | N/A | 7.1 HIGH |
| An issue in upf in open5gs 2.7.2 and earlier allows a remote attacker to cause a Denial of Service via a crafted PFCP SessionEstablishmentRequest packet with restoration indication = true and (teid = 0 or teid >= ogs_pfcp_pdr_teid_pool.size). | |||||
| CVE-2025-47968 | 1 Microsoft | 1 Autoupdate | 2025-07-09 | N/A | 7.8 HIGH |
| Improper input validation in Microsoft AutoUpdate (MAU) allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-47171 | 1 Microsoft | 4 365 Apps, Office, Office Long Term Servicing Channel and 1 more | 2025-07-09 | N/A | 6.7 MEDIUM |
| Improper input validation in Microsoft Office Outlook allows an authorized attacker to execute code locally. | |||||
| CVE-2023-43037 | 1 Ibm | 1 Maximo Application Suite | 2025-07-08 | N/A | 6.5 MEDIUM |
| IBM Maximo Application Suite 8.11 and 9.0 could allow an authenticated user to perform unauthorized actions due to improper input validation. | |||||
| CVE-2025-26780 | 2025-07-08 | N/A | 7.5 HIGH | ||
| An issue was discovered in L2 in Samsung Mobile Processor and Modem Exynos 2400 and Modem 5400. The lack of a length check leads to a Denial of Service via a malformed PDCP packet. | |||||
| CVE-2025-27731 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2025-07-08 | N/A | 7.8 HIGH |
| Improper input validation in OpenSSH for Windows allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-6279 | 1 Upsonic | 1 Upsonic | 2025-07-08 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability, which was classified as critical, has been found in Upsonic up to 0.55.6. This issue affects the function cloudpickle.loads of the file /tools/add_tool of the component Pickle Handler. The manipulation leads to deserialization. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-53502 | 2025-07-08 | N/A | 6.5 MEDIUM | ||
| Improper Input Validation vulnerability in Wikimedia Foundation Mediawiki - FeaturedFeeds Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - FeaturedFeeds Extension: 1.39.X, 1.42.X, 1.43.X. | |||||
| CVE-2025-7060 | 2025-07-08 | 4.3 MEDIUM | 4.1 MEDIUM | ||
| A vulnerability was found in Monitorr up to 1.7.6m. It has been classified as problematic. This affects an unknown part of the file assets/config/_installation/mkdbajax.php of the component Installer. The manipulation of the argument datadir leads to improper input validation. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2025-7099 | 2025-07-08 | 5.1 MEDIUM | 5.6 MEDIUM | ||
| A vulnerability has been found in BoyunCMS up to 1.21 on PHP7 and classified as critical. Affected by this vulnerability is an unknown functionality of the file install/install2.php of the component Installation Handler. The manipulation of the argument db_host leads to deserialization. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3777 | 2025-07-08 | N/A | 3.5 LOW | ||
| Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1. | |||||
| CVE-2025-40593 | 2025-07-08 | N/A | 6.5 MEDIUM | ||
| A vulnerability has been identified in SIMATIC CN 4100 (All versions < V4.0). The affected application allows to control the device by storing arbitrary files in the SFTP folder of the device. This could allow an attacker to cause a denial of service condition. | |||||
| CVE-2025-53075 | 1 Samsung | 1 Rlottie | 2025-07-08 | N/A | 9.8 CRITICAL |
| Improper Input Validation vulnerability in Samsung Open Source rLottie allows Path Traversal.This issue affects rLottie: V0.2. | |||||
| CVE-2025-21194 | 1 Microsoft | 54 Surface Go 2 1901, Surface Go 2 1901 Firmware, Surface Go 2 1926 and 51 more | 2025-07-08 | N/A | 7.1 HIGH |
| Microsoft Surface Security Feature Bypass Vulnerability | |||||
| CVE-2025-20197 | 1 Cisco | 1 Ios Xe | 2025-07-08 | N/A | 6.7 MEDIUM |
| A vulnerability in the CLI of Cisco IOS XE Software could allow an authenticated, local attacker with privilege level 15 to elevate privileges to root on the underlying operating system of an affected device. This vulnerability is due to insufficient input validation when processing specific configuration commands. An attacker could exploit this vulnerability by including crafted input in specific configuration commands. A successful exploit could allow the attacker to elevate privileges to root on the underlying operating system of an affected device. The security impact rating (SIR) of this advisory has been raised to High because an attacker could gain access to the underlying operating system of the affected device and perform potentially undetected actions. Note: The attacker must have privileges to enter configuration mode on the affected device. This is usually referred to as privilege level 15. | |||||
| CVE-2025-32079 | 2025-07-07 | N/A | 6.5 MEDIUM | ||
| Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments allows HTTP DoS.This issue affects Mediawiki - GrowthExperiments: from 1.39 through 1.43. | |||||
| CVE-2025-32071 | 2025-07-07 | N/A | 5.4 MEDIUM | ||
| Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikidata Extension allows Cross-Site Scripting (XSS) from widthheight message via ImageHandler::getDimensionsString()This issue affects Mediawiki - Wikidata Extension: from 1.39 through 1.43. | |||||