Total
653 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-8107 | 2025-07-25 | N/A | 6.3 MEDIUM | ||
| In OceanBase's Oracle tenant mode, a malicious user with specific privileges can achieve privilege escalation to SYS-level access by executing carefully crafted commands. This vulnerability only affects OceanBase tenants in Oracle mode. Tenants in MySQL mode are unaffected. | |||||
| CVE-2025-34119 | 2025-07-17 | N/A | N/A | ||
| A remote file disclosure vulnerability exists in EasyCafe Server 2.2.14, exploitable by unauthenticated remote attackers via TCP port 831. The server listens for a custom protocol where opcode 0x43 can be used to request arbitrary files by absolute path. If the file exists and is accessible, its content is returned without authentication. This flaw allows attackers to retrieve sensitive files such as system configuration, password files, or application data. | |||||
| CVE-2025-6788 | 2025-07-15 | N/A | N/A | ||
| A CWE-668: Exposure of Resource to Wrong Sphere vulnerability exists that exposes TGML diagram resources to the wrong control sphere, providing other authenticated users with potentially inappropriate access to TGML diagrams. | |||||
| CVE-2024-22281 | 1 Apache | 1 Helix | 2025-07-10 | N/A | 7.5 HIGH |
| ** UNSUPPORTED WHEN ASSIGNED ** The Apache Helix Front (UI) component contained a hard-coded secret, allowing an attacker to spoof sessions by generating their own fake cookies. This issue affects Apache Helix Front (UI): all versions. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-34064 | 2025-07-03 | N/A | N/A | ||
| A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. These logs may contain sensitive data such as directory tokens, user metadata, and environment configuration. This enables cross-tenant leakage of secrets, potentially allowing JWT signing key recovery and user impersonation. | |||||
| CVE-2025-46707 | 2025-07-02 | N/A | 5.2 MEDIUM | ||
| Software installed and running inside a Guest VM may override Firmware's state and gain access to the GPU. | |||||
| CVE-2024-13484 | 2025-06-24 | N/A | 8.2 HIGH | ||
| A flaw was found in openshift-gitops-operator-container. The openshift.io/cluster-monitoring label is applied to all namespaces that deploy an ArgoCD CR instance, allowing the namespace to create a rogue PrometheusRule. This issue can have adverse effects on the platform monitoring stack, as the rule is rolled out cluster-wide when the label is applied. | |||||
| CVE-2025-49574 | 2025-06-23 | N/A | 6.4 MEDIUM | ||
| Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. In versions prior to 3.24.0, there is a potential data leak when duplicating a duplicated context. Quarkus extensively uses the Vert.x duplicated context to implement context propagation. With the new semantic data from one transaction can leak to the data from another transaction. From a Vert.x point of view, this new semantic clarifies the behavior. A significant amount of data is stored in the duplicated context, including request scope, security details, and metadata. Duplicating a duplicated context is rather rare and is only done in a few places. This issue has been patched in version 3.24.0. | |||||
| CVE-2023-7204 | 1 Wp-staging | 1 Wp Staging | 2025-06-11 | N/A | 7.5 HIGH |
| The WP STAGING WordPress Backup plugin before 3.2.0 allows access to cache files during the cloning process which provides | |||||
| CVE-2020-16247 | 1 Philips | 1 Clinical Collaboration Platform | 2025-06-04 | 3.6 LOW | 6.8 MEDIUM |
| Philips Clinical Collaboration Platform, Versions 12.2.1 and prior, exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource. | |||||
| CVE-2024-22049 | 1 John Nunemaker | 1 Httparty | 2025-06-03 | N/A | 5.3 MEDIUM |
| httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written. | |||||
| CVE-2023-42716 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-05-29 | N/A | 7.5 HIGH |
| In telephony service, there is a possible missing permission check. This could lead to remote information disclosure no additional execution privileges needed | |||||
| CVE-2024-51754 | 2025-05-29 | N/A | 2.2 LOW | ||
| Twig is a template language for PHP. In a sandbox, an attacker can call `__toString()` on an object even if the `__toString()` method is not allowed by the security policy when the object is part of an array or an argument list (arguments to a function or a filter for instance). This issue has been patched in versions 3.11.2 and 3.14.1. All users are advised to upgrade. There are no known workarounds for this issue. | |||||
| CVE-2022-23950 | 1 Keylime | 1 Keylime | 2025-05-27 | N/A | 7.5 HIGH |
| In Keylime before 6.3.0, Revocation Notifier uses a fixed /tmp path for UNIX domain socket which can allow unprivileged users a method to prohibit keylime operations. | |||||
| CVE-2020-26272 | 1 Electronjs | 1 Electron | 2025-05-27 | 6.4 MEDIUM | 5.4 MEDIUM |
| The Electron framework lets users write cross-platform desktop applications using JavaScript, HTML and CSS. In versions of Electron IPC prior to 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9, messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame. If your app uses remote, calls webContents.sendToFrame, or calls event.reply in an IPC message handler then it is impacted by this issue. This has been fixed in versions 9.4.0, 10.2.0, 11.1.0, and 12.0.0-beta.9. There are no known workarounds for this issue. | |||||
| CVE-2021-1918 | 1 Qualcomm | 60 Qca6391, Qca6391 Firmware, Qcm6490 and 57 more | 2025-05-22 | 2.1 LOW | 6.5 MEDIUM |
| Improper handling of resource allocation in virtual machines can lead to information exposure in Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile | |||||
| CVE-2013-4253 | 1 Redhat | 1 Openshift | 2025-05-09 | N/A | 7.5 HIGH |
| The deployment script in the unsupported "OpenShift Extras" set of add-on scripts, in Red Hat Openshift 1, installs a default public key in the root user's authorized_keys file. | |||||
| CVE-2022-2882 | 1 Gitlab | 1 Gitlab | 2025-05-07 | N/A | 5.5 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions starting from 12.6 before 15.2.5, all versions starting from 15.3 before 15.3.4, all versions starting from 15.4 before 15.4.1. A malicious maintainer could exfiltrate a GitHub integration's access token by modifying the integration URL such that authenticated requests are sent to an attacker controlled server. | |||||
| CVE-2022-25236 | 4 Debian, Libexpat Project, Oracle and 1 more | 5 Debian Linux, Libexpat, Http Server and 2 more | 2025-05-05 | 7.5 HIGH | 9.8 CRITICAL |
| xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. | |||||
| CVE-2021-33096 | 1 Intel | 6 82599eb, 82599eb Firmware, 82599en and 3 more | 2025-05-05 | 2.1 LOW | 5.5 MEDIUM |
| Improper isolation of shared resources in network on chip for the Intel(R) 82599 Ethernet Controllers and Adapters may allow an authenticated user to potentially enable denial of service via local access. | |||||