Total
32069 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-10363 | 1 Librechat | 1 Librechat | 2025-07-11 | N/A | 5.4 MEDIUM |
| In version 0.7.5 of danny-avila/LibreChat, there is an improper access control vulnerability. Users can share, use, and create prompts without being granted permission by the admin. This can break application logic and permissions, allowing unauthorized actions. | |||||
| CVE-2024-27613 | 1 Numbas | 1 Editor | 2025-07-11 | N/A | 7.3 HIGH |
| Numbas editor before 7.3 mishandles reading of themes and extensions. | |||||
| CVE-2024-25591 | 1 Benjaminrojas | 1 Wp Editor | 2025-07-11 | N/A | 5.3 MEDIUM |
| Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Benjamin Rojas WP Editor.This issue affects WP Editor: from n/a through 1.2.7. | |||||
| CVE-2025-49136 | 1 Nadh | 1 Listmonk | 2025-07-11 | N/A | 9.0 CRITICAL |
| listmonk is a standalone, self-hosted, newsletter and mailing list manager. Starting in version 4.0.0 and prior to version 5.0.2, the `env` and `expandenv` template functions which is enabled by default in Sprig enables capturing of env variables on host. While this may not be a problem on single-user (super admin) installations, on multi-user installations, this allows non-super-admin users with campaign or template permissions to use the `{{ env }}` template expression to capture sensitive environment variables. Users should upgrade to v5.0.2 to mitigate the issue. | |||||
| CVE-2025-47775 | 1 Bullfrogsec | 1 Bullfrog | 2025-07-11 | N/A | 6.2 MEDIUM |
| Bullfrog is a GithHb Action to block unauthorized outbound traffic in GitHub workflows. Prior to version 0.8.4, using tcp breaks blocking and allows DNS exfiltration. This can result in sandbox bypass. Version 0.8.4 fixes the issue. | |||||
| CVE-2025-26481 | 1 Dell | 1 Powerscale Onefs | 2025-07-11 | N/A | 7.5 HIGH |
| Dell PowerScale OneFS, versions 9.4.0.0 through 9.9.0.0, contains an uncontrolled resource consumption vulnerability. A remote unprivileged attacker could potentially exploit this vulnerability, leading to denial of service. | |||||
| CVE-2024-1286 | 1 Strangerstudios | 1 Paid Memberships Pro | 2025-07-10 | N/A | 6.5 MEDIUM |
| The pmpro-membership-maps WordPress plugin before 0.7 does not prevent users with at least the contributor role from leaking sensitive information about users with a membership on the site. | |||||
| CVE-2024-3584 | 1 Qdrant | 1 Qdrant | 2025-07-10 | N/A | 7.5 HIGH |
| qdrant/qdrant version 1.9.0-dev is vulnerable to path traversal due to improper input validation in the `/collections/{name}/snapshots/upload` endpoint. By manipulating the `name` parameter through URL encoding, an attacker can upload a file to an arbitrary location on the system, such as `/root/poc.txt`. This vulnerability allows for the writing and overwriting of arbitrary files on the server, potentially leading to a full takeover of the system. The issue is fixed in version 1.9.0. | |||||
| CVE-2024-3829 | 1 Qdrant | 1 Qdrant | 2025-07-10 | N/A | 9.1 CRITICAL |
| qdrant/qdrant version 1.9.0-dev is vulnerable to arbitrary file read and write during the snapshot recovery process. Attackers can exploit this vulnerability by manipulating snapshot files to include symlinks, leading to arbitrary file read by adding a symlink that points to a desired file on the filesystem and arbitrary file write by including a symlink and a payload file in the snapshot's directory structure. This vulnerability allows for the reading and writing of arbitrary files on the server, which could potentially lead to a full takeover of the system. The issue is fixed in version v1.9.0. | |||||
| CVE-2024-4287 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-10 | N/A | 7.2 HIGH |
| In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifically, the application fails to validate or format JSON data sent in an HTTP POST request to `/api/workspace/:workspace-slug/update`, allowing it to be executed as part of a database query without restrictions. This flaw enables users with a manager role to craft a request that includes nested write operations, effectively allowing them to create new Administrator accounts. | |||||
| CVE-2024-34365 | 1 Apache | 1 Karaf Cave | 2025-07-10 | N/A | 9.1 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Karaf Cave.This issue affects all versions of Apache Karaf Cave. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-4321 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2025-07-10 | N/A | 7.5 HIGH |
| A Local File Inclusion (LFI) vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically within the functionality for uploading chat history. The vulnerability arises due to improper input validation when handling file paths during the chat history upload process. An attacker can exploit this vulnerability by intercepting requests and manipulating the 'name' parameter to specify arbitrary file paths. This allows the attacker to read sensitive files on the server, leading to information leakage, including API keys and private information. The issue affects version 20240310 of the application. | |||||
| CVE-2024-4284 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-10 | N/A | 4.9 MEDIUM |
| A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id` attribute to a value of 0. This issue affects the current version of the software, with the latest commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. By exploiting this vulnerability, an attacker, with manager or admin privileges, can render a chosen account completely inaccessible. The application's mechanism for suspending accounts does not provide a means to reverse this condition through the UI, leading to uncontrolled resource consumption. The vulnerability is introduced due to the lack of input validation and sanitization in the user modification endpoint and the middleware's token validation logic. This issue has been addressed in version 1.0.0 of the software. | |||||
| CVE-2024-3279 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-10 | N/A | 9.1 CRITICAL |
| An improper access control vulnerability exists in the mintplex-labs/anything-llm application, specifically within the import endpoint. This vulnerability allows an anonymous attacker, without an account in the application, to import their own database file, leading to the deletion or spoofing of the existing `anythingllm.db` file. By exploiting this vulnerability, attackers can serve malicious data to users or collect information about them. The vulnerability stems from the application's failure to properly restrict access to the data-import functionality, allowing unauthorized database manipulation. | |||||
| CVE-2018-6541 | 2 Canonical, Gdraheim | 2 Ubuntu Linux, Zziplib | 2025-07-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| In ZZIPlib 0.13.67, there is a bus error caused by loading of a misaligned address (when handling disk64_trailer local entries) in __zzip_fetch_disk_trailer (zzip/zip.c). Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file. | |||||
| CVE-2018-6484 | 2 Canonical, Gdraheim | 2 Ubuntu Linux, Zziplib | 2025-07-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| In ZZIPlib 0.13.67, there is a memory alignment error and bus error in the __zzip_fetch_disk_trailer function of zzip/zip.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file. | |||||
| CVE-2018-6542 | 1 Gdraheim | 1 Zziplib | 2025-07-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| In ZZIPlib 0.13.67, there is a bus error (when handling a disk64_trailer seek value) caused by loading of a misaligned address in the zzip_disk_findfirst function of zzip/mmapped.c. | |||||
| CVE-2020-18770 | 1 Gdraheim | 1 Zziplib | 2025-07-10 | N/A | 5.5 MEDIUM |
| An issue was discovered in function zzip_disk_entry_to_file_header in mmapped.c in zziplib 0.13.69, which will lead to a denial-of-service. | |||||
| CVE-2018-6540 | 2 Canonical, Gdraheim | 2 Ubuntu Linux, Zziplib | 2025-07-10 | 4.3 MEDIUM | 6.5 MEDIUM |
| In ZZIPlib 0.13.67, there is a bus error caused by loading of a misaligned address in the zzip_disk_findfirst function of zzip/mmapped.c. Remote attackers could leverage this vulnerability to cause a denial of service via a crafted zip file. | |||||
| CVE-2024-13451 | 1 Bitapps | 1 Bit Form | 2025-07-10 | N/A | 5.3 MEDIUM |
| The Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.17.4 via file uploads due to insufficient directory listing prevention and lack of randomization of file names. This makes it possible for unauthenticated attackers to extract sensitive data including files uploaded via a form. The vulnerability was partially patched in version 2.17.5. | |||||