Total
303945 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-11405 | 1 Hellomohsinkhan | 1 Wp Front-end Login And Register | 2025-07-16 | N/A | 6.1 MEDIUM |
| The WP Front-end login and register plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the email and wpmp_reset_password_token parameters in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-3785 | 1 Dlink | 2 Dwr-m961, Dwr-m961 Firmware | 2025-07-16 | 9.0 HIGH | 8.8 HIGH |
| A vulnerability has been found in D-Link DWR-M961 1.1.36 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formStaticDHCP of the component Authorization Interface. The manipulation of the argument Hostname leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.49 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2025-6756 | 1 Themefic | 1 Ultimate Addons For Contact Form 7 | 2025-07-16 | N/A | 6.4 MEDIUM |
| The Ultra Addons for Contact Form 7 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's UACF7_CUSTOM_FIELDS shortcode in all versions up to, and including, 3.5.21 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-22454 | 1 Ivanti | 1 Secure Access Client | 2025-07-16 | N/A | 7.8 HIGH |
| Insufficiently restrictive permissions in Ivanti Secure Access Client before 22.7R4 allows a local authenticated attacker to escalate their privileges. | |||||
| CVE-2025-5559 | 1 Bernhard-riedl | 1 Timezonecalculator | 2025-07-16 | N/A | 6.4 MEDIUM |
| The TimeZoneCalculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'timezonecalculator_output' shortcode in all versions up to, and including, 3.37 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-45638 | 2 Ibm, Linux | 2 Security Qradar Edr, Linux Kernel | 2025-07-16 | N/A | 4.1 MEDIUM |
| IBM Security QRadar 3.12 EDR stores user credentials in plain text which can be read by a local privileged user. | |||||
| CVE-2024-45643 | 2 Ibm, Linux | 2 Security Qradar Edr, Linux Kernel | 2025-07-16 | N/A | 5.9 MEDIUM |
| IBM Security QRadar 3.12 EDR uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt sensitive credential information. | |||||
| CVE-2024-32119 | 1 Fortinet | 1 Forticlientems | 2025-07-16 | N/A | 4.8 MEDIUM |
| An improper authentication vulnerability [CWE-287] in Fortinet FortiClientEMS version 7.4.0 and before 7.2.4 allows an unauthenticated attacker with the knowledge of the targeted user's FCTUID and VDOM to perform operations such as uploading or tagging on behalf of the targeted user via specially crafted TCP requests. | |||||
| CVE-2023-48786 | 1 Fortinet | 1 Forticlientems | 2025-07-16 | N/A | 4.3 MEDIUM |
| A server-side request forgery vulnerability [CWE-918] in Fortinet FortiClientEMS version 7.4.0 through 7.4.2 and before 7.2.6 may allow an authenticated attacker to perform internal requests via crafted HTTP or HTTPS requests. | |||||
| CVE-2025-22859 | 1 Fortinet | 2 Forticlientems, Forticlientems Cloud | 2025-07-16 | N/A | 5.3 MEDIUM |
| A Relative Path Traversal vulnerability [CWE-23] in FortiClientEMS 7.4.0 through 7.4.1 and FortiClientEMS Cloud 7.4.0 through 7.4.1 may allow a remote unauthenticated attacker to perform a limited arbitrary file write on the system via upload requests. | |||||
| CVE-2025-1796 | 1 Langgenius | 1 Dify | 2025-07-16 | N/A | 8.8 HIGH |
| A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a weak pseudo-random number generator (PRNG) used for generating password reset codes. The application uses `random.randint` for this purpose, which is not suitable for cryptographic use and can be cracked. An attacker with access to workflow tools can extract the PRNG output and predict future password reset codes, leading to a complete compromise of the application. | |||||
| CVE-2025-5874 | 2025-07-16 | 4.0 MEDIUM | 4.6 MEDIUM | ||
| A vulnerability was found in Redash up to 10.1.0/25.1.0. It has been rated as problematic. This issue affects the function run_query of the file /query_runner/python.py of the component getattr Handler. The manipulation leads to sandbox issue. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor explains, that "[t]he Python data source is disabled by default and is clearly marked in our documentation as discouraged due to its security implications. Users who choose to enable it are doing so at their own risk, with full awareness that it bypasses standard safeguards." | |||||
| CVE-2025-52690 | 2025-07-16 | N/A | 8.1 HIGH | ||
| Successful exploitation of the vulnerability could allow an attacker to execute arbitrary commands as root, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point. | |||||
| CVE-2025-52689 | 2025-07-16 | N/A | 9.8 CRITICAL | ||
| Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point. | |||||
| CVE-2025-52688 | 2025-07-16 | N/A | 9.8 CRITICAL | ||
| Successful exploitation of the vulnerability could allow an attacker to inject commands with root privileges on the access point, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point. | |||||
| CVE-2025-50059 | 2025-07-16 | N/A | 8.6 HIGH | ||
| Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u451-perf, 11.0.27, 17.0.15, 21.0.7, 24.0.1; Oracle GraalVM for JDK: 17.0.15, 21.0.7 and 24.0.1; Oracle GraalVM Enterprise Edition: 21.3.14. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. While the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 8.6 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). | |||||
| CVE-2025-34300 | 2025-07-16 | N/A | N/A | ||
| A template injection vulnerability exists in Sawtooth Software’s Lighthouse Studio versions prior to 9.16.14 via the ciwweb.pl http://ciwweb.pl/ Perl web application. Exploitation allows an unauthenticated attacker can execute arbitrary commands. | |||||
| CVE-2024-52968 | 1 Fortinet | 1 Forticlient | 2025-07-16 | N/A | 6.7 MEDIUM |
| An improper authentication in Fortinet FortiClientMac 7.0.11 through 7.2.4 allows attacker to gain improper access to MacOS via empty password. | |||||
| CVE-2025-22227 | 2025-07-16 | N/A | 6.1 MEDIUM | ||
| In some specific scenarios with chained redirects, Reactor Netty HTTP client leaks credentials. In order for this to happen, the HTTP client must have been explicitly configured to follow redirects. | |||||
| CVE-2024-40586 | 1 Fortinet | 1 Forticlient | 2025-07-16 | N/A | 6.7 MEDIUM |
| An Improper Access Control vulnerability [CWE-284] in FortiClient Windows version 7.4.0, version 7.2.6 and below, version 7.0.13 and below may allow a local user to escalate his privileges via FortiSSLVPNd service pipe. | |||||