Total
304507 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-54071 | 2025-07-22 | N/A | N/A | ||
| RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. In versions 4.0.0-beta.3 and below, an authenticated arbitrary file write vulnerability exists in the /api/saves endpoint. This can lead to Remote Code Execution on the system. The vulnerability permits arbitrary file write operations, allowing attackers to create or modify files at any filesystem location with user-supplied content. A user with viewer role or Scope.ASSETS_WRITE permission or above is required to pass authentication checks. The vulnerability is fixed in version 4.0.0-beta.4. | |||||
| CVE-2025-5240 | 2025-07-22 | N/A | 6.4 MEDIUM | ||
| The CRM and Lead Management by vcita plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘type’ parameter in all versions up to, and including, 2.7.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-7932 | 2025-07-22 | 6.5 MEDIUM | 6.3 MEDIUM | ||
| A vulnerability classified as critical has been found in D-Link DIR‑817L up to 1.04B01. This affects the function lxmldbc_system of the file ssdpcgi. The manipulation leads to command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-7644 | 2025-07-22 | N/A | 6.4 MEDIUM | ||
| The Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via URLs in all widgets in all versions up to, and including, 1.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2025-7687 | 2025-07-22 | N/A | 6.1 MEDIUM | ||
| The Latest Post Accordian Slider plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on the 'lpaccordian' page. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | |||||
| CVE-2025-53832 | 2025-07-22 | N/A | 7.5 HIGH | ||
| Lara Translate MCP Server is a Model Context Protocol (MCP) Server for Lara Translate API. Versions 0.0.11 and below contain a command injection vulnerability which exists in the @translated/lara-mcp MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to child_process.exec, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (|, >, &&, etc.). This vulnerability is fixed in version 0.0.12. | |||||
| CVE-2025-7945 | 2025-07-22 | 9.0 HIGH | 8.8 HIGH | ||
| A vulnerability was found in D-Link DIR-513 up to 20190831. It has been declared as critical. This vulnerability affects the function formSetWanDhcpplus of the file /goform/formSetWanDhcpplus. The manipulation of the argument curTime leads to buffer overflow. The attack can be initiated remotely. This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2025-20143 | 1 Cisco | 1 Ios Xr | 2025-07-22 | N/A | 6.7 MEDIUM |
| A vulnerability in the boot process of Cisco IOS XR Software could allow an authenticated, local attacker with high privileges to bypass the Secure Boot functionality and load unverified software on an affected device. To exploit this vulnerability, the attacker must have root-system privileges on the affected device. This vulnerability is due to insufficient verification of modules in the software load process. An attacker could exploit this vulnerability by manipulating the loaded binaries to bypass some of the integrity checks that are performed during the booting process. A successful exploit could allow the attacker to control the boot configuration, which could enable them to bypass the requirement to run Cisco-signed images or alter the security properties of the running system. Note: This vulnerability affects Cisco IOS XR Software, not the Secure Boot feature. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | |||||
| CVE-2024-10929 | 2025-07-22 | N/A | 5.1 MEDIUM | ||
| In certain circumstances, an issue in Arm Cortex-A57, Cortex-A72 (revisions before r1p0), Cortex-A73 and Cortex-A75 may allow an adversary to gain a weak form of control over the victim's branch history. | |||||
| CVE-2025-23367 | 2025-07-22 | N/A | 6.5 MEDIUM | ||
| A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action. | |||||
| CVE-2025-54362 | 2025-07-22 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54361 | 2025-07-22 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54360 | 2025-07-22 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54359 | 2025-07-22 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54358 | 2025-07-22 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54357 | 2025-07-22 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54356 | 2025-07-22 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54355 | 2025-07-22 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54354 | 2025-07-22 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2019-6446 | 2 Fedoraproject, Numpy | 2 Fedora, Numpy | 2025-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in NumPy before 1.16.3. It uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, as demonstrated by a numpy.load call. NOTE: third parties dispute this issue because it is a behavior that might have legitimate applications in (for example) loading serialized Python object arrays from trusted and authenticated sources. | |||||