Total
304867 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2025-48498 | | | 2025-07-25 | N/A | 7.5 HIGH |
A null pointer dereference vulnerability exists in the Distributed Transaction component of Bloomberg Comdb2 8.1 when processing a number of fields used for coordination. A specially crafted protocol buffer message can lead to a denial of service. An attacker can simply connect to a database instance over TCP and send the crafted message to trigger this vulnerability. | | | | | |
CVE-2025-6174 | | | 2025-07-25 | N/A | 6.1 MEDIUM |
The Qwizcards \| online quizzes and flashcards WordPress plugin through 3.9.4 does not sanitise and escape the "_stylesheet" parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin or any other user. | | | | | |
CVE-2025-44109 | | | 2025-07-25 | N/A | 5.4 MEDIUM |
A URL redirection in Pinokio v3.6.23 allows attackers to redirect victim users to attacker-controlled pages. | | | | | |
CVE-2025-51459 | | | 2025-07-25 | N/A | 6.5 MEDIUM |
File Upload vulnerability in agent.hub.controller.refresh_plugins in eosphoros-ai DB-GPT 0.7.0 allows remote attackers to execute arbitrary code via a malicious plugin ZIP file uploaded to the /v1/personal/agent/upload endpoint, interacting with plugin_hub._sanitize_filename and plugins_util.scan_plugins. | | | | | |
CVE-2025-51863 | | | 2025-07-25 | N/A | 6.1 MEDIUM |
Self Cross Site Scripting (XSS) vulnerability in ChatGPT Unli (ChatGPTUnli.com) thru 2025-05-26 allows attackers to execute arbitrary code via a crafted SVG file to the chat interface. | | | | | |
CVE-2025-4393 | | | 2025-07-25 | N/A | 6.5 MEDIUM |
Medtronic MyCareLink Patient Monitor has an internal service that deserializes data, which allows a local attacker to interact with the service by crafting a binary payload to crash the service or elevate privileges. This issue affects MyCareLink Patient Monitor models 24950 and 24952: before June 25, 2025 | | | | | |
CVE-2025-41425 | | | 2025-07-25 | N/A | 8.1 HIGH |
DuraComm SPM-500 DP-10iN-100-MU is vulnerable to a cross-site scripting attack. This could allow an attacker to prevent legitimate users from accessing the web interface. | | | | | |
CVE-2025-43487 | | | 2025-07-25 | N/A | N/A |
A potential privilege escalation through Sudo vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.2. The firmware flaw does not properly implement access controls. HP has addressed the issue in the latest software update. | | | | | |
CVE-2025-46099 | | | 2025-07-25 | N/A | 7.1 HIGH |
In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routing logic in albums.site.php, resulting in arbitrary command execution through a GET parameter. | | | | | |
CVE-2025-54297 | | | 2025-07-25 | N/A | N/A |
A stored XSS vulnerability in CComment component 5.0.0-6.1.14 for Joomla was discovered. | | | | | |
CVE-2025-43881 | | | 2025-07-25 | N/A | 4.3 MEDIUM |
Improper validation of specified quantity in input issue exists in Real-time Bus Tracking System versions prior to 1.1. If exploited, a denial of service (DoS) condition may be caused by an attacker who can log in to the administrative page of the affected product. | | | | | |
CVE-2025-8021 | | | 2025-07-25 | N/A | 7.5 HIGH |
All versions of the package files-bucket-server are vulnerable to Directory Traversal where an attacker can traverse the file system and access files outside of the intended directory. | | | | | |
CVE-2025-7766 | | | 2025-07-25 | N/A | 8.0 HIGH |
Lantronix Provisioning Manager is vulnerable to XML external entity attacks in configuration files supplied by network devices, leading to unauthenticated remote code execution on hosts with Provisioning Manager installed. | | | | | |
CVE-2025-53703 | | | 2025-07-25 | N/A | 7.5 HIGH |
DuraComm SPM-500 DP-10iN-100-MU transmits sensitive data without encryption over a channel that could be intercepted by attackers. | | | | | |
CVE-2025-46354 | | | 2025-07-25 | N/A | 7.5 HIGH |
A denial of service vulnerability exists in the Distributed Transaction Commit/Abort Operation functionality of Bloomberg Comdb2 8.1. A specially crafted network packet can lead to a denial of service. An attacker can send a malicious packet to trigger this vulnerability. | | | | | |
CVE-2025-5818 | | | 2025-07-25 | N/A | 5.5 MEDIUM |
The Featured Image Plus – Quick & Bulk Edit with Unsplash plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.4 via the fip_get_image_options() function. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | | | | | |
CVE-2025-41240 | | | 2025-07-25 | N/A | 10.0 CRITICAL |
Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could retrieve these secrets by accessing specific URLs if the application is exposed externally. The issue affects deployments using the default value of usePasswordFiles=true, which mounts secrets as files into the container filesystem. | | | | | |
CVE-2025-43020 | | | 2025-07-25 | N/A | N/A |
A potential command injection vulnerability has been identified in the Poly Clariti Manager for versions prior to 10.12.2. The vulnerability could allow a privileged user to submit arbitrary input. HP has addressed the issue in the latest software update. | | | | | |
CVE-2025-31700 | | | 2025-07-25 | N/A | 8.1 HIGH |
A vulnerability has been found in Dahua products. Attackers could exploit a buffer overflow vulnerability by sending specially crafted malicious packets, potentially causing service disruption (e.g., crashes) or remote code execution (RCE). Some devices may have deployed protection mechanisms such as Address Space Layout Randomization (ASLR), which reduces the likelihood of successful RCE exploitation. However, denial-of-service (DoS) attacks remain a concern. | | | | | |
CVE-2025-42947 | | | 2025-07-25 | N/A | 5.5 MEDIUM |
SAP FICA ODN framework allows a high privileged user to inject value inside the local variable which can then be executed by the application. An attacker could thereby control the behaviour of the application causing high impact on integrity, low impact on availability and no impact on confidentiality of the application. | | | | | |