Total
305870 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-11398 | 1 Synology | 1 Router Manager | 2025-07-29 | N/A | 8.1 HIGH |
| Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in OTP reset functionality in Synology Router Manager (SRM) before 1.3.1-9346-9 allows remote authenticated users to delete arbitrary files via unspecified vectors. | |||||
| CVE-2024-11603 | 1 Lm-sys | 1 Fastchat | 2025-07-29 | N/A | 7.5 HIGH |
| A Server-Side Request Forgery (SSRF) vulnerability exists in lm-sys/fastchat version 0.2.36. The vulnerability is present in the `/queue/join?` endpoint, where insufficient validation of the path parameter allows an attacker to send crafted requests. This can lead to unauthorized access to internal networks or the AWS metadata endpoint, potentially exposing sensitive data and compromising internal servers. | |||||
| CVE-2024-11625 | 1 Progress | 1 Sitefinity | 2025-07-29 | N/A | 7.7 HIGH |
| Information Exposure Through an Error Message vulnerability in Progress Software Corporation Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. | |||||
| CVE-2024-11626 | 1 Progress | 1 Sitefinity | 2025-07-29 | N/A | 8.4 HIGH |
| Improper Neutralization of Input During CMS Backend (adminstrative section) Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Progress Sitefinity.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. | |||||
| CVE-2024-53286 | 1 Synology | 1 Router Manager | 2025-07-29 | N/A | 7.2 HIGH |
| Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to execute arbitrary code via unspecified vectors. | |||||
| CVE-2024-53287 | 1 Synology | 1 Router Manager | 2025-07-29 | N/A | 5.9 MEDIUM |
| Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in VPN Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2024-53288 | 1 Synology | 1 Router Manager | 2025-07-29 | N/A | 5.9 MEDIUM |
| Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in NTP Region functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2024-11627 | 1 Progress | 1 Sitefinity | 2025-07-29 | N/A | 6.8 MEDIUM |
| : Insufficient Session Expiration vulnerability in Progress Sitefinity allows : Session Fixation.This issue affects Sitefinity: from 4.0 through 14.4.8142, from 15.0.8200 through 15.0.8229, from 15.1.8300 through 15.1.8327, from 15.2.8400 through 15.2.8421. | |||||
| CVE-2024-11681 | 2 Apple, Macports | 2 Macos, Macports | 2025-07-29 | N/A | 6.8 MEDIUM |
| A malicious or compromised MacPorts mirror can execute arbitrary commands as root on the machine of a client running port selfupdate against the mirror. | |||||
| CVE-2024-11738 | 1 Rustls Project | 1 Rustls | 2025-07-29 | N/A | 5.3 MEDIUM |
| A flaw was found in Rustls 0.23.13 and related APIs. This vulnerability allows denial of service (panic) via a fragmented TLS ClientHello message. | |||||
| CVE-2024-3571 | 1 Langchain | 1 Langchain | 2025-07-29 | N/A | 8.8 HIGH |
| langchain-ai/langchain is vulnerable to path traversal due to improper limitation of a pathname to a restricted directory ('Path Traversal') in its LocalFileStore functionality. An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to information disclosure or remote code execution. The issue lies in the handling of file paths in the mset and mget methods, where user-supplied input is not adequately sanitized, allowing directory traversal sequences to reach unintended directories. | |||||
| CVE-2024-9415 | 1 Superagi | 1 Superagi | 2025-07-29 | N/A | 8.8 HIGH |
| A Path Traversal vulnerability exists in the file upload functionality of transformeroptimus/superagi version 0.0.14. This vulnerability allows an attacker to upload an arbitrary file to the server, potentially leading to remote code execution or overwriting any file on the server. | |||||
| CVE-2024-9431 | 1 Superagi | 1 Superagi | 2025-07-29 | N/A | 8.8 HIGH |
| In version v0.0.14 of transformeroptimus/superagi, there is an improper privilege management vulnerability. After logging into the system, users can change the passwords of other users, leading to potential account takeover. | |||||
| CVE-2025-4478 | 2025-07-29 | N/A | 7.1 HIGH | ||
| A flaw was found in the FreeRDP used by Anaconda's remote install feature, where a crafted RDP packet could trigger a segmentation fault. This issue causes the service to crash and remain defunct, resulting in a denial of service. It occurs pre-boot and is likely due to a NULL pointer dereference. Rebooting is required to recover the system. | |||||
| CVE-2025-47712 | 2025-07-29 | N/A | 4.3 MEDIUM | ||
| A flaw exists in the nbdkit "blocksize" filter that can be triggered by a specific type of client request. When a client requests block status information for a very large data range, exceeding a certain limit, it causes an internal error in the nbdkit, leading to a denial of service. | |||||
| CVE-2024-9447 | 1 Superagi | 1 Superagi | 2025-07-29 | N/A | 6.5 MEDIUM |
| An information disclosure vulnerability exists in the latest version of transformeroptimus/superagi. The `/get/organisation/` endpoint does not verify the user's organization, allowing any authenticated user to retrieve sensitive configuration details, including API keys, of any organization. This could lead to unauthorized access to services and significant data breaches or financial loss. | |||||
| CVE-2024-1183 | 1 Gradio Project | 1 Gradio | 2025-07-29 | N/A | 6.5 MEDIUM |
| An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the presence of a 'Location' header or a 'File not allowed' error in the response. | |||||
| CVE-2024-7995 | 1 Autodesk | 1 Vred | 2025-07-29 | N/A | 7.8 HIGH |
| A maliciously crafted binary file when downloaded could lead to escalation of privileges to NT AUTHORITY/SYSTEM due to an untrusted search path being utilized in the VRED Design application. Exploitation of this vulnerability may lead to code execution. | |||||
| CVE-2024-11958 | 1 Llamaindex | 1 Llamaindex | 2025-07-29 | N/A | 9.8 CRITICAL |
| A SQL injection vulnerability exists in the `duckdb_retriever` component of the run-llama/llama_index repository, specifically in the latest version. The vulnerability arises from the construction of SQL queries without using prepared statements, allowing an attacker to inject arbitrary SQL code. This can lead to remote code execution (RCE) by installing the shellfs extension and executing malicious commands. | |||||
| CVE-2025-5335 | 1 Autodesk | 1 Installer | 2025-07-29 | N/A | 7.8 HIGH |
| A maliciously crafted binary file when downloaded could lead to escalation of privileges to NT AUTHORITY/SYSTEM due to an untrusted search path being utilized in the Autodesk Installer application. Exploitation of this vulnerability may lead to code execution. | |||||