Total
306485 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-1166 | 1 Remyandrade | 1 Food Menu Manager | 2025-08-01 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability has been found in SourceCodester Food Menu Manager 1.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file endpoint/update.php. The manipulation leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-1289 | 1 Coffee-code | 1 Plugin Oficial | 2025-08-01 | N/A | 4.8 MEDIUM |
| The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2025-1303 | 1 Coffee-code | 1 Plugin Oficial | 2025-08-01 | N/A | 6.1 MEDIUM |
| The Plugin Oficial WordPress plugin through 1.7.3 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against only unauthenticated users. | |||||
| CVE-2025-4567 | 1 Infornweb | 1 Post Slider And Post Carousel | 2025-08-01 | N/A | 4.8 MEDIUM |
| The Post Slider and Post Carousel with Post Vertical Scrolling Widget WordPress plugin before 3.2.10 does not validate and escape some of its Widget options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2025-47042 | 1 Adobe | 1 Experience Manager | 2025-08-01 | N/A | 5.4 MEDIUM |
| Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2025-47041 | 1 Adobe | 1 Experience Manager | 2025-08-01 | N/A | 5.4 MEDIUM |
| Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2025-47040 | 1 Adobe | 1 Experience Manager | 2025-08-01 | N/A | 5.4 MEDIUM |
| Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2025-47039 | 1 Adobe | 1 Experience Manager | 2025-08-01 | N/A | 5.4 MEDIUM |
| Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2023-6786 | 1 Hkdigit | 1 Payment Gateway For Telcell | 2025-08-01 | N/A | 6.1 MEDIUM |
| The Payment Gateway for Telcell WordPress plugin through 2.0.1 does not validate the api_url parameter before redirecting the user to its value, leading to an Open Redirect issue | |||||
| CVE-2024-33601 | 3 Debian, Gnu, Netapp | 20 Debian Linux, Glibc, H300s and 17 more | 2025-08-01 | N/A | 7.3 HIGH |
| nscd: netgroup cache may terminate daemon on memory allocation failure The Name Service Cache Daemon's (nscd) netgroup cache uses xmalloc or xrealloc and these functions may terminate the process due to a memory allocation failure resulting in a denial of service to the clients. The flaw was introduced in glibc 2.15 when the cache was added to nscd. This vulnerability is only present in the nscd binary. | |||||
| CVE-2024-9418 | 1 Superagi | 1 Superagi | 2025-08-01 | N/A | 6.5 MEDIUM |
| In version 0.0.14 of transformeroptimus/superagi, the API endpoint `/api/users/get/{id}` returns the user's password in plaintext. This vulnerability allows an attacker to retrieve the password of another user, leading to potential account takeover. | |||||
| CVE-2025-0183 | 1 Binary-husky | 1 Gpt Academic | 2025-08-01 | N/A | 5.4 MEDIUM |
| A stored cross-site scripting (XSS) vulnerability exists in the Latex Proof-Reading Module of binary-husky/gpt_academic version 3.9.0. This vulnerability allows an attacker to inject malicious scripts into the `debug_log.html` file generated by the module. When an admin visits this debug report, the injected scripts can execute, potentially leading to unauthorized actions and data access. | |||||
| CVE-2024-8537 | 1 Modelscope | 1 Agentscope | 2025-08-01 | N/A | 9.1 CRITICAL |
| A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. The vulnerability is present in the /delete-workflow endpoint, allowing an attacker to delete arbitrary files from the filesystem. This issue arises due to improper input validation, enabling the attacker to manipulate file paths and delete sensitive files outside of the intended directory. | |||||
| CVE-2024-8438 | 1 Modelscope | 1 Agentscope | 2025-08-01 | N/A | 7.5 HIGH |
| A path traversal vulnerability exists in modelscope/agentscope version v.0.0.4. The API endpoint `/api/file` does not properly sanitize the `path` parameter, allowing an attacker to read arbitrary files on the server. | |||||
| CVE-2024-8027 | 1 Youdao | 1 Qanything | 2025-08-01 | N/A | 6.1 MEDIUM |
| A stored Cross-Site Scripting (XSS) vulnerability exists in netease-youdao/QAnything. Attackers can upload malicious knowledge files to the knowledge base, which can trigger XSS attacks during user chats. This vulnerability affects all versions prior to the fix. | |||||
| CVE-2024-8024 | 1 Youdao | 1 Qanything | 2025-08-01 | N/A | 7.5 HIGH |
| A CORS misconfiguration vulnerability exists in netease-youdao/qanything version 1.4.1. This vulnerability allows an attacker to bypass the Same-Origin Policy, potentially leading to sensitive information exposure. Properly implementing a restrictive CORS policy is crucial to prevent such security issues. | |||||
| CVE-2024-8020 | 1 Lightningai | 1 Pytorch Lightning | 2025-08-01 | N/A | 7.5 HIGH |
| A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint of `LightningApp`. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down. | |||||
| CVE-2024-8019 | 1 Lightningai | 1 Pytorch Lightning | 2025-08-01 | N/A | 9.1 CRITICAL |
| In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows host. The vulnerability occurs at the `/api/v1/upload_file/` endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations. | |||||
| CVE-2024-6866 | 1 Flask-cors Project | 1 Flask-cors | 2025-08-01 | N/A | 7.5 HIGH |
| corydolphin/flask-cors version 4.01 contains a vulnerability where the request path matching is case-insensitive due to the use of the `try_match` function, which is originally intended for matching hosts. This results in a mismatch because paths in URLs are case-sensitive, but the regex matching treats them as case-insensitive. This misconfiguration can lead to significant security vulnerabilities, allowing unauthorized origins to access paths meant to be restricted, resulting in data exposure and potential data leaks. | |||||
| CVE-2024-6844 | 1 Flask-cors Project | 1 Flask-cors | 2025-08-01 | N/A | 5.3 MEDIUM |
| A vulnerability in corydolphin/flask-cors version 4.0.1 allows for inconsistent CORS matching due to the handling of the '+' character in URL paths. The request.path is passed through the unquote_plus function, which converts the '+' character to a space ' '. This behavior leads to incorrect path normalization, causing potential mismatches in CORS configuration. As a result, endpoints may not be matched correctly to their CORS settings, leading to unexpected CORS policy application. This can cause unauthorized cross-origin access or block valid requests, creating security vulnerabilities and usability issues. | |||||