Total
10389 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-34102 | 2025-07-15 | N/A | N/A | ||
| A remote code execution vulnerability exists in CryptoLog (PHP version, discontinued since 2009) due to a chained exploitation of SQL injection and command injection vulnerabilities. An unauthenticated attacker can gain shell access as the web server user by first exploiting a SQL injection flaw in login.php to bypass authentication, followed by command injection in logshares_ajax.php to execute arbitrary operating system commands. The login bypass is achieved by submitting crafted SQL via the user POST parameter. Once authenticated, the attacker can abuse the lsid POST parameter in the logshares_ajax.php endpoint to inject and execute a command using $(...) syntax, resulting in code execution under the web context. This exploitation path does not exist in the ASP.NET version of CryptoLog released since 2009. | |||||
| CVE-2025-47982 | 1 Microsoft | 12 Windows 10 1607, Windows 10 1809, Windows 10 21h2 and 9 more | 2025-07-14 | N/A | 7.8 HIGH |
| Improper input validation in Windows Storage VSP Driver allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-1440 | 1 Tinywebgallery | 1 Advanced Iframe | 2025-07-14 | N/A | 5.3 MEDIUM |
| The Advanced iFrame plugin for WordPress is vulnerable to unauthorized excessive creation of options on the aip_map_url_callback() function in all versions up to, and including, 2024.5 due to insufficient restrictions. This makes it possible for unauthenticated attackers to update the advancediFrameParameterData option with an excessive amount of unvalidated data. | |||||
| CVE-2024-10986 | 1 Binary-husky | 1 Gpt Academic | 2025-07-14 | N/A | 8.8 HIGH |
| GPT Academic version 3.83 is vulnerable to a Local File Read (LFI) vulnerability through its HotReload function. This function can download and extract tar.gz files from arxiv.org. Despite implementing protections against path traversal, the application overlooks the Tarslip triggered by symlinks. This oversight allows attackers to read arbitrary local files from the victim server. | |||||
| CVE-2024-27613 | 1 Numbas | 1 Editor | 2025-07-11 | N/A | 7.3 HIGH |
| Numbas editor before 7.3 mishandles reading of themes and extensions. | |||||
| CVE-2025-6376 | 1 Rockwellautomation | 1 Arena | 2025-07-11 | N/A | 7.8 HIGH |
| A remote code execution security issue exists in the Rockwell Automation Arena®. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P. | |||||
| CVE-2025-6377 | 1 Rockwellautomation | 1 Arena | 2025-07-11 | N/A | 7.8 HIGH |
| A remote code execution security issue exists in the Rockwell Automation Arena®. A crafted DOE file can force Arena Simulation to write beyond the boundaries of an allocated object. Exploitation requires user interaction, such as opening a malicious file within the software. If exploited, a threat actor could execute arbitrary code on the target system. The software must run under the context of the administrator in order to cause worse case impact. This is reflected in the Rockwell CVSS score, as AT:P. | |||||
| CVE-2025-24002 | 1 Phoenixcontact | 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more | 2025-07-11 | N/A | 5.3 MEDIUM |
| An unauthenticated remote attacker can use MQTT messages to crash a service on charging stations complying with German Calibration Law, resulting in a temporary denial-of-service for these stations until they got restarted by the watchdog. | |||||
| CVE-2025-24005 | 1 Phoenixcontact | 8 Charx Sec-3000, Charx Sec-3000 Firmware, Charx Sec-3050 and 5 more | 2025-07-11 | N/A | 7.8 HIGH |
| A local attacker with a local user account can leverage a vulnerable script via SSH to escalate privileges to root due to improper input validation. | |||||
| CVE-2022-32144 | 1 Huawei | 2 Cv81-wdm, Cv81-wdm Firmware | 2025-07-11 | N/A | 8.6 HIGH |
| There is an insufficient input verification vulnerability in Huawei product. Successful exploitation of this vulnerability may lead to service abnormal. (Vulnerability ID: HWPSIRT-2022-76192) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2022-32144. | |||||
| CVE-2024-45031 | 1 Apache | 1 Syncope | 2025-07-10 | N/A | 6.1 MEDIUM |
| When editing objects in the Syncope Console, incomplete HTML tags could be used to bypass HTML sanitization. This made it possible to inject stored XSS payloads which would trigger for other users during ordinary usage of the application. XSS payloads could also be injected in Syncope Enduser when editing “Personal Information” or “User Requests”: such payloads would trigger for administrators in Syncope Console, thus enabling session hijacking. Users are recommended to upgrade to version 3.0.9, which fixes this issue. | |||||
| CVE-2024-3584 | 1 Qdrant | 1 Qdrant | 2025-07-10 | N/A | 7.5 HIGH |
| qdrant/qdrant version 1.9.0-dev is vulnerable to path traversal due to improper input validation in the `/collections/{name}/snapshots/upload` endpoint. By manipulating the `name` parameter through URL encoding, an attacker can upload a file to an arbitrary location on the system, such as `/root/poc.txt`. This vulnerability allows for the writing and overwriting of arbitrary files on the server, potentially leading to a full takeover of the system. The issue is fixed in version 1.9.0. | |||||
| CVE-2024-3829 | 1 Qdrant | 1 Qdrant | 2025-07-10 | N/A | 9.1 CRITICAL |
| qdrant/qdrant version 1.9.0-dev is vulnerable to arbitrary file read and write during the snapshot recovery process. Attackers can exploit this vulnerability by manipulating snapshot files to include symlinks, leading to arbitrary file read by adding a symlink that points to a desired file on the filesystem and arbitrary file write by including a symlink and a payload file in the snapshot's directory structure. This vulnerability allows for the reading and writing of arbitrary files on the server, which could potentially lead to a full takeover of the system. The issue is fixed in version v1.9.0. | |||||
| CVE-2024-4287 | 1 Mintplexlabs | 1 Anythingllm | 2025-07-10 | N/A | 7.2 HIGH |
| In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifically, the application fails to validate or format JSON data sent in an HTTP POST request to `/api/workspace/:workspace-slug/update`, allowing it to be executed as part of a database query without restrictions. This flaw enables users with a manager role to craft a request that includes nested write operations, effectively allowing them to create new Administrator accounts. | |||||
| CVE-2024-34365 | 1 Apache | 1 Karaf Cave | 2025-07-10 | N/A | 9.1 CRITICAL |
| ** UNSUPPORTED WHEN ASSIGNED ** Improper Input Validation vulnerability in Apache Karaf Cave.This issue affects all versions of Apache Karaf Cave. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users.NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | |||||
| CVE-2024-4321 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2025-07-10 | N/A | 7.5 HIGH |
| A Local File Inclusion (LFI) vulnerability exists in the gaizhenbiao/chuanhuchatgpt application, specifically within the functionality for uploading chat history. The vulnerability arises due to improper input validation when handling file paths during the chat history upload process. An attacker can exploit this vulnerability by intercepting requests and manipulating the 'name' parameter to specify arbitrary file paths. This allows the attacker to read sensitive files on the server, leading to information leakage, including API keys and private information. The issue affects version 20240310 of the application. | |||||
| CVE-2025-26647 | 1 Microsoft | 7 Windows Server 2008, Windows Server 2012, Windows Server 2016 and 4 more | 2025-07-10 | N/A | 8.8 HIGH |
| Improper input validation in Windows Kerberos allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2025-24058 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2025-07-10 | N/A | 7.8 HIGH |
| Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally. | |||||
| CVE-2025-27737 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 12 more | 2025-07-10 | N/A | 8.6 HIGH |
| Improper input validation in Windows Security Zone Mapping allows an unauthorized attacker to bypass a security feature locally. | |||||
| CVE-2025-29811 | 1 Microsoft | 5 Windows 11 22h2, Windows 11 23h2, Windows 11 24h2 and 2 more | 2025-07-10 | N/A | 7.8 HIGH |
| Improper input validation in Windows Mobile Broadband allows an authorized attacker to elevate privileges locally. | |||||