Total
11398 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-54614 | 1 Huawei | 1 Harmonyos | 2026-06-17 | N/A | 6.2 MEDIUM |
| Input verification vulnerability in the home screen module. Impact: Successful exploitation of this vulnerability may affect availability. | |||||
| CVE-2025-54564 | 2026-06-17 | N/A | 7.8 HIGH | ||
| uploadsm in ChargePoint Home Flex 5.5.4.13 does not validate a user-controlled string for bz2 decompression, which allows command execution as the nobody user. | |||||
| CVE-2025-54385 | 1 Xwiki | 1 Xwiki | 2026-06-17 | N/A | 9.8 CRITICAL |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In versions between 17.0.0-rc1 to 17.2.2 and versions 16.10.5 and below, it's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs pass queries directly to Hibernate without sanitization. Even when these APIs enforce a specific SELECT clause, attackers can still inject malicious code through HQL's native function support in other parts of the query (such as the WHERE clause). This is fixed in versions 16.10.6 and 17.3.0-rc-1. | |||||
| CVE-2025-54368 | 2026-06-17 | N/A | N/A | ||
| uv is a Python package and project manager written in Rust. In versions 0.8.5 and earlier, remote ZIP archives were handled in a streamwise fashion, and file entries were not reconciled against the archive's central directory. An attacker could contrive a ZIP archive that would extract with legitimate contents on some package installers, and malicious contents on others due to multiple local file entries. An attacker could also contrive a "stacked" ZIP input with multiple internal ZIPs, which would be handled differently by different package installers. The attacker could choose which installer to target in both scenarios. This issue is fixed in version 0.8.6. To work around this issue, users may choose to set UV_INSECURE_NO_ZIP_VALIDATION=1 to revert to the previous behavior. | |||||
| CVE-2025-54365 | 1 Fastapi-guard | 1 Fastapi Guard | 2026-06-17 | N/A | 7.5 HIGH |
| fastapi-guard is a security library for FastAPI that provides middleware to control IPs, log requests, detect penetration attempts and more. In version 3.0.1, the regular expression patched to mitigate the ReDoS vulnerability by limiting the length of string fails to catch inputs that exceed this limit. This type of patch fails to detect cases in which the string representing the attributes of a <script> tag exceeds 100 characters. As a result, most of the regex patterns present in version 3.0.1 can be bypassed. This is fixed in version 3.0.2. | |||||
| CVE-2025-54327 | 1 Samsung | 6 Exynos 1280, Exynos 1280 Firmware, Exynos 1380 and 3 more | 2026-06-17 | N/A | 6.5 MEDIUM |
| An issue was discovered in VTS in Samsung Mobile Processor and Wearable Processor Exynos 1280, 2200, 1380, W920, W930, W1000. Improper input validation in the VTS driver leads to an arbitrary write. | |||||
| CVE-2025-54306 | 1 Thermofisher | 1 Torrent Suite Software | 2026-06-17 | N/A | 7.2 HIGH |
| An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. A remote code execution vulnerability exists in the network configuration functionality, stemming from insufficient input validation when processing network configuration parameters through administrative endpoints. The application allows administrators to modify the server's network configuration through the Django application. This configuration is processed by Bash scripts (TSsetnoproxy and TSsetproxy) that write user-controlled data directly to environment variables without proper sanitization. After updating environment variables, the scripts execute a source command on /etc/environment; if an attacker injects malicious data into environment variables, this command can enable arbitrary command execution. The vulnerability begins with the /admin/network endpoint, which passes user-supplied form data as arguments to subprocess.Popen calls. The user-supplied input is then used to update environment variables in TSsetnoproxy and TSsetproxy, and finally source $environment is executed. | |||||
| CVE-2025-54250 | 1 Adobe | 1 Experience Manager | 2026-06-17 | N/A | 4.9 MEDIUM |
| Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A high-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized write access. | |||||
| CVE-2025-54248 | 1 Adobe | 1 Experience Manager | 2026-06-17 | N/A | 7.7 HIGH |
| Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. Scope is changed | |||||
| CVE-2025-54247 | 1 Adobe | 1 Experience Manager | 2026-06-17 | N/A | 6.5 MEDIUM |
| Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures and gain unauthorized read access. | |||||
| CVE-2025-54236 | 1 Adobe | 3 Commerce, Commerce B2b, Magento | 2026-06-17 | N/A | 9.1 CRITICAL |
| Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction. | |||||
| CVE-2025-54134 | 1 Psu | 1 Haxcms-nodejs | 2026-06-17 | N/A | 6.5 MEDIUM |
| HAX CMS NodeJs allows users to manage their microsite universe with a NodeJs backend. In versions 11.0.8 and below, the HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the listFiles and saveFiles endpoints. This vulnerability exists because the application does not properly handle exceptions which occur as a result of changes to user-modifiable URL parameters. This is fixed in version 11.0.9. | |||||
| CVE-2025-54123 | 1 Hoverfly | 1 Hoverfly | 2026-06-17 | N/A | 9.8 CRITICAL |
| Hoverfly is an open source API simulation tool. In versions 1.11.3 and prior, the middleware functionality in Hoverfly is vulnerable to command injection vulnerability at `/api/v2/hoverfly/middleware` endpoint due to insufficient validation and sanitization in user input. The vulnerability exists in the middleware management API endpoint `/api/v2/hoverfly/middleware`. This issue is born due to combination of three code level flaws: Insufficient Input Validation in middleware.go line 94-96; Unsafe Command Execution in local_middleware.go line 14-19; and Immediate Execution During Testing in hoverfly_service.go line 173. This allows an attacker to gain remote code execution (RCE) on any system running the vulnerable Hoverfly service. Since the input is directly passed to system commands without proper checks, an attacker can upload a malicious payload or directly execute arbitrary commands (including reverse shells) on the host server with the privileges of the Hoverfly process. Commit 17e60a9bc78826deb4b782dca1c1abd3dbe60d40 in version 1.12.0 disables the set middleware API by default, and subsequent changes to documentation make users aware of the security changes of exposing the set middleware API. | |||||
| CVE-2025-53939 | 1 Accellion | 1 Kiteworks | 2026-06-17 | N/A | 6.3 MEDIUM |
| Kiteworks is a private data network (PDN). Prior to version 9.1.0, improper input validation when managing roles of a shared folder could lead to unexpectedly elevate another user's permissions on the share. This issue has been patched in version 9.1.0. | |||||
| CVE-2025-53809 | 1 Microsoft | 2 Windows 11 24h2, Windows Server 2025 | 2026-06-17 | N/A | 6.5 MEDIUM |
| Improper input validation in Windows Local Security Authority Subsystem Service (LSASS) allows an authorized attacker to deny service over a network. | |||||
| CVE-2025-53652 | 1 Jenkins | 1 Git Parameter | 2026-06-17 | N/A | 8.2 HIGH |
| Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission to inject arbitrary values into Git parameters. | |||||
| CVE-2025-53502 | 2026-06-17 | N/A | 6.5 MEDIUM | ||
| Improper Input Validation vulnerability in Wikimedia Foundation Mediawiki - FeaturedFeeds Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - FeaturedFeeds Extension: 1.39.X, 1.42.X, 1.43.X. | |||||
| CVE-2025-53471 | 2026-06-17 | N/A | 5.1 MEDIUM | ||
| Emerson ValveLink products receive input or data, but does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. | |||||
| CVE-2025-53076 | 1 Samsung | 1 Rlottie | 2026-06-17 | N/A | 9.8 CRITICAL |
| Improper Input Validation vulnerability in Samsung Open Source rLottie allows Overread Buffers.This issue affects rLottie: V0.2. | |||||
| CVE-2025-53075 | 1 Samsung | 1 Rlottie | 2026-06-17 | N/A | 9.8 CRITICAL |
| Improper Input Validation vulnerability in Samsung Open Source rLottie allows Path Traversal.This issue affects rLottie: V0.2. | |||||