Total: 4695 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-54133 | 1 Anysphere | 1 Cursor | 2025-08-25 | N/A | 9.6 CRITICAL |
| Cursor is a code editor built for programming with AI. In versions 1.17 through 1.2, there is a UI information disclosure vulnerability in Cursor's MCP (Model Context Protocol) deeplink handler, allowing attackers to execute 2-click arbitrary system commands through social engineering attacks. When users click malicious `cursor://anysphere.cursor-deeplink/mcp/install` links, the installation dialog does not show the arguments being passed to the command being run. If a user clicks a malicious deeplink, then examines the installation dialog and clicks through, the full command including the arguments will be executed on the machine. This is fixed in version 1.3. | |||||
| CVE-2025-54136 | 1 Anysphere | 1 Cursor | 2025-08-25 | N/A | 7.2 HIGH |
| Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or by editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or if an attacker has arbitrary file-write locally, the attacker can achieve arbitrary code execution. This is fixed in version 1.3. | |||||
| CVE-2025-54135 | 1 Anysphere | 1 Cursor | 2025-08-25 | N/A | 8.5 HIGH |
| Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions below 1.3.9. If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file, don't already exist in the workspace, an attacker can chain an indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9. | |||||
| CVE-2025-27392 | 1 Siemens | 2 Scalance Lpe9403, Scalance Lpe9403 Firmware | 2025-08-25 | N/A | 7.2 HIGH |
| A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). Affected devices do not properly sanitize user input when creating new VXLAN configurations. This could allow an authenticated highly-privileged remote attacker to execute arbitrary code on the device. | |||||
| CVE-2025-6183 | | | 2025-08-22 | N/A | N/A |
| The StrongDM macOS client incorrectly processed JSON-formatted messages. Attackers could potentially modify macOS system configuration by crafting a malicious JSON message. | |||||
| CVE-2025-6181 | | | 2025-08-22 | N/A | N/A |
| The StrongDM Windows service incorrectly handled input validation. Authenticated attackers could potentially exploit this, leading to privilege escalation. | |||||
| CVE-2010-20059 | | | 2025-08-22 | N/A | N/A |
| FreeNAS 0.7.2 prior to revision 5543 includes an unauthenticated command-execution backdoor in its web interface. The exec_raw.php script exposes a cmd parameter that is passed directly to the underlying shell without sanitation. | |||||
| CVE-2025-57771 | | | 2025-08-22 | N/A | 8.1 HIGH |
| Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions prior to 3.25.5, Roo-Code fails to properly handle process substitution and single ampersand characters in the command parsing logic for auto-execute commands. If a user has enabled auto-approved execution for a command such as ls, an attacker who can submit crafted prompts to the agent may inject arbitrary commands to be executed alongside the intended command. Exploitation requires attacker access to submit prompts and for the user to have enabled auto-approved command execution, which is disabled by default. This vulnerability could allow an attacker to execute arbitrary code. The issue is fixed in version 3.25.5. | |||||
| CVE-2025-3128 | | | 2025-08-22 | N/A | 9.8 CRITICAL |
| A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy or delete information in Mitsubishi Electric smartRTU, or cause a denial-of-service condition on the product. | |||||
| CVE-2025-27393 | 1 Siemens | 2 Scalance Lpe9403, Scalance Lpe9403 Firmware | 2025-08-22 | N/A | 7.2 HIGH |
| A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). Affected devices do not properly sanitize user input when creating new users. This could allow an authenticated highly-privileged remote attacker to execute arbitrary code on the device. | |||||
| CVE-2025-27394 | 1 Siemens | 2 Scalance Lpe9403, Scalance Lpe9403 Firmware | 2025-08-22 | N/A | 7.2 HIGH |
| A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). Affected devices do not properly sanitize user input when creating new SNMP users. This could allow an authenticated highly-privileged remote attacker to execute arbitrary code on the device. | |||||
| CVE-2025-27398 | 1 Siemens | 2 Scalance Lpe9403, Scalance Lpe9403 Firmware | 2025-08-22 | N/A | 2.7 LOW |
| A vulnerability has been identified in SCALANCE LPE9403 (6GK5998-3GS00-2AC2) (All versions < V4.0). Affected devices do not properly neutralize special characters when interpreting user controlled log paths. This could allow an authenticated highly-privileged remote attacker to execute a limited set of binaries that are already present on the filesystem. | |||||
| CVE-2025-53637 | 1 Meshtastic | 1 Meshtastic Firmware | 2025-08-22 | N/A | 4.1 MEDIUM |
| Meshtastic is an open source mesh networking solution. The main_matrix.yml GitHub Action is triggered by the pull_request_target event, which has extensive permissions, and can be initiated by an attacker who forked the repository and created a pull request. In the shell code execution part, user-controlled input is interpolated unsafely into the code. If this were to be exploited, attackers could inject unauthorized code into the repository. This vulnerability is fixed in 2.6.6. | |||||
| CVE-2024-4507 | 1 Ruijie | 54 Rg-uac 6000-cc, Rg-uac 6000-cc Firmware, Rg-uac 6000-e10 and 51 more | 2025-08-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in Ruijie RG-UAC up to 20240428 and classified as critical. This issue affects some unknown processing of the file /view/IPV6/ipv6StaticRoute/static_route_add_ipv6.php. The manipulation of the argument text_prefixlen/text_gateway/devname leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263111. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-4255 | 1 Ruijie | 54 Rg-uac 6000-cc, Rg-uac 6000-cc Firmware, Rg-uac 6000-e10 and 51 more | 2025-08-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability, which was classified as critical, has been found in Ruijie RG-UAC up to 20240419. This issue affects some unknown processing of the file /view/network Config/GRE/gre_edit_commit.php. The manipulation of the argument name leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-262145 was assigned to this vulnerability. | |||||
| CVE-2024-4508 | 1 Ruijie | 54 Rg-uac 6000-cc, Rg-uac 6000-cc Firmware, Rg-uac 6000-e10 and 51 more | 2025-08-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in Ruijie RG-UAC up to 20240428. It has been classified as critical. Affected is an unknown function of the file /view/IPV6/ipv6StaticRoute/static_route_edit_ipv6.php. The manipulation of the argument oldipmask/oldgateway/olddevname leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263112. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-4509 | 1 Ruijie | 54 Rg-uac 6000-cc, Rg-uac 6000-cc Firmware, Rg-uac 6000-e10 and 51 more | 2025-08-21 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in Ruijie RG-UAC up to 20240428. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /view/IPV6/naborTable/add_commit.php. The manipulation of the argument ip_addr/mac_addr leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-263113 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-4813 | 1 Ruijie | 54 Rg-uac 6000-cc, Rg-uac 6000-cc Firmware, Rg-uac 6000-e10 and 51 more | 2025-08-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical has been found in Ruijie RG-UAC up to 20240506. Affected is an unknown function of the file /view/networkConfig/physicalInterface/interface_commit.php. The manipulation of the argument name leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to apply a patch to fix this issue. VDB-263934 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-4814 | 1 Ruijie | 54 Rg-uac 6000-cc, Rg-uac 6000-cc Firmware, Rg-uac 6000-e10 and 51 more | 2025-08-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability classified as critical was found in Ruijie RG-UAC up to 20240506. Affected by this vulnerability is an unknown functionality of the file /view/networkConfig/RouteConfig/StaticRoute/static_route_edit_commit.php. The manipulation of the argument oldipmask/oldgateway leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-263935. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
| CVE-2024-4815 | 1 Ruijie | 54 Rg-uac 6000-cc, Rg-uac 6000-cc Firmware, Rg-uac 6000-e10 and 51 more | 2025-08-21 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability, which was classified as critical, has been found in Ruijie RG-UAC up to 20240506. Affected by this issue is some unknown functionality of the file /view/bugSolve/viewData/detail.php. The manipulation of the argument filename leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-263936. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | |||||
