Total
363821 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-56432 | 1 Nagios | 1 Nagios Xi | 2026-07-05 | N/A | 6.1 MEDIUM |
| A cross-site scripting (XSS) vulnerability exists in Nagios XI 2024R2. The vulnerability allows remote attackers to execute arbitrary JavaScript in the context of a logged-in user's session via a specially crafted URL. The issue resides in a web component responsible for rendering performance-related data. | |||||
| CVE-2025-56422 | 1 Limesurvey | 1 Limesurvey | 2026-07-05 | N/A | 9.8 CRITICAL |
| A deserialization vulnerability in LimeSurvey before v6.15.0+250623 allows a remote attacker to execute arbitrary code on the server. | |||||
| CVE-2025-56421 | 1 Limesurvey | 1 Limesurvey | 2026-07-05 | N/A | 7.5 HIGH |
| SQL Injection vulnerability in LimeSurvey before v.6.15.4+250710 allows a remote attacker to obtain sensitive information from the database. | |||||
| CVE-2025-56401 | 1 Ziragroup | 1 Wbrm | 2026-07-05 | N/A | 7.6 HIGH |
| ZIRA Group WBRM 7.0 is vulnerable to SQL Injection in referenceLookupsByTableNameAndColumnName. | |||||
| CVE-2025-56400 | 1 Tuya | 3 Smartlife, Tuya, Tuya Smart | 2026-07-05 | N/A | 8.8 HIGH |
| Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the SDK, allows an attacker to link their own Amazon Alexa account to a victim's Tuya account. The applications fail to validate the OAuth state parameter during the account linking flow, enabling a cross-site request forgery (CSRF)-like attack. By tricking the victim into clicking a crafted authorization link, an attacker can complete the OAuth flow on the victim's behalf, resulting in unauthorized Alexa access to the victim's Tuya-connected devices. This affects users regardless of prior Alexa linkage and does not require the Tuya application to be active at the time. Successful exploitation may allow remote control of devices such as cameras, doorbells, door locks, or alarms. | |||||
| CVE-2025-56399 | 2026-07-05 | N/A | 8.8 HIGH | ||
| alexusmai laravel-file-manager 3.3.1 and before allows an authenticated attacker to achieve Remote Code Execution (RCE) through a crafted file upload. A file with a '.png` extension containing PHP code can be uploaded via the file manager interface. Although the upload appears to fail client-side validation, the file is still saved on the server. The attacker can then use the rename API to change the file extension to `.php`, and upon accessing it via a public URL, the server executes the embedded code. | |||||
| CVE-2025-56304 | 1 Yzmcms | 1 Yzmcms | 2026-07-05 | N/A | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in YzmCMS thru 7.3 via the referer header in the register page. | |||||
| CVE-2025-56295 | 1 Carmelo | 1 Computer Laboratory System | 2026-07-05 | N/A | 7.3 HIGH |
| code-projects Computer Laboratory System 1.0 has a file upload vulnerability. Staff can upload malicious files by uploading PHP backdoor files when modifying personal avatar information and use web shell connection tools to obtain server permissions. | |||||
| CVE-2025-56293 | 1 Fabian | 1 Human Resource Integrated System | 2026-07-05 | N/A | 5.4 MEDIUM |
| code-projects Human Resource Integrated System 1.0 is vulnerable to Cross Site Scripting (XSS) in the Add Child Information section in the Childs Name field. | |||||
| CVE-2025-56289 | 1 Fabian | 1 Document Management System | 2026-07-05 | N/A | 5.4 MEDIUM |
| code-projects Document Management System 1.0 has a Cross Site Scripting (XSS) vulnerability, where attackers can leak admin's cookie information by entering malicious XSS code in the Company field when adding files. | |||||
| CVE-2025-56274 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2026-07-05 | N/A | 8.1 HIGH |
| SourceCodester Web-based Pharmacy Product Management System 1.0 is vulnerable to Incorrect Access Control, which allows low-privileged users to forge high privileged (such as admin) sessions and perform sensitive operations such as adding new users. | |||||
| CVE-2025-56231 | 1 Tonec | 1 Internet Download Manager | 2026-07-05 | N/A | 9.1 CRITICAL |
| Tonec Internet Download Manager 6.42.41.1 and earlier suffers from Missing SSL Certificate Validation, which allows attackers to bypass update protections. | |||||
| CVE-2025-56200 | 1 Validator Project | 1 Validator | 2026-07-05 | N/A | 6.1 MEDIUM |
| A URL validation bypass vulnerability exists in validator.js through version 13.15.15. The isURL() function uses '://' as a delimiter to parse protocols, while browsers use ':' as the delimiter. This parsing difference allows attackers to bypass protocol and domain validation by crafting URLs leading to XSS and Open Redirect attacks. | |||||
| CVE-2025-56157 | 1 Langgenius | 1 Dify | 2026-07-05 | N/A | 9.8 CRITICAL |
| Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version 1.0.1 or later. | |||||
| CVE-2025-55849 | 1 Weiphp | 1 Weiphp | 2026-07-05 | N/A | 8.4 HIGH |
| WeiPHP v5.0 and before is vulnerable to SQL Injection via the SucaiController.class.php file and the cancelTemplatee | |||||
| CVE-2025-55618 | 1 Hyundai | 1 Navigation | 2026-07-05 | N/A | 7.3 HIGH |
| In Hyundai Navigation App STD5W.EUR.HMC.230516.afa908d, an attacker can inject HTML payloads in the profile name field in navigation app which then get rendered. | |||||
| CVE-2025-55564 | 1 Tenda | 2 Ac15, Ac15 Firmware | 2026-07-05 | N/A | 7.5 HIGH |
| Tenda AC15 v15.03.05.19_multi_TD01 has a stack overflow via the list parameter in the fromSetIpMacBind function. | |||||
| CVE-2025-55462 | 1 Eramba | 1 Eramba | 2026-07-05 | N/A | 6.5 MEDIUM |
| A CORS misconfiguration in Eramba Community and Enterprise Editions v3.26.0 allows an attacker-controlled Origin header to be reflected in the Access-Control-Allow-Origin response along with Access-Control-Allow-Credentials: true. This permits malicious third-party websites to perform authenticated cross-origin requests against the Eramba API, including endpoints like /system-api/login and /system-api/user/me. The response includes sensitive user session data (ID, name, email, access groups), which is accessible to the attacker's JavaScript. This flaw enables full session hijack and data exfiltration without user interaction. Eramba versions 3.23.3 and earlier were tested and appear unaffected. The vulnerability is present in default installations, requiring no custom configuration. | |||||
| CVE-2025-55422 | 1 Foxcms | 1 Foxcms | 2026-07-05 | N/A | 8.8 HIGH |
| In FoxCMS 1.2.6, there is a reflected Cross Site Scripting (XSS) vulnerability in /index.php/plus. | |||||
| CVE-2025-55409 | 1 Foxcms | 1 Foxcms | 2026-07-05 | N/A | 8.8 HIGH |
| FoxCMS 1.2.6, there is a Cross Site Scripting vulnerability in /index.php/article. This allows attackers to execute arbitrary code. | |||||
