Total: 306735 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-45764 | | | 2025-08-07 | N/A | 3.2 LOW | jsrsasign v11.1.0 was discovered to contain weak encryption. NOTE: this issue has been disputed by a third party who believes that CVE IDs can be assigned for key lengths in specific applications that use a library, and should not be assigned to the default key lengths in a library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record. |
| CVE-2025-50484 | 1 Phpgurukul | 1 Small Crm | 2025-08-07 | N/A | 7.1 HIGH | Improper session invalidation in the component /crm/change-password.php of PHPGurukul Small CRM v3.0 allows attackers to execute a session hijacking attack. |
| CVE-2025-45893 | 1 Opencart | 1 Opencart | 2025-08-07 | N/A | 6.1 MEDIUM | OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via SVG file uploads used in blog posts. The vulnerability arises because SVG files uploaded through the media manager are not properly sanitized. Attackers can craft a malicious SVG file containing embedded JavaScript |
| CVE-2025-51398 | 1 Livehelperchat | 1 Live Helper Chat | 2025-08-07 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the Facebook registration page of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name parameter. |
| CVE-2025-51403 | 1 Livehelperchat | 1 Live Helper Chat | 2025-08-07 | N/A | 6.5 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the department assignment editing module of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Alias Nick parameter. |
| CVE-2025-51401 | 1 Livehelperchat | 1 Live Helper Chat | 2025-08-07 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the chat transfer function of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the operator name parameter. |
| CVE-2025-51400 | 1 Livehelperchat | 1 Live Helper Chat | 2025-08-07 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the Personal Canned Messages of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload. |
| CVE-2025-51397 | 1 Livehelperchat | 1 Live Helper Chat | 2025-08-07 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in the Facebook Chat module of Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Surname parameter under the Recipients' Lists. |
| CVE-2025-51396 | 1 Livehelperchat | 1 Live Helper Chat | 2025-08-07 | N/A | 5.4 MEDIUM | A stored cross-site scripting (XSS) vulnerability in Live Helper Chat v4.60 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Telegram Bot Username parameter. |
| CVE-2025-49087 | 1 Arm | 1 Mbed Tls | 2025-08-07 | N/A | 4.0 MEDIUM | In Mbed TLS 3.6.1 through 3.6.3 before 3.6.4, a timing discrepancy in block cipher padding removal allows an attacker to recover the plaintext when PKCS#7 padding mode is used. |
| CVE-2025-47917 | 1 Arm | 1 Mbed Tls | 2025-08-07 | N/A | 8.9 HIGH | Mbed TLS before 3.6.4 allows a use-after-free in certain situations of applications that are developed in accordance with the documentation. The function mbedtls_x509_string_to_names() takes a head argument that is documented as an output argument. The documentation does not suggest that the function will free that pointer; however, the function does call mbedtls_asn1_free_named_data_list() on that argument, which performs a deep free(). As a result, application code that uses this function (relying only on documented behavior) is likely to still hold pointers to the memory blocks that were freed, resulting in a high risk of use-after-free or double-free. In particular, the two sample programs x509/cert_write and x509/cert_req are affected (use-after-free if the san string contains more than one DN). |
| CVE-2025-48965 | 1 Arm | 1 Mbed Tls | 2025-08-07 | N/A | 4.0 MEDIUM | Mbed TLS before 3.6.4 has a NULL pointer dereference because mbedtls_asn1_store_named_data can trigger conflicting data with val.p of NULL but val.len greater than zero. |
| CVE-2025-44608 | 1 Vishalmathur | 1 Cloudclassroom-php Project | 2025-08-07 | N/A | 6.5 MEDIUM | CloudClassroom-PHP Project v1.0 was discovered to contain a SQL injection vulnerability via the viewid parameter. |
| CVE-2025-54597 | 1 Linuxserver | 1 Heimdall Application Dashboard | 2025-08-07 | N/A | 7.2 HIGH | LinuxServer.io Heimdall before 2.7.3 allows XSS via the q parameter. |
| CVE-2025-3263 | 1 Huggingface | 1 Transformers | 2025-08-07 | N/A | 5.3 MEDIUM | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_configuration_file()` function within the `transformers.configuration_utils` module. The affected version is 4.49.0, and the issue is resolved in version 4.51.0. The vulnerability arises from the use of a regular expression pattern `config\.(.*)\.json` that can be exploited to cause excessive CPU consumption through crafted input strings, leading to catastrophic backtracking. This can result in model serving disruption, resource exhaustion, and increased latency in applications using the library. |
| CVE-2025-3264 | 1 Huggingface | 1 Transformers | 2025-08-07 | N/A | 5.3 MEDIUM | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically in the `get_imports()` function within `dynamic_module_utils.py`. This vulnerability affects version 4.49.0 and is fixed in version 4.51.0. The issue arises from a regular expression pattern `\s*try\s*:.*?except.*?:` used to filter out try/except blocks from Python code, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to remote code loading disruption, resource exhaustion in model serving, supply chain attack vectors, and development pipeline disruption. |
| CVE-2025-3933 | 1 Huggingface | 1 Transformers | 2025-08-07 | N/A | 5.3 MEDIUM | A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the Hugging Face Transformers library, specifically within the DonutProcessor class's `token2json()` method. This vulnerability affects versions 4.50.3 and earlier, and is fixed in version 4.52.1. The issue arises from the regex pattern `<s_(.*?)>`, which can be exploited to cause excessive CPU consumption through crafted input strings due to catastrophic backtracking. This vulnerability can lead to service disruption, resource exhaustion, and potential API service vulnerabilities, impacting document processing tasks using the Donut model. |
| CVE-2025-3777 | 1 Huggingface | 1 Transformers | 2025-08-07 | N/A | 3.5 LOW | Hugging Face Transformers versions up to 4.49.0 are affected by an improper input validation vulnerability in the `image_utils.py` file. The vulnerability arises from insecure URL validation using the `startswith()` method, which can be bypassed through URL username injection. This allows attackers to craft URLs that appear to be from YouTube but resolve to malicious domains, potentially leading to phishing attacks, malware distribution, or data exfiltration. The issue is fixed in version 4.52.1. |
| CVE-2025-5120 | 1 Huggingface | 1 Smolagents | 2025-08-07 | N/A | 10.0 CRITICAL | A sandbox escape vulnerability was identified in huggingface/smolagents version 1.14.0, allowing attackers to bypass the restricted execution environment and achieve remote code execution (RCE). The vulnerability stems from the local_python_executor.py module, which inadequately restricts Python code execution despite employing static and dynamic checks. Attackers can exploit whitelisted modules and functions to execute arbitrary code, compromising the host system. This flaw undermines the core security boundary intended to isolate untrusted code, posing risks such as unauthorized code execution, data leakage, and potential integration-level compromise. The issue is resolved in version 1.17.0. |
| CVE-2025-1753 | 1 Llamaindex | 1 Llamaindex | 2025-08-07 | N/A | 7.8 HIGH | LLama-Index CLI version v0.12.20 contains an OS command injection vulnerability. The vulnerability arises from the improper handling of the `--files` argument, which is directly passed into `os.system`. An attacker who controls the content of this argument can inject and execute arbitrary shell commands. This vulnerability can be exploited locally if the attacker has control over the CLI arguments, and remotely if a web application calls the LLama-Index CLI with a user-controlled filename. This issue can lead to arbitrary code execution on the affected system. |