Total
361906 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-67733 | 1 Lfprojects | 1 Valkey | 2026-06-30 | N/A | 8.5 HIGH |
| Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same connection. The error handling code for lua scripts does not properly handle null characters. Versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12 fix the issue. | |||||
| CVE-2025-67269 | 1 Gpsd Project | 1 Gpsd | 2026-06-30 | N/A | 7.5 HIGH |
| An integer underflow vulnerability exists in the `nextstate()` function in `gpsd/packet.c` of gpsd versions prior to commit `ffa1d6f40bca0b035fc7f5e563160ebb67199da7`. When parsing a NAVCOM packet, the payload length is calculated using `lexer->length = (size_t)c - 4` without checking if the input byte `c` is less than 4. This results in an unsigned integer underflow, setting `lexer->length` to a very large value (near `SIZE_MAX`). The parser then enters a loop attempting to consume this massive number of bytes, causing 100% CPU utilization and a Denial of Service (DoS) condition. | |||||
| CVE-2025-67268 | 1 Gpsd Project | 1 Gpsd | 2026-06-30 | N/A | 9.8 CRITICAL |
| gpsd before commit dc966aa contains a heap-based out-of-bounds write vulnerability in the drivers/driver_nmea2000.c file. The hnd_129540 function, which handles NMEA2000 PGN 129540 (GNSS Satellites in View) packets, fails to validate the user-supplied satellite count against the size of the skyview array (184 elements). This allows an attacker to write beyond the bounds of the array by providing a satellite count up to 255, leading to memory corruption, Denial of Service (DoS), and potentially arbitrary code execution. | |||||
| CVE-2025-67030 | 1 Codehaus-plexus | 1 Plexus-utils | 2026-06-30 | N/A | 8.8 HIGH |
| Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code | |||||
| CVE-2025-65518 | 1 Webpros | 1 Plesk Obsidian | 2026-06-30 | N/A | 7.5 HIGH |
| Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. The vulnerability exists in the get_password.php endpoint, where a crafted request containing a malicious payload can cause the affected web interface to continuously reload, rendering the service unavailable to legitimate users. An attacker can exploit this issue remotely without authentication, resulting in a persistent availability impact on the affected Plesk Obsidian instance. | |||||
| CVE-2025-62718 | 1 Axios | 1 Axios | 2026-06-30 | N/A | 9.9 CRITICAL |
| Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0. | |||||
| CVE-2025-61732 | 1 Golang | 1 Go | 2026-06-30 | N/A | 8.6 HIGH |
| A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | |||||
| CVE-2025-61731 | 1 Golang | 1 Go | 2026-06-30 | N/A | 7.8 HIGH |
| Building a malicious file with cmd/go can cause can cause a write to an attacker-controlled file with partial control of the file content. The "#cgo pkg-config:" directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a "--log-file" argument to this directive, causing pkg-config to write to an attacker-controlled location. | |||||
| CVE-2025-61726 | 1 Golang | 1 Go | 2026-06-30 | N/A | 7.5 HIGH |
| The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. | |||||
| CVE-2025-61140 | 1 Dchester | 1 Jsonpath | 2026-06-30 | N/A | 9.8 CRITICAL |
| The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution. | |||||
| CVE-2025-61028 | 2026-06-30 | N/A | 7.5 HIGH | ||
| An issue in the time_t_to_dt component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||||
| CVE-2025-61023 | 2026-06-30 | N/A | 7.5 HIGH | ||
| An issue in the st_compare component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||||
| CVE-2025-61020 | 2026-06-30 | N/A | 7.5 HIGH | ||
| An issue in the sqlo_strip_in_join component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||||
| CVE-2025-61018 | 2026-06-30 | N/A | 7.5 HIGH | ||
| An issue in the sqlo_place_dt_set component of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements. | |||||
| CVE-2025-59465 | 1 Nodejs | 1 Node.js | 2026-06-30 | N/A | 7.5 HIGH |
| A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: ``` server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) }) ``` | |||||
| CVE-2025-59057 | 1 Shopify | 2 React-router, Remix-run\/react | 2026-06-30 | N/A | 7.6 HIGH |
| React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0. | |||||
| CVE-2025-59032 | 2 Dovecot, Open-xchange | 2 Dovecot, Dovecot | 2026-06-30 | N/A | 7.5 HIGH |
| ManageSieve AUTHENTICATE command crashes when using literal as SASL initial response. This can be used to crash ManageSieve service repeatedly, making it unavailable for other users. Control access to ManageSieve port, or disable the service if it's not needed. Alternatively upgrade to a fixed version. No publicly available exploits are known. | |||||
| CVE-2025-57283 | 1 Browserstack | 1 Browserstack-local | 2026-06-30 | N/A | 7.8 HIGH |
| The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js. | |||||
| CVE-2025-56005 | 1 Dabeaz | 1 Ply | 2026-06-30 | N/A | 9.8 CRITICAL |
| An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. NOTE: A third-party states that this vulnerability should be rejected because the proof of concept does not demonstrate arbitrary code execution and fails to complete successfully. | |||||
| CVE-2025-55131 | 2026-06-30 | N/A | 7.1 HIGH | ||
| A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. | |||||