Total
12442 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2024-11079 | 1 Redhat | 5 Ansible Automation Platform, Ansible Automation Platform Developer, Ansible Automation Platform Inside and 2 more | 2025-07-05 | 5.5 Medium |
| A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks. | ||||
| CVE-2024-3657 | 1 Redhat | 5 Directory Server, Directory Server E4s, Directory Server Eus and 2 more | 2025-07-05 | 7.5 High |
| A flaw was found in 389-ds-base. A specially-crafted LDAP query can potentially cause a failure on the directory server, leading to a denial of service | ||||
| CVE-2025-7060 | 2025-07-04 | 4.1 Medium | ||
| A vulnerability was found in Monitorr up to 1.7.6m. It has been classified as problematic. This affects an unknown part of the file assets/config/_installation/mkdbajax.php of the component Installer. The manipulation of the argument datadir leads to improper input validation. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-8445 | 1 Redhat | 3 Directory Server, Enterprise Linux, Rhel Els | 2025-07-04 | 5.7 Medium |
| The fix for CVE-2024-2199 in 389-ds-base was insufficient to cover all scenarios. In certain product versions, an authenticated user may cause a server crash while modifying `userPassword` using malformed input. | ||||
| CVE-2024-1019 | 1 Owasp | 1 Modsecurity | 2025-07-03 | 8.6 High |
| ModSecurity / libModSecurity 3.0.0 to 3.0.11 is affected by a WAF bypass for path-based payloads submitted via specially crafted request URLs. ModSecurity v3 decodes percent-encoded characters present in request URLs before it separates the URL path component from the optional query string component. This results in an impedance mismatch versus RFC compliant back-end applications. The vulnerability hides an attack payload in the path component of the URL from WAF rules inspecting it. A back-end may be vulnerable if it uses the path component of request URLs to construct queries. Integrators and users are advised to upgrade to 3.0.12. The ModSecurity v2 release line is not affected by this vulnerability. | ||||
| CVE-2023-45177 | 5 Hp, Ibm, Linux and 2 more | 8 Hp-ux, Aix, I and 5 more | 2025-07-03 | 5.3 Medium |
| IBM MQ 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.3 LTS and 9.3 CD is vulnerable to a denial-of-service attack due to an error within the MQ clustering logic. IBM X-Force ID: 268066. | ||||
| CVE-2025-53502 | 2025-07-03 | 6.5 Medium | ||
| Improper Input Validation vulnerability in Wikimedia Foundation Mediawiki - FeaturedFeeds Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - FeaturedFeeds Extension: 1.39.X, 1.42.X, 1.43.X. | ||||
| CVE-2025-32079 | 2025-07-03 | N/A | ||
| Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - GrowthExperiments allows HTTP DoS.This issue affects Mediawiki - GrowthExperiments: from 1.39 through 1.43. | ||||
| CVE-2025-32073 | 2025-07-03 | N/A | ||
| Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - HTML Tags allows Cross-Site Scripting (XSS).This issue affects Mediawiki - HTML Tags: from 1.39 through 1.43. | ||||
| CVE-2025-32071 | 2025-07-03 | N/A | ||
| Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikidata Extension allows Cross-Site Scripting (XSS) from widthheight message via ImageHandler::getDimensionsString()This issue affects Mediawiki - Wikidata Extension: from 1.39 through 1.43. | ||||
| CVE-2025-32070 | 2025-07-03 | N/A | ||
| Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - AJAX Poll Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - AJAX Poll Extension: from 1.39 through 1.43. | ||||
| CVE-2025-32069 | 2025-07-03 | N/A | ||
| Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Wikibase Media Info Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Wikibase Media Info Extension: from 1.39 through 1.43. | ||||
| CVE-2025-32067 | 2025-07-03 | N/A | ||
| Improper Input Validation vulnerability in The Wikimedia Foundation Mediawiki - Growth Experiments Extension allows Cross-Site Scripting (XSS).This issue affects Mediawiki - Growth Experiments Extension: from 1.39 through 1.43. | ||||
| CVE-2025-34054 | 2025-07-03 | N/A | ||
| An unauthenticated command injection vulnerability exists in AVTECH DVR devices via Search.cgi?action=cgi_query. The use of wget without input sanitization allows attackers to inject shell commands through the username or queryb64str parameters, executing commands as root. | ||||
| CVE-2025-34060 | 2025-07-03 | N/A | ||
| A PHP objection injection vulnerability exists in the Monero Project’s Laravel-based forum software due to unsafe handling of untrusted input in the /get/image/ endpoint. The application passes a user-supplied link parameter directly to file_get_contents() without validation. MIME type checks using PHP’s finfo can be bypassed via crafted stream filter chains that prepend spoofed headers, allowing access to internal Laravel configuration files. An attacker can extract the APP_KEY from config/app.php, forge encrypted cookies, and trigger unsafe unserialize() calls, leading to reliable remote code execution. | ||||
| CVE-2025-34055 | 2025-07-03 | N/A | ||
| An OS command injection vulnerability exists in AVTECH DVR, NVR, and IP camera devices within the adcommand.cgi endpoint, which interfaces with the ActionD daemon. Authenticated users can invoke the DoShellCmd operation, passing arbitrary input via the strCmd parameter. This input is executed directly by the system shell without sanitation allowing attackers to execute commands as the root user. | ||||
| CVE-2025-34056 | 2025-07-03 | N/A | ||
| An OS command injection vulnerability exists in AVTECH IP camera, DVR, and NVR devices via the PwdGrp.cgi endpoint, which handles user and group management operations. Authenticated users can supply input through the pwd or grp parameters, which are directly embedded into system commands without proper sanitation. This allows for the execution of arbitrary shell commands with root privileges. | ||||
| CVE-2025-52891 | 2025-07-03 | 6.5 Medium | ||
| ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off. | ||||
| CVE-2025-6563 | 2025-07-03 | N/A | ||
| A cross-site scripting vulnerability is present in the hotspot of MikroTik's RouterOS on versions below 7.19.2. An attacker can inject the `javascript` protocol in the `dst` parameter. When the victim browses to the malicious URL and logs in, the XSS executes. The POST request used to login, can also be converted to a GET request, allowing an attacker to send a specifically crafted URL that automatically logs in the victim (into the attacker's account) and triggers the payload. | ||||
| CVE-2025-27023 | 2025-07-03 | 6.5 Medium | ||
| Lack or insufficent input validation in WebGUI CLI web in Infinera G42 version R6.1.3 allows remote authenticated users to read all OS files via crafted CLI commands. Details: The web interface based management of the Infinera G42 appliance enables the feature of executing a restricted set of commands. This feature also offers the option to execute a script-file already present on the target device. When a non-script or incorrect file is specified, the content of the file is shown along with an error message. Due to an execution of the http service with a privileged user all files on the file system can be viewed this way. | ||||