Total: 305894 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 | Description
---|---|---|---|---|---
CVE-2025-29865 | Tagfree | X Free Uploader | 2025-08-07 | N/A | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in TAGFREE X-Free Uploader XFU allows Path Traversal. This issue affects X-Free Uploader: from 1.0.1.0084 before 1.0.1.0085, from 2.0.1.0034 before 2.0.1.0035.
CVE-2025-54798 | Raszi | Node-tmp | 2025-08-07 | 2.5 Low | tmp is a temporary file and directory creator for node.js. In versions 0.2.3 and below, tmp is vulnerable to an arbitrary temporary file / directory write via a symbolic link dir parameter. This is fixed in version 0.2.4.
CVE-2025-29866 | Tagfree | X Free Uploader | 2025-08-07 | N/A | External Control of File Name or Path vulnerability in TAGFREE X-Free Uploader XFU allows Parameter Injection. This issue affects X-Free Uploader: from 1.0.1.0084 before 1.0.1.0085, from 2.0.1.0034 before 2.0.1.0035.
CVE-2025-8533 | Flexibits | Fantastical | 2025-08-07 | N/A | A vulnerability was identified in the XPC services of Fantastical. The services failed to implement proper client authorization checks in the listener:shouldAcceptNewConnection method, unconditionally accepting requests from any local process. As a result, any local, unprivileged process could connect to the XPC service and access its methods. This issue has been resolved in version 4.0.16.
CVE-2025-47907 | Golang | Database Sql | 2025-08-07 | 7 High | Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
CVE-2025-54564 | Chargepoint | Home Flex | 2025-08-07 | 7.8 High | uploadsm in ChargePoint Home Flex 5.5.4.13 does not validate a user-controlled string for bz2 decompression, which allows command execution as the nobody user.
CVE-2025-8697 | | | 2025-08-07 | 6.3 Medium | A vulnerability was found in agentUniverse up to 0.0.18 and classified as critical. This issue affects the function StdioServerParameters of the component MCPSessionManager/MCPTool/MCPToolkit. The manipulation leads to OS command injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
CVE-2025-50740 | | | 2025-08-07 | 6.1 Medium | AutoConnect 1.4.2, an Arduino library, is vulnerable to a cross-site scripting (XSS) vulnerability. The AutoConnect web interface /_ac/config allows HTML/JS code to be executed via a crafted network SSID.
CVE-2024-55399 | | | 2025-08-07 | 6.5 Medium | 4C Strategies Exonaut before v21.6.2.1-1 was discovered to contain a Server-Side Request Forgery (SSRF).
CVE-2024-55398 | | | 2025-08-07 | 6.5 Medium | 4C Strategies Exonaut before v22.4 was discovered to contain insecure permissions.
CVE-2024-55402 | | | 2025-08-07 | 5.3 Medium | 4C Strategies Exonaut before v22.4 was discovered to contain an access control issue.
CVE-2025-46660 | | | 2025-08-07 | 5.3 Medium | An issue was discovered in 4C Strategies Exonaut 21.6. Passwords stored in the database are hashed without a salt.
CVE-2025-32094 | Akamai | Ghost | 2025-08-07 | 4 Medium | An issue was discovered in Akamai Ghost, as used for the Akamai CDN platform before 2025-03-26. Under certain circumstances, a client making an HTTP/1.x OPTIONS request with an "Expect: 100-continue" header, and using obsolete line folding, can lead to a discrepancy in how two in-path Akamai servers interpret the request, allowing an attacker to smuggle a second request in the original request body.
CVE-2025-35970 | | | 2025-08-07 | 7.5 High | On multiple products of SEIKO EPSON and FUJIFILM Corporation, the initial administrator password is easy to guess from the information available via SNMP. If the administrator password is not changed from the initial one, a remote attacker with SNMP access can log in to the product with administrator privilege.
CVE-2025-3770 | Tianocore | Edk2 | 2025-08-07 | 7 High | EDK2 contains a vulnerability in BIOS where an attacker may cause "Protection Mechanism Failure" by local access. Successful exploitation of this vulnerability will lead to arbitrary code execution and impact Confidentiality, Integrity, and Availability.
CVE-2025-47188 | | | 2025-08-07 | 6.5 Medium | A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones, including the 6970 Conference Unit through 6.4 SP4, could allow an unauthenticated attacker to conduct a command injection attack due to insufficient parameter sanitization. A successful exploit could allow an attacker to execute arbitrary commands within the context of the phone, leading to disclosure or modification of sensitive configuration data or affecting device availability and operation.
CVE-2025-54882 | Himmelblau-idm | Himmelblau | 2025-08-07 | 7.1 High | Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. In versions 0.8.0 through 0.9.21 and 1.0.0-beta through 1.1.0, Himmelblau stores the cloud TGT received during logon in the Kerberos credential cache. The created credential cache collection and received credentials are stored as world readable. This is fixed in versions 0.9.22 and 1.2.0. To work around this issue, remove all read access to Himmelblau caches for all users except for owners.
CVE-2025-54885 | | | 2025-08-07 | N/A | Thinbus Javascript Secure Remote Password is a browser SRP6a implementation for zero-knowledge password authentication. In versions 2.0.0 and below, a protocol compliance bug causes the client to generate a fixed 252 bits of entropy instead of the intended bit length of the safe prime (defaulted to 2048 bits). The client public value is being generated from a private value that is 4 bits below the specification. This reduces the protocol's designed security margin; it is now practically exploitable. The server's full-sized 2048-bit random number is used to create the shared session key and password proof. This is fixed in version 2.0.1.
CVE-2025-55136 | | | 2025-08-07 | 5.7 Medium | ERC (aka Emotion Recognition in Conversation) through 0.3 has insecure deserialization via a serialized object because jsonpickle is used.
CVE-2025-55137 | | | 2025-08-07 | 7.4 High | LinkJoin through 882f196 lacks type checking in password reset.