CVE List - 2025 / June
Showing 3201 - 3300 of 3683 CVEs for June 2025 (Page 33 of 37)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-41404 | 2025-06-26 | Direct request ('Forced Browsing') issue exists in iroha Board versions v0.10.12 and earlier. If this vulnerability is exploited, non-public contents may be viewed by an attacker who can log in... |
| CVE-2025-48497 | 2025-06-26 | Cross-site request forgery vulnerability exists in iroha Board versions v0.10.12 and earlier. If a user accesses a specially crafted URL while being logged in to the affected product, arbitrary learning... |
| CVE-2025-5459 | 2025-06-26 | OS Command Injection |
| CVE-2024-6174 | 2025-06-26 | When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration. |
| CVE-2025-5842 | 2025-06-26 | Modern Design Library <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via class Parameter |
| CVE-2025-5338 | 2025-06-26 | Royal Elementor Addons <= 1.7.1024 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Multiple Widgets |
| CVE-2025-6212 | 2025-06-26 | Ultra Addons for Contact Form 7 3.5.11 - 3.5.19 - Unauthenticated Stored Cross-Site Scripting via Database module |
| CVE-2024-11584 | 2025-06-26 | cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could... |
| CVE-2025-6703 | 2025-06-26 | transport/fc.rs: panic attempting to send MAX_DATA with value larger max varint |
| CVE-2025-3771 | 2025-06-26 | A path or symbolic link manipulation vulnerability in SIR 1.0.3 and prior versions allows an authenticated non-admin local user to overwrite system files with SIR backup files, which can potentially... |
| CVE-2025-3722 | 2025-06-26 | A path traversal vulnerability in System Information Reporter (SIR) 1.0.3 and prior allowed an authenticated high privileged user to issue malicious ePO post requests to System Information Reporter, leading to... |
| CVE-2025-3773 | 2025-06-26 | A sensitive information exposure vulnerability in System Information Reporter (SIR) 1.0.3 and prior allows an authenticated non-admin local user to extract sensitive information stored in a registry backup folder. |
| CVE-2025-6561 | 2025-06-26 | Hunt Electronic Hybrid DVR - Exposure of Sensitive System Information |
| CVE-2025-6562 | 2025-06-26 | Hunt Electronic Hybrid DVR - OS Command Injection |
| CVE-2025-5366 | 2025-06-26 | Stored XSS |
| CVE-2025-5966 | 2025-06-26 | Stored XSS |
| CVE-2025-6693 | 2025-06-26 | RT-Thread device.c sys_device_write memory corruption |
| CVE-2025-6694 | 2025-06-26 | LabRedesCefetRJ WeGIA Adicionar Unidade adicionar_unidade.php cross site scripting |
| CVE-2025-6695 | 2025-06-26 | LabRedesCefetRJ WeGIA Additional Categoria adicionar_categoria.php cross site scripting |
| CVE-2025-48923 | 2025-06-26 | Toc.js - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-077 |
| CVE-2025-48922 | 2025-06-26 | GLightbox - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-078 |
| CVE-2025-48921 | 2025-06-26 | Open Social - Moderately critical - Cross Site Request Forgery - SA-CONTRIB-2025-079 |
| CVE-2025-5682 | 2025-06-26 | Klaro Cookie & Consent Management - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-080 |
| CVE-2025-6674 | 2025-06-26 | CKEditor5 Youtube - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-081 |
| CVE-2025-6675 | 2025-06-26 | Enterprise MFA - TFA for Drupal - Critical - Access bypass - SA-CONTRIB-2025-082 |
| CVE-2025-6676 | 2025-06-26 | Simple XML sitemap - Moderately critical - Cross-site Scripting - SA-CONTRIB-2025-083 |
| CVE-2025-6677 | 2025-06-26 | Paragraphs table - Moderately critical - Cross Site Scripting - SA-CONTRIB-2025-084 |
| CVE-2025-49003 | 2025-06-26 | Dataease H2 JDBC Connection Remote Code Execution |
| CVE-2025-6706 | 2025-06-26 | Running certain aggregation operations with the SBE engine may lead to unexpected behavior on MongoDB Server |
| CVE-2025-6707 | 2025-06-26 | Race condition in privilege cache invalidation cycle |
| CVE-2025-6709 | 2025-06-26 | Pre-Authentication Denial of Service Vulnerability in MongoDB Server's OIDC Authentication |
| CVE-2025-52573 | 2025-06-26 | Command Injection in MCP Server ios-simulator-mcp |
| CVE-2025-6710 | 2025-06-26 | Pre-authentication Denial of Service Stack Overflow Vulnerability in JSON Parsing via Excessive Recursion in MongoDB |
| CVE-2025-6696 | 2025-06-26 | LabRedesCefetRJ WeGIA Cadastro de Atendio Cadastro_Atendido.php cross site scripting |
| CVE-2025-52887 | 2025-06-26 | cpp-httplib has unlimited number of http header fields, which causes memory leak |
| CVE-2025-52900 | 2025-06-26 | File Browser has Insecure File Permissions |
| CVE-2025-52902 | 2025-06-26 | File Browser has Stored Cross-Site Scripting vulnerability |
| CVE-2025-53002 | 2025-06-26 | LLaMA-Factory Remote Code Execution (RCE) Vulnerability |
| CVE-2025-53007 | 2025-06-26 | arduino-esp32 vulnerable to CRLF injection in WebServer.cpp |
| CVE-2025-6697 | 2025-06-26 | LabRedesCefetRJ WeGIA Adicionar tipo adicionar_tipoEntrada.php cross site scripting |
| CVE-2025-6698 | 2025-06-26 | LabRedesCefetRJ WeGIA Adicionar tipo adicionar_tipoSaida.php cross site scripting |
| CVE-2025-36034 | 2025-06-26 | IBM InfoSphere DataStage Flow Designer information disclosure |
| CVE-2025-6699 | 2025-06-26 | LabRedesCefetRJ WeGIA Cadastro de Funcionário cadastro_funcionario.php cross site scripting |
| CVE-2025-6700 | 2025-06-26 | Xuxueli xxl-sso login cross site scripting |
| CVE-2025-34042 | 2025-06-26 | Beward N100 IP Camera Remote Command Execution |
| CVE-2025-34043 | 2025-06-26 | Vacron NVR Remote Command Execution |
| CVE-2025-34044 | 2025-06-26 | WIFISKY 7-Layer Flow Control Router Remote Command Execution |
| CVE-2025-34045 | 2025-06-26 | WeiPHP Path Traversal Arbitrary File Read |
| CVE-2025-34046 | 2025-06-26 | Fanwei E-Office Unauthenticated File Upload |
| CVE-2025-34048 | 2025-06-26 | D-Link DSL-2730U/2750U/2750E Path Traversal Arbitrary File Read |
| CVE-2025-34049 | 2025-06-26 | OptiLink ONT1GEW GPON Remote Code Execution |
| CVE-2025-6701 | 2025-06-26 | Xuxueli xxl-sso doLogin redirect |
| CVE-2025-6702 | 2025-06-26 | linlinjava litemall post improper authorization |
| CVE-2025-34047 | 2025-06-26 | Leadsec VPN Path Traversal Arbitrary File Read |
| CVE-2025-52477 | 2025-06-26 | Octo-STS Vulnerable to Unauthenticated SSRF with HTTP Response Reflection in OIDC Flow |
| CVE-2025-53013 | 2025-06-26 | Himmelblau offline auth permits authentication with invalid Hello PIN |
| CVE-2025-52903 | 2025-06-26 | File Browser Allows Execution of Shell Commands That Can Spawn Other Commands |
| CVE-2025-52904 | 2025-06-26 | File Browser: Command Execution not Limited to Scope |
| CVE-2025-53121 | 2025-06-26 | Stored XSS in multiple 33.0.8files in opennms/opennms |
| CVE-2025-5995 | 2025-06-26 | Canon EOS Webcam Utility Pro for MAC OS contains an insecure permission issue potentially leading to code execution and privilege escalation |
| CVE-2025-49592 | 2025-06-26 | n8n Login Flow has Open Redirect Vulnerability |
| CVE-2025-53122 | 2025-06-26 | SQLi in OpenNMS Horizon and Meridian |
| CVE-2013-1424 | 2025-06-26 | Buffer overflow vulnerability in matplotlib.This issue affects matplotlib: before upstream commit ba4016014cb4fb4927e36ce8ea429fed47dcb787. |
| CVE-2025-52555 | 2025-06-26 | CephFS Permission Escalation Vulnerability in Ceph Fuse mounted FS |
| CVE-2014-0468 | 2025-06-26 | Vulnerability in fusionforge in the shipped Apache configuration, where the web server may execute scripts that the users would have uploaded in their raw SCM repositories (SVN, Git, Bzr...). This... |
| CVE-2014-7210 | 2025-06-26 | pdns specific as packaged in Debian in version before 3.3.1-1 creates a too privileged MySQL user. It was discovered that the maintainer scripts of pdns-backend-mysql grant too wide database permissions... |
| CVE-2014-6274 | 2025-06-26 | S3 and Glacier remotes creds embedded in the git repo were not encrypted |
| CVE-2015-0842 | 2025-06-26 | yubiserver before 0.6 is prone to SQL injection issues, potentially leading to an authentication bypass. |
| CVE-2015-0843 | 2025-06-26 | yubiserver before 0.6 is prone to buffer overflows due to misuse of sprintf. |
| CVE-2015-0849 | 2025-06-26 | pycode-browser before version 1.0 is prone to a predictable temporary file vulnerability. |
| CVE-2025-5731 | 2025-06-26 | Infinispan: credential leakage in infinispan cli |
| CVE-2025-6731 | 2025-06-26 | yzcheng90 X-SpringBoot APK File apk uploadApk path traversal |
| CVE-2025-6732 | 2025-06-26 | UTT HiPER 840G API setSysAdm strcpy buffer overflow |
| CVE-2025-6733 | 2025-06-26 | UTT HiPER 840G API formConfigDnsFilterGlobal sub_416928 buffer overflow |
| CVE-2025-3699 | 2025-06-26 | Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 Version 3.37 and prior, G-50-W Version 3.37 and prior, G-50A Version 3.37 and prior, GB-50 Version 3.37 and prior,... |
| CVE-2025-6734 | 2025-06-26 | UTT HiPER 840G API formP2PLimitConfig sub_484E40 buffer overflow |
| CVE-2025-6735 | 2025-06-26 | juzaweb CMS Import Page imports improper authorization |
| CVE-2025-6736 | 2025-06-26 | juzaweb CMS Add New Themes Page install improper authorization |
| CVE-2025-44163 | 2025-06-27 | RaspAP raspap-webgui 3.3.1 is vulnerable to Directory Traversal in ajax/networking/get_wgkey.php. An authenticated attacker can send a crafted POST request with a path traversal payload in the `entity` parameter to overwrite... |
| CVE-2025-44557 | 2025-06-27 | A state machine transition flaw in the Bluetooth Low Energy (BLE) stack of Cypress PSoC4 v3.66 allows attackers to bypass the pairing process and authentication via a crafted pairing_failed packet. |
| CVE-2025-44559 | 2025-06-27 | An issue in the Bluetooth Low Energy (BLE) stack of Realtek RTL8762E BLE SDK v1.4.0 allows attackers within Bluetooth range to cause a Denial of Service (DoS) via sending a... |
| CVE-2025-45729 | 2025-06-27 | D-Link DIR-823-Pro 1.02 has improper permission control, allowing unauthorized users to turn on and access Telnet services. |
| CVE-2025-45737 | 2025-06-27 | An issue in NetEase (Hangzhou) Network Co., Ltd NeacSafe64 Driver before v1.0.0.8 allows attackers to escalate privileges via sending crafted IOCTL commands to the NeacSafe64.sys component. |
| CVE-2025-45851 | 2025-06-27 | An issue in Hikvision DS-2CD1321-I V5.7.21 build 230819 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the endpoint /ISAPI/Security/challenge. The vendor has... |
| CVE-2025-46415 | 2025-06-27 | A race condition in the Nix, Lix, and Guix package managers allows the removal of content from arbitrary folders. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before... |
| CVE-2025-46416 | 2025-06-27 | The Nix, Lix, and Guix package managers allow a bypass of build isolation in which a user can elevate their privileges to the build user account (e.g., nixbld or guixbuild).... |
| CVE-2025-47818 | 2025-06-27 | Flock Safety Gunshot Detection devices before 1.3 have a hard-coded password for a connection. |
| CVE-2025-47819 | 2025-06-27 | Flock Safety Gunshot Detection devices before 1.3 have an on-chip debug interface with improper access control. |
| CVE-2025-47820 | 2025-06-27 | Flock Safety Gunshot Detection devices before 1.3 have cleartext storage of code. |
| CVE-2025-47821 | 2025-06-27 | Flock Safety Gunshot Detection devices before 1.3 have a hardcoded password for a system. |
| CVE-2025-47822 | 2025-06-27 | Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have an on-chip debug interface with improper access control. |
| CVE-2025-47823 | 2025-06-27 | Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have a hardcoded password for a system. |
| CVE-2025-47824 | 2025-06-27 | Flock Safety LPR (License Plate Reader) devices with firmware through 2.2 have cleartext storage of code. |
| CVE-2025-50367 | 2025-06-27 | A stored blind XSS vulnerability exists in the Contact Page of the Phpgurukul Medical Card Generation System 1.0 mcgs/contact.php. The name field fails to properly sanitize user input, allowing an... |
| CVE-2025-50369 | 2025-06-27 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the Manage Card functionality (/mcgs/admin/manage-card.php) of PHPGurukul Medical Card Generation System 1.0. The vulnerable endpoint allows an authorized admin to delete medical... |
| CVE-2025-50370 | 2025-06-27 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the Inquiry Management functionality /mcgs/admin/readenq.php of the Phpgurukul Medical Card Generation System 1.0. The vulnerable endpoint allows an authenticated admin to delete... |
| CVE-2025-50528 | 2025-06-27 | A buffer overflow vulnerability exists in the fromNatStaticSetting function of Tenda AC6 <=V15.03.05.19 via the page parameter. |
| CVE-2025-52207 | 2025-06-27 | PBXCoreREST/Controllers/Files/PostController.php in MikoPBX through 2024.1.114 allows uploading a PHP script to an arbitrary directory. |
| CVE-2025-52991 | 2025-06-27 | The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using... |
| CVE-2025-52992 | 2025-06-27 | The Nix, Lix, and Guix package managers fail to properly set permissions when a derivation build fails. This may allow arbitrary processes to modify the content of a store outside... |