CVE List - 2025 / July
Showing 1201 - 1300 of 3776 CVEs for July 2025 (Page 13 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-38250 | 2025-07-09 | Bluetooth: hci_core: Fix use-after-free in vhci_flush() |
| CVE-2025-38251 | 2025-07-09 | atm: clip: prevent NULL deref in clip_push() |
| CVE-2025-38252 | 2025-07-09 | cxl/ras: Fix CPER handler device confusion |
| CVE-2025-38253 | 2025-07-09 | HID: wacom: fix crash in wacom_aes_battery_handler() |
| CVE-2025-38254 | 2025-07-09 | drm/amd/display: Add sanity checks for drm_edid_raw() |
| CVE-2025-38255 | 2025-07-09 | lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() |
| CVE-2025-38256 | 2025-07-09 | io_uring/rsrc: fix folio unpinning |
| CVE-2025-38257 | 2025-07-09 | s390/pkey: Prevent overflow in size calculation for memdup_user() |
| CVE-2025-38258 | 2025-07-09 | mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write |
| CVE-2025-38259 | 2025-07-09 | ASoC: codecs: wcd9335: Fix missing free of regulator supplies |
| CVE-2025-38260 | 2025-07-09 | btrfs: handle csum tree error with rescue=ibadroots correctly |
| CVE-2025-38261 | 2025-07-09 | riscv: save the SR_SUM status over switches |
| CVE-2025-38262 | 2025-07-09 | tty: serial: uartlite: register uart driver in init |
| CVE-2025-38263 | 2025-07-09 | bcache: fix NULL pointer in cache_set_flush() |
| CVE-2025-38264 | 2025-07-09 | nvme-tcp: sanitize request list handling |
| CVE-2025-6514 | 2025-07-09 | OS command injection in mcp-remote when connecting to untrusted MCP servers |
| CVE-2025-53546 | 2025-07-09 | Folo allows secrets exfiltration via `pull_request_target` |
| CVE-2025-2670 | 2025-07-09 | IBM OpenPages information disclosure |
| CVE-2025-1112 | 2025-07-09 | IBM OpenPages with Watson information disclosure |
| CVE-2025-7204 | 2025-07-09 | Exposure of password hashes via API responses in ConnectWise PSA |
| CVE-2025-7381 | 2025-07-09 | Exposure of sensitive PHP information to an unauthorized control sphere in mautic/mautic images |
| CVE-2025-53650 | 2025-07-09 | Jenkins Credentials Binding Plugin 687.v619cb_15e923f and earlier does not properly mask (i.e., replace with asterisks) credentials present in exception error messages that are written to the build log. |
| CVE-2025-53651 | 2025-07-09 | Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins... |
| CVE-2025-53652 | 2025-07-09 | Jenkins Git Parameter Plugin 439.vb_0e46ca_14534 and earlier does not validate that the Git parameter value submitted to the build matches one of the offered choices, allowing attackers with Item/Build permission... |
| CVE-2025-53653 | 2025-07-09 | Jenkins Aqua Security Scanner Plugin 3.2.8 and earlier stores Scanner Tokens for Aqua API unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users... |
| CVE-2025-53654 | 2025-07-09 | Jenkins Statistics Gatherer Plugin 2.0.3 and earlier stores the AWS Secret Key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with... |
| CVE-2025-53655 | 2025-07-09 | Jenkins Statistics Gatherer Plugin 2.0.3 and earlier does not mask the AWS Secret Key on the global configuration form, increasing the potential for attackers to observe and capture it. |
| CVE-2025-53656 | 2025-07-09 | Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier stores SLM License Access Keys, client secrets, and passwords unencrypted in job config.xml files on the Jenkins controller, where they can be... |
| CVE-2025-53657 | 2025-07-09 | Jenkins ReadyAPI Functional Testing Plugin 1.11 and earlier does not mask SLM License Access Keys, client secrets, and passwords displayed on the job configuration form, increasing the potential for attackers... |
| CVE-2025-53658 | 2025-07-09 | Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not escape the Applitools URL on the build page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure... |
| CVE-2025-53659 | 2025-07-09 | Jenkins QMetry Test Management Plugin 1.13 and earlier stores Qmetry Automation API Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with... |
| CVE-2025-53660 | 2025-07-09 | Jenkins QMetry Test Management Plugin 1.13 and earlier does not mask Qmetry Automation API Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture... |
| CVE-2025-53661 | 2025-07-09 | Jenkins Testsigma Test Plan run Plugin 1.6 and earlier does not mask Testsigma API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture... |
| CVE-2025-53662 | 2025-07-09 | Jenkins IFTTT Build Notifier Plugin 1.2 and earlier stores IFTTT Maker Channel Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with... |
| CVE-2025-53663 | 2025-07-09 | Jenkins IBM Cloud DevOps Plugin 2.0.16 and earlier stores SonarQube authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended... |
| CVE-2025-53664 | 2025-07-09 | Jenkins Apica Loadtest Plugin 1.10 and earlier stores Apica Loadtest LTP authentication tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with... |
| CVE-2025-53665 | 2025-07-09 | Jenkins Apica Loadtest Plugin 1.10 and earlier does not mask Apica Loadtest LTP authentication tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture... |
| CVE-2025-53666 | 2025-07-09 | Jenkins Dead Man's Snitch Plugin 0.1 stores Dead Man's Snitch tokens unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read... |
| CVE-2025-53667 | 2025-07-09 | Jenkins Dead Man's Snitch Plugin 0.1 does not mask Dead Man's Snitch tokens displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
| CVE-2025-53668 | 2025-07-09 | Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read... |
| CVE-2025-53669 | 2025-07-09 | Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
| CVE-2025-53670 | 2025-07-09 | Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by... |
| CVE-2025-53671 | 2025-07-09 | Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe... |
| CVE-2025-53672 | 2025-07-09 | Jenkins Kryptowire Plugin 0.2 and earlier stores the Kryptowire API key unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access... |
| CVE-2025-53673 | 2025-07-09 | Jenkins Sensedia Api Platform tools Plugin 1.0 stores the Sensedia API Manager integration token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by... |
| CVE-2025-53674 | 2025-07-09 | Jenkins Sensedia Api Platform tools Plugin 1.0 does not mask the Sensedia API Manager integration token on the global configuration form, increasing the potential for attackers to observe and capture... |
| CVE-2025-53675 | 2025-07-09 | Jenkins Warrior Framework Plugin 1.2 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or... |
| CVE-2025-53676 | 2025-07-09 | Jenkins Xooa Plugin 0.0.7 and earlier stores the Xooa Deployment Token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access... |
| CVE-2025-53677 | 2025-07-09 | Jenkins Xooa Plugin 0.0.7 and earlier does not mask the Xooa Deployment Token on the global configuration form, increasing the potential for attackers to observe and capture it. |
| CVE-2025-53678 | 2025-07-09 | Jenkins User1st uTester Plugin 1.1 and earlier stores the uTester JWT token unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with... |
| CVE-2025-53742 | 2025-07-09 | Jenkins Applitools Eyes Plugin 1.16.5 and earlier stores Applitools API keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read... |
| CVE-2025-53743 | 2025-07-09 | Jenkins Applitools Eyes Plugin 1.16.5 and earlier does not mask Applitools API keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them. |
| CVE-2025-53548 | 2025-07-09 | @clerk/backend Performs Insufficient Verification of Data Authenticity |
| CVE-2025-36599 | 2025-07-09 | Dell PowerFlex Manager VM, versions prior to 4.6.2.1, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability,... |
| CVE-2025-53620 | 2025-07-09 | Crashing any Qwik Server |
| CVE-2025-6377 | 2025-07-09 | Arena® Simulation Out-Of-Bounds Write Remote Code Execution Vulnerability |
| CVE-2025-6376 | 2025-07-09 | Arena® Simulation Out-Of-Bounds Write Remote Code Execution Vulnerability |
| CVE-2025-53624 | 2025-07-09 | docusaurus-plugin-content-gists Exposes GitHub Personal Access Token |
| CVE-2025-6970 | 2025-07-09 | Events Manager <= 7.0.3 - Unauthenticated SQL Injection via `orderby` Parameter |
| CVE-2025-6975 | 2025-07-09 | Event Manager <= 7.0.3 - Reflected Cross-Site Scripting via `calendar_header` Parameter |
| CVE-2025-6976 | 2025-07-09 | Events Manager <= 7.0.3 - Authenticated(Contributor+) Stored Cross-Site Scripting via Plugin Shortcodes |
| CVE-2025-0139 | 2025-07-09 | Autonomous Digital Experience Manager: Privilege Escalation (PE) Vulnerability |
| CVE-2025-0140 | 2025-07-09 | GlobalProtect App: Non Admin User Can Disable the GlobalProtect App |
| CVE-2025-0141 | 2025-07-09 | GlobalProtect App: Privilege Escalation (PE) Vulnerability |
| CVE-2023-50458 | 2025-07-10 | In Dradis before 4.11.0, the Output Console shows a job queue that may contain information about other users' jobs. |
| CVE-2024-36697 | 2025-07-10 | A cross-site scripting (XSS) vulnerability in the Admin Login page of Allworx System Software v9.1.9.12 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into... |
| CVE-2025-27889 | 2025-07-10 | Wing FTP Server before 7.4.4 does not properly validate and sanitize the url parameter of the downloadpass.html endpoint, allowing injection of an arbitrary link. If a user clicks a crafted... |
| CVE-2025-28243 | 2025-07-10 | An issue in Alteryx Server v.2023.1.1.460 allows HTML injection via a crafted script to the pages component. |
| CVE-2025-28244 | 2025-07-10 | Insecure Permissions vulnerability in the Local Storage in Alteryx Server 2023.1.1.460 allows remote attackers to obtain valid user session tokens from localStorage, leading to account takeover |
| CVE-2025-28245 | 2025-07-10 | Cross-site scripting (XSS) vulnerability in Alteryx Server 2023.1.1.460 allows remote attackers to inject arbitrary web script or HTML via the notification body. |
| CVE-2025-44251 | 2025-07-10 | Ecovacs Deebot T10 1.7.2 transmits Wi-Fi credentials in cleartext during the pairing process. |
| CVE-2025-45662 | 2025-07-10 | A cross-site scripting (XSS) vulnerability in the component /master/login.php of mpgram-web commit 94baadb allows attackers to execute arbitrary Javascript in the context of a user's browser via a crafted payload. |
| CVE-2025-47811 | 2025-07-10 | In Wing FTP Server through 7.4.4, the administrative web interface (listening by default on port 5466) runs as root or SYSTEM by default. The web application itself offers several legitimate... |
| CVE-2025-47812 | 2025-07-10 | In Wing FTP Server before 7.4.4, the user and admin web interfaces mishandle '\0' bytes, ultimately allowing injection of arbitrary Lua code into user session files. This can be used... |
| CVE-2025-47813 | 2025-07-10 | loginok.html in Wing FTP Server before 7.4.4 discloses the full local installation path of the application when using a long value in the UID cookie. |
| CVE-2025-4406 | 2025-07-10 | wpForo Forum <= 2.4.5 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Avatar |
| CVE-2025-5807 | 2025-07-10 | Gwolle Guestbook <= 4.9.2 - Unauthenticated Stored Cross-Site Scripting via `gwolle_gb_content` Parameter |
| CVE-2025-35983 | 2025-07-10 | Improper Certificate Validation (CWE-295) in the Controller 7000 OneLink implementation could allow an unprivileged attacker to perform a limited denial of service or perform privileged overrides during the initial configuration... |
| CVE-2025-44003 | 2025-07-10 | Missing Release of Resource after Effective Lifetime (CWE-772) in the Gallagher T-Series Reader allows an attacker with physical access to the reader to perform a limited denial of service when... |
| CVE-2025-46406 | 2025-07-10 | A Privilege Context Switching Error (CWE-270) in the Command Center Server could allow a privileged Operator with high level access in one Division to perform limited privileged activities across the... |
| CVE-2025-7387 | 2025-07-10 | Lana Downloads Manager <= 1.10.0 - Authenticated (Administrator+) Stored Cross-Site Scripting |
| CVE-2025-6234 | 2025-07-10 | Hostel < 1.1.5.8 - Reflected XSS |
| CVE-2025-6236 | 2025-07-10 | Hostel < 1.1.5.9 - Admin+ Stored XSS |
| CVE-2025-38265 | 2025-07-10 | serial: jsm: fix NPE during jsm_uart_port_init |
| CVE-2025-38266 | 2025-07-10 | pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms |
| CVE-2025-38267 | 2025-07-10 | ring-buffer: Do not trigger WARN_ON() due to a commit_overrun |
| CVE-2025-38268 | 2025-07-10 | usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work |
| CVE-2025-38269 | 2025-07-10 | btrfs: exit after state insertion failure at btrfs_convert_extent_bit() |
| CVE-2025-38270 | 2025-07-10 | net: drv: netdevsim: don't napi_complete() from netpoll |
| CVE-2025-38271 | 2025-07-10 | net: prevent a NULL deref in rtnl_create_link() |
| CVE-2025-38272 | 2025-07-10 | net: dsa: b53: do not enable EEE on bcm63xx |
| CVE-2025-38273 | 2025-07-10 | net: tipc: fix refcount warning in tipc_aead_encrypt |
| CVE-2025-38274 | 2025-07-10 | fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt() |
| CVE-2025-38275 | 2025-07-10 | phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug |
| CVE-2025-38276 | 2025-07-10 | fs/dax: Fix "don't skip locked entries when scanning entries" |
| CVE-2025-38277 | 2025-07-10 | mtd: nand: ecc-mxic: Fix use of uninitialized variable ret |
| CVE-2025-38278 | 2025-07-10 | octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback |
| CVE-2025-38279 | 2025-07-10 | bpf: Do not include stack ptr register in precision backtracking bookkeeping |
| CVE-2025-38280 | 2025-07-10 | bpf: Avoid __bpf_prog_ret0_warn when jit fails |
| CVE-2025-38281 | 2025-07-10 | wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init |