CVE List - 2025 / July
Showing 2701 - 2800 of 3776 CVEs for July 2025 (Page 28 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-51862 | 2025-07-22 | Insecure Direct Object Reference (IDOR) vulnerability in TelegAI (telegai.com) thru 2025-05-26 in its chat component. An attacker can exploit this IDOR to tamper with other users' conversations. Additionally, malicious contents and... |
| CVE-2025-51863 | 2025-07-22 | Self Cross Site Scripting (XSS) vulnerability in ChatGPT Unli (ChatGPTUnli.com) thru 2025-05-26 allows attackers to execute arbitrary code via a crafted SVG file to the chat interface. |
| CVE-2025-51864 | 2025-07-22 | A reflected cross-site scripting (XSS) vulnerability exists in AIBOX LLM chat (chat.aibox365.cn) through 2025-05-27, allowing attackers to hijack accounts through stolen JWT tokens. |
| CVE-2025-51865 | 2025-07-22 | Ai2 playground web service (playground.allenai.org) LLM chat through 2025-06-03 is vulnerable to Insecure Direct Object Reference (IDOR), allowing attackers to gain sensitive information via enumerating thread keys in the URL. |
| CVE-2025-51867 | 2025-07-22 | Insecure Direct Object Reference (IDOR) vulnerability in Deepfiction AI (deepfiction.ai) thru June 3, 2025, allowing attackers to chat with the LLM using other users' credits via sensitive information gained by... |
| CVE-2025-7946 | 2025-07-22 | PHPGurukul Apartment Visitors Management System HTTP POST Request search-visitor.php cross site scripting |
| CVE-2025-7947 | 2025-07-22 | jshERP Account delete improper authorization |
| CVE-2025-7948 | 2025-07-22 | jshERP updatePwd password recovery |
| CVE-2025-7949 | 2025-07-22 | Sanluan PublicCMS preview.html redirect |
| CVE-2025-5240 | 2025-07-22 | CRM and Lead Management by vcita <= 2.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via type Parameter |
| CVE-2025-6831 | 2025-07-22 | User Registration <= 4.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via urcr_restrict Shortcode |
| CVE-2015-10137 | 2025-07-22 | Website Contact Form With File Upload <= 1.3.4 - Arbitrary File Upload |
| CVE-2012-10020 | 2025-07-22 | FoxyPress <= 0.4.2.1 - Arbitrary File Upload |
| CVE-2025-7950 | 2025-07-22 | code-projects Public Chat Room login.php sql injection |
| CVE-2025-7951 | 2025-07-22 | code-projects Public Chat Room send_message.php cross site scripting |
| CVE-2025-7952 | 2025-07-22 | TOTOLINK T6 MQTT Packet wireless.so ckeckKeepAlive command injection |
| CVE-2025-7953 | 2025-07-22 | Sanluan PublicCMS viewer.html redirect |
| CVE-2025-7495 | 2025-07-22 | WP-Members <= 3.5.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-7644 | 2025-07-22 | Pixel Gallery Addons for Elementor – Easy Grid, Creative Gallery, Drag and Drop Grid, Custom Grid Layout, Portfolio Gallery <= 1.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-6585 | 2025-07-22 | WP JobHunt <= 7.2 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary Account Deletion |
| CVE-2025-52580 | 2025-07-22 | Insertion of sensitive information into log file issue exists in "region PAY" App for Android prior to 1.5.28. If exploited, sensitive user information may be exposed to an attacker who... |
| CVE-2025-7645 | 2025-07-22 | Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) <= 3.2.8 - Unauthenticated Arbitrary File Deletion Triggered via Admin Form Submission Deletion |
| CVE-2025-38352 | 2025-07-22 | posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() |
| CVE-2025-7687 | 2025-07-22 | Latest Post Accordian Slider <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2025-7692 | 2025-07-22 | Orion Login with SMS <= 1.0.5 - Authenticated Bypass via Weak OTP |
| CVE-2025-6082 | 2025-07-22 | Birth Chart Compatibility <= 2.0 - Unauthenticated Full Path Exposure |
| CVE-2025-7685 | 2025-07-22 | Like & Share My Site <= 0.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2025-6213 | 2025-07-22 | Nginx Cache Purge Preload <= 2.1.1 - Authenticated (Administrator+) Remote Code Execution |
| CVE-2025-6187 | 2025-07-22 | bSecure 1.3.7 - 1.7.9 - Missing Authorization to Unauthenticated Privilege Escalation via order_info REST Endpoint |
| CVE-2025-53472 | 2025-07-22 | WRC-BE36QS-B and WRC-W701-B contain an improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in WebGUI. If exploited, an arbitrary OS command may be executed... |
| CVE-2025-46267 | 2025-07-22 | Hidden functionality issue exists in WRC-BE36QS-B and WRC-W701-B. If exploited, the product's hidden debug function may be enabled by a remote attacker who can log in to WebGUI. |
| CVE-2025-7427 | 2025-07-22 | Uncontrolled Search Path Element in Arm Development Studio before 2025 |
| CVE-2025-7899 | 2025-07-22 | Insecure Direct Object Reference in extension "powermail" (powermail) |
| CVE-2025-7900 | 2025-07-22 | Insecure Direct Object Reference in extension "femanager" (femanager) |
| CVE-2025-4285 | 2025-07-22 | SQLi in Rolantis Information Technologies' Agentis |
| CVE-2025-4284 | 2025-07-22 | Reflected XSS in Rolantis Information Technologies' Agentis |
| CVE-2025-7705 | 2025-07-22 | Authentication bypass due to compatibility mode enabled by default |
| CVE-2025-34143 | 2025-07-22 | ETQ Reliance CG Authentication Bypass via Trailing Space RCE |
| CVE-2025-34142 | 2025-07-22 | ETQ Reliance CG < SE.2025.1 / < 2025.1.2 XXE Injection in SSO SAML Handler |
| CVE-2025-34140 | 2025-07-22 | ETQ Reliance CG/NXG API Authorization Bypass via ;localized-text URI Suffix |
| CVE-2025-34141 | 2025-07-22 | ETQ Reliance CG < SE.2025.1 Reflected XSS in `SQLConverterServlet` |
| CVE-2015-10140 | 2025-07-22 | Ajax Load More < 2.8.1.2 - Subscriber+ File Upload & Deletion |
| CVE-2025-8017 | 2025-07-22 | Tenda AC7 httpd setMacFilterCfg formSetMacFilterCfg stack-based overflow |
| CVE-2025-4294 | 2025-07-22 | XSS in HotelRunner's B2B |
| CVE-2025-4295 | 2025-07-22 | Host Header Injection in HotelRunner's B2B |
| CVE-2025-4878 | 2025-07-22 | Libssh: use of uninitialized variable in privatekey_from_file() |
| CVE-2025-8018 | 2025-07-22 | code-projects Food Ordering Review System reservation_page.php sql injection |
| CVE-2025-8015 | 2025-07-22 | Shortcodes Ultimate <= 7.4.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Title and Slide Link |
| CVE-2025-35966 | 2025-07-22 | A null pointer dereference vulnerability exists in the CDB2SQLQUERY protocol buffer message handling of Bloomberg Comdb2 8.1. A specially crafted protocol buffer message can lead to a denial of service.... |
| CVE-2025-36512 | 2025-07-22 | A denial of service vulnerability exists in the Bloomberg Comdb2 8.1 database when handling a distributed transaction heartbeat. A specially crafted protocol buffer message can lead to a denial of... |
| CVE-2025-48498 | 2025-07-22 | A null pointer dereference vulnerability exists in the Distributed Transaction component of Bloomberg Comdb2 8.1 when processing a number of fields used for coordination. A specially crafted protocol buffer message... |
| CVE-2025-46354 | 2025-07-22 | A denial of service vulnerability exists in the Distributed Transaction Commit/Abort Operation functionality of Bloomberg Comdb2 8.1. A specially crafted network packet can lead to a denial of service. An... |
| CVE-2025-36520 | 2025-07-22 | A null pointer dereference vulnerability exists in the net_connectmsg Protocol Buffer Message functionality of Bloomberg Comdb2 8.1. A specially crafted network packet can lead to a denial of service. An... |
| CVE-2025-8019 | 2025-07-22 | Shenzhen Libituo Technology LBT-T300-T310 appy.cgi sub_40B6F0 buffer overflow |
| CVE-2025-7371 | 2025-07-22 | Okta On-Premises Provisioning (OPP) agents log certain user data during administrator-initiated password resets. This vulnerability allows an attacker with access to the local servers running OPP agents to retrieve user... |
| CVE-2025-5042 | 2025-07-22 | RFA File Parsing Out-of-Bounds Read Vulnerability |
| CVE-2025-6523 | 2025-07-22 | Use of weak credentials in emergency authentication component in Devolutions Server allows an unauthenticated attacker to bypass authentication via brute forcing the short emergency codes generated by the server within... |
| CVE-2025-6741 | 2025-07-22 | Improper access control in secure message component in Devolutions Server allows an authenticated user to steal unauthorized entries via the secure message entry attachment feature. This issue affects the following... |
| CVE-2024-38335 | 2025-07-22 | IBM Security QRadar Network Threat Analytics denial of service |
| CVE-2025-7723 | 2025-07-22 | Authenticated command injection on VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2 |
| CVE-2025-7724 | 2025-07-22 | Unauthenticated command injection on VIGI NVR1104H-4P V1 and VIGI NVR2016H-16MP V2 |
| CVE-2025-8027 | 2025-07-22 | JavaScript engine only wrote partial return value to stack |
| CVE-2025-8028 | 2025-07-22 | Large branch table could lead to truncated instruction |
| CVE-2025-8029 | 2025-07-22 | javascript: URLs executed on object and embed tags |
| CVE-2025-8036 | 2025-07-22 | DNS rebinding circumvents CORS |
| CVE-2025-8037 | 2025-07-22 | Nameless cookies shadow secure cookies |
| CVE-2025-8030 | 2025-07-22 | Potential user-assisted code execution in “Copy as cURL” command |
| CVE-2025-8031 | 2025-07-22 | Incorrect URL stripping in CSP reports |
| CVE-2025-8032 | 2025-07-22 | XSLT documents could bypass CSP |
| CVE-2025-8038 | 2025-07-22 | CSP frame-src was not correctly enforced for paths |
| CVE-2025-8039 | 2025-07-22 | Search terms persisted in URL bar |
| CVE-2025-8033 | 2025-07-22 | Incorrect JavaScript state machine for generators |
| CVE-2025-8034 | 2025-07-22 | Memory safety bugs fixed in Firefox ESR 115.26, Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 |
| CVE-2025-8040 | 2025-07-22 | Memory safety bugs fixed in Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 |
| CVE-2025-8035 | 2025-07-22 | Memory safety bugs fixed in Firefox ESR 128.13, Thunderbird ESR 128.13, Firefox ESR 140.1, Thunderbird ESR 140.1, Firefox 141 and Thunderbird 141 |
| CVE-2025-8043 | 2025-07-22 | Focus incorrectly truncated URLs towards the beginning instead of around the origin. This vulnerability affects Firefox < 141 and Thunderbird < 141. |
| CVE-2025-8044 | 2025-07-22 | Memory safety bugs fixed in Firefox 141 and Thunderbird 141 |
| CVE-2025-8010 | 2025-07-22 | Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2025-8011 | 2025-07-22 | Type Confusion in V8 in Google Chrome prior to 138.0.7204.168 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) |
| CVE-2025-53703 | 2025-07-22 | DuraComm DP-10iN-100-MU Cleartext Transmission of Sensitive Information |
| CVE-2025-54138 | 2025-07-22 | LibreNMS has Authenticated Local File Inclusion in ajax_form.php that Allows RCE |
| CVE-2025-54137 | 2025-07-22 | NodeJS version of the HAX CMS application is distributed with Default Secrets |
| CVE-2025-54140 | 2025-07-22 | pyLoad has Path Traversal Vulnerability in json/upload Endpoint that allows Arbitrary File Write |
| CVE-2025-54072 | 2025-07-22 | yt-dlp allows `--exec` command injection when using placeholder on Windows |
| CVE-2025-54141 | 2025-07-22 | ViewVC's standalone server exposes arbitrary server filesystem content |
| CVE-2025-48733 | 2025-07-22 | DuraComm DP-10iN-100-MU Missing Authentication for Critical Function |
| CVE-2025-53538 | 2025-07-22 | Suricata's mishandling of data on HTTP2 stream 0 can lead to resource starvation |
| CVE-2025-41425 | 2025-07-22 | DuraComm DP-10iN-100-MU Cross-site Scripting |
| CVE-2025-7766 | 2025-07-22 | Lantronix Provisioning Manager Improper Restriction of XML External Entity Reference |
| CVE-2025-43020 | 2025-07-22 | Poly Clariti Manager - Multiple Security Vulnerabilities |
| CVE-2025-43021 | 2025-07-22 | Poly Clariti Manager - Multiple Security Vulnerabilities |
| CVE-2025-43022 | 2025-07-22 | Poly Clariti Manager - Multiple Security Vulnerabilities |
| CVE-2025-43483 | 2025-07-22 | Poly Clariti Manager - Multiple Security Vulnerabilities |
| CVE-2025-43484 | 2025-07-22 | Poly Clariti Manager - Multiple Security Vulnerabilities |
| CVE-2025-43485 | 2025-07-22 | Poly Clariti Manager - Multiple Security Vulnerabilities |
| CVE-2025-43486 | 2025-07-22 | Poly Clariti Manager - Multiple Security Vulnerabilities |
| CVE-2025-54139 | 2025-07-22 | HAX CMS' application pages are vulnerable to clickjacking |
| CVE-2025-43487 | 2025-07-22 | Poly Clariti Manager - Multiple Security Vulnerabilities |
| CVE-2025-43488 | 2025-07-22 | Poly Clariti Manager - Multiple Security Vulnerabilities |
| CVE-2025-43489 | 2025-07-22 | Poly Clariti Manager - Multiple Security Vulnerabilities |