CVE List - 2025 / July
Showing 2801 - 2900 of 3776 CVEs for July 2025 (Page 29 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-44109 | 2025-07-23 | A URL redirection in Pinokio v3.6.23 allows attackers to redirect victim users to attacker-controlled pages. |
| CVE-2025-46099 | 2025-07-23 | In Pluck CMS 4.7.20-dev, an authenticated attacker can upload or create a crafted PHP file under the albums module directory and access it via the module routing logic in albums.site.php,... |
| CVE-2025-46171 | 2025-07-23 | vBulletin 3.8.7 is vulnerable to a denial-of-service condition via the misc.php?do=buddylist endpoint. If an authenticated user has a sufficiently large buddy list, processing the list can consume excessive memory, exhausting... |
| CVE-2025-46686 | 2025-07-23 | Redis through 8.0.3 allows memory consumption via a multi-bulk command composed of many bulks, sent by an authenticated user. This occurs because the server allocates memory for the command arguments... |
| CVE-2025-47187 | 2025-07-23 | A vulnerability in the Mitel 6800 Series, 6900 Series, and 6900w Series SIP Phones through 6.4 SP4 (R6.4.0.4006), and the 6970 Conference Unit through 6.4 SP4 (R6.4.0.4006) or version V1... |
| CVE-2025-50477 | 2025-07-23 | A URL redirection in lbry-desktop v0.53.9 allows attackers to redirect victim users to attacker-controlled pages. |
| CVE-2025-50481 | 2025-07-23 | A cross-site scripting (XSS) vulnerability in the component /blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a blog... |
| CVE-2025-54120 | 2025-07-23 | PCL Community Edition exposes login credentials in logs |
| CVE-2025-8060 | 2025-07-23 | Tenda AC23 httpd setMacFilterCfg sub_46C940 stack-based overflow |
| CVE-2025-6215 | 2025-07-23 | Omnishop <= 1.0.9 - Missing Registration Restriction to Unauthenticated Account Creation via /users/register REST Endpoint |
| CVE-2025-6054 | 2025-07-23 | YANewsflash <= 1.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2025-5818 | 2025-07-23 | Featured Image Plus – Quick & Bulk Edit with Unsplash <= 1.6.4 - Authenticated (Admin+) Server-Side Request Forgery |
| CVE-2025-6261 | 2025-07-23 | Fleetwire Fleet Management Plugin <= 1.0.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via fleetwire_list Shortcode |
| CVE-2025-6190 | 2025-07-23 | Realty Portal – Agent <= 0.3.9 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via rp_user_profile() Function |
| CVE-2025-6214 | 2025-07-23 | Omnishop <= 1.0.9 - Cross-Site Request Forgery to Arbitrary User Deletion via /users/delete REST Endpoint |
| CVE-2025-5753 | 2025-07-23 | Valuation Calculator <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via link Parameter |
| CVE-2025-7722 | 2025-07-23 | Social Streams <= 1.2.1 - Authenticated (Subscriber+) Privilege Escalation |
| CVE-2025-42947 | 2025-07-23 | Code Injection vulnerability in SAP FICA ODN framework |
| CVE-2024-53286 | 2025-07-23 | Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with... |
| CVE-2024-53287 | 2025-07-23 | Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in VPN Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to... |
| CVE-2024-53288 | 2025-07-23 | Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in NTP Region functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to... |
| CVE-2025-43881 | 2025-07-23 | Improper validation of specified quantity in input issue exists in Real-time Bus Tracking System versions prior to 1.1. If exploited, a denial of service (DoS) condition may be caused by... |
| CVE-2025-8020 | 2025-07-23 | All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide an IP or hostname that resolves to a multicast IP address (224.0.0.0/4)... |
| CVE-2025-8021 | 2025-07-23 | All versions of the package files-bucket-server are vulnerable to Directory Traversal where an attacker can traverse the file system and access files outside of the intended directory. |
| CVE-2025-54454 | 2025-07-23 | Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54455 | 2025-07-23 | Use of Hard-coded Credentials vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54449 | 2025-07-23 | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54450 | 2025-07-23 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54451 | 2025-07-23 | Improper Control of Generation of Code ('Code Injection') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54452 | 2025-07-23 | Improper Authentication vulnerability in Samsung Electronics MagicINFO 9 Server allows Authentication Bypass. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54453 | 2025-07-23 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54448 | 2025-07-23 | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54445 | 2025-07-23 | Improper Restriction of XML External Entity Reference vulnerability in Samsung Electronics MagicINFO 9 Server allows Server Side Request Forgery. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54446 | 2025-07-23 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server. This issue affects MagicINFO... |
| CVE-2025-54447 | 2025-07-23 | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54440 | 2025-07-23 | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54441 | 2025-07-23 | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54442 | 2025-07-23 | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54443 | 2025-07-23 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server. This issue affects MagicINFO... |
| CVE-2025-54444 | 2025-07-23 | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-54438 | 2025-07-23 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Samsung Electronics MagicINFO 9 Server allows Upload a Web Shell to a Web Server. This issue affects MagicINFO... |
| CVE-2025-54439 | 2025-07-23 | Unrestricted Upload of File with Dangerous Type vulnerability in Samsung Electronics MagicINFO 9 Server allows Code Injection. This issue affects MagicINFO 9 Server: less than 21.1080.0. |
| CVE-2025-6174 | 2025-07-23 | WordPress Qwizcards <= 3.9.4 - Reflected XSS |
| CVE-2025-31700 | 2025-07-23 | A vulnerability has been found in Dahua products. Attackers could exploit a buffer overflow vulnerability by sending specially crafted malicious packets, potentially causing service disruption (e.g., crashes) or remote code... |
| CVE-2025-31701 | 2025-07-23 | A vulnerability has been found in Dahua products. Attackers could exploit a buffer overflow vulnerability by sending specially crafted malicious packets, potentially causing service disruption (e.g., crashes) or remote code... |
| CVE-2025-8070 | 2025-07-23 | Windows service registered in the system registry with an unquoted ImagePath (unquoted service path vulnerability) |
| CVE-2025-41683 | 2025-07-23 | Weidmueller: Root Command Injection via Unsanitized Input in event_mail_test Endpoint |
| CVE-2025-41684 | 2025-07-23 | Weidmueller: Root Command Injection via Unsanitized Input in tls_iotgen_setting Endpoint |
| CVE-2025-41687 | 2025-07-23 | Weidmueller: Unauthenticated Stack-Based Buffer Overflow in u-link Management API |
| CVE-2025-53882 | 2025-07-23 | The logrotate configuration in the python-mailman package of openSUSE allows the mailman user to send SIGHUP to arbitrary processes |
| CVE-2025-27930 | 2025-07-23 | Stored XSS |
| CVE-2024-41751 | 2025-07-23 | IBM SmartCloud Analytics - Log Analysis security bypass |
| CVE-2024-40686 | 2025-07-23 | IBM SmartCloud Analytics - Log Analysis HOST header injection |
| CVE-2025-50127 | 2025-07-23 | Extension - dj-extensions.com - SQLi vulnerability in DJ-Flyer component 1.0-3.2 for Joomla |
| CVE-2024-40682 | 2025-07-23 | IBM SmartCloud Analytics - Log Analysis denial of service |
| CVE-2025-54296 | 2025-07-23 | Extension - mooj.org - Stored XSS vulnerability in ProFiles component 1.0-1.5.0 for Joomla |
| CVE-2024-41750 | 2025-07-23 | IBM SmartCloud Analytics - Log Analysis security bypass |
| CVE-2025-54295 | 2025-07-23 | Extension - dj-extensions.com - Reflected XSS vulnerability in DJ-Reviews component 1.0-1.3.6 for Joomla |
| CVE-2025-54294 | 2025-07-23 | Extension - stackideas.com - SQLi vulnerability in Komento component 4.0.0-4.0.7 for Joomla |
| CVE-2025-54297 | 2025-07-23 | Extension - compojoom.com - Stored XSS vulnerability in CComment component 5.0.0-6.1.14 for Joomla |
| CVE-2025-4296 | 2025-07-23 | Open Redirect in HotelRunner's B2B |
| CVE-2024-12310 | 2025-07-23 | Bypass of Login Screen on Shared Kiosk Workstations |
| CVE-2025-4411 | 2025-07-23 | XSS in Dataprom Informatics' PACS-ACSS |
| CVE-2025-40599 | 2025-07-23 | An authenticated arbitrary file upload vulnerability exists in the SMA 100 series web management interface. A remote attacker with administrative privileges can exploit this flaw to upload arbitrary files to... |
| CVE-2025-54090 | 2025-07-23 | Apache HTTP Server: 'RewriteCond expr' always evaluates to true in 2.4.64 |
| CVE-2022-4978 | 2025-07-23 | Steppschuh Remote Control Server 3.1.1.12 Unauthenticated RCE |
| CVE-2018-25114 | 2025-07-23 | osCommerce 2.3.4.1 Installer Unauthenticated Configuration File Injection PHP Code Execution |
| CVE-2018-25113 | 2025-07-23 | Dicoogle PACS Web Server 2.5.0 Unauthenticated Path Traversal |
| CVE-2017-20198 | 2025-07-23 | DC/OS Marathon UI < 1.9.0 Unauthenticated RCE via Docker Mount Abuse |
| CVE-2016-15045 | 2025-07-23 | Deepin lastore-daemon Privilege Escalation via Unsigned .deb Installation |
| CVE-2015-10141 | 2025-07-23 | Xdebug Remote Debugger Unauthenticated OS Command Execution |
| CVE-2010-10012 | 2025-07-23 | httpdASM 0.92 Path Traversal |
| CVE-2025-36116 | 2025-07-23 | IBM Db2 Mirror for i cross-site websocket hijacking |
| CVE-2025-36117 | 2025-07-23 | IBM Db2 Mirror for i session fixation |
| CVE-2025-40596 | 2025-07-23 | A stack-based buffer overflow vulnerability in the SMA100 series web interface allows a remote, unauthenticated attacker to cause a denial of service (DoS) or potentially achieve code execution. |
| CVE-2025-33020 | 2025-07-23 | IBM Engineering Systems Design Rhapsody information disclosure |
| CVE-2025-40597 | 2025-07-23 | A heap-based buffer overflow vulnerability in the SMA100 series web interface allows a remote, unauthenticated attacker to cause a denial of service (DoS) or potentially achieve code execution. |
| CVE-2025-33076 | 2025-07-23 | IBM Engineering Systems Design Rhapsody code execution |
| CVE-2025-33077 | 2025-07-23 | IBM Engineering Systems Design Rhapsody code execution |
| CVE-2025-40598 | 2025-07-23 | A reflected cross-site scripting (XSS) vulnerability exists in the SMA100 series web interface, allowing a remote, unauthenticated attacker to potentially execute arbitrary JavaScript code. |
| CVE-2025-6018 | 2025-07-23 | pam-config: local privilege escalation (LPE) from an unprivileged user to allow_active in PAM |
| CVE-2025-8069 | 2025-07-23 | Local Privilege Escalation Vulnerability in AWS Client VPN Windows Client |
| CVE-2025-2633 | 2025-07-23 | Out of Bounds Read Vulnerability in NI LabVIEW when loading fonts |
| CVE-2025-2634 | 2025-07-23 | Out of Bounds Read Vulnerability in NI LabVIEW when building font map |
| CVE-2025-4700 | 2025-07-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab |
| CVE-2025-4439 | 2025-07-23 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab |
| CVE-2025-8058 | 2025-07-23 | The regcomp function in the GNU C library version from 2.4 to 2.41 is subject to a double free if some previous allocation fails. It can be accomplished either by... |
| CVE-2025-53942 | 2025-07-23 | authentik has an insufficient check for account active status during OAuth/SAML authentication |
| CVE-2025-47281 | 2025-07-23 | Kyverno's Improper JMESPath Variable Evaluation Leads to Denial of Service |
| CVE-2025-53537 | 2025-07-23 | LibHTP's memory leak with lzma can lead to resource starvation |
| CVE-2025-54377 | 2025-07-23 | Roo Code Lacks Line Break Validation in its Command Execution Tool |
| CVE-2025-32019 | 2025-07-23 | Harbor's repository description page allows for XSS |
| CVE-2016-15044 | 2025-07-23 | Kaltura < 11.1.0-2 PHP Object Injection RCE |
| CVE-2025-54365 | 2025-07-23 | fastapi-guard patch contains bypassable RegEx |
| CVE-2025-45702 | 2025-07-24 | SoftPerfect Pty Ltd Connection Quality Monitor v1.1 was discovered to store all credentials in plaintext. |
| CVE-2025-45731 | 2025-07-24 | A group deletion race condition in 2FAuth v5.5.0 causes data inconsistencies and orphaned accounts when a group is deleted while other operations are pending. |
| CVE-2025-51082 | 2025-07-24 | Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow at /goform/fast_setting_wifi_set. Manipulation of the argument `timeZone` leads to a stack-based buffer overflow. |
| CVE-2025-51085 | 2025-07-24 | Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow at /goform/SetSysTimeCfg. Manipulation of the arguments `timeZone` and `timeType` leads to a stack-based buffer overflow. |
| CVE-2025-51087 | 2025-07-24 | Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow at /goform/saveParentControlInfo. Manipulation of the argument `time` leads to a stack-based buffer overflow. |
| CVE-2025-51088 | 2025-07-24 | Tenda AC8V4 V16.03.34.06 was discovered to contain a stack overflow at /goform/WifiGuestSet. Manipulation of the argument `shareSpeed` leads to a stack-based buffer overflow. |
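The CVE-2025-8020 entry above (the npm package private-ip) is the one row on this page that names a concrete check worth showing: an SSRF guard that forgets the multicast range 224.0.0.0/4 will let a request through to an address that is not globally routable. The block below is an added example written for this page, not code from the private-ip package, and it makes two assumptions: the caller has already resolved any hostname and passes the resulting dotted-quad string (so the guard runs on the post-resolution address, which is where the multicast address in the CVE description comes from), and the blocklist is the IANA special-purpose IPv4 registry plus multicast, which is an editorial choice rather than anything the CVE text specifies.

```javascript
// Added example, not the private-ip package's code: an IPv4 "safe to fetch
// from?" guard that treats multicast (224.0.0.0/4) as non-public, the gap
// described for CVE-2025-8020. Assumes the caller already resolved any
// hostname and passes the resulting dotted-quad string.

// Ranges the guard refuses (assumed policy: IANA special-purpose blocks
// plus multicast). 240.0.0.0/4 also covers 255.255.255.255.
const BLOCKED_IPV4_CIDRS = [
  '0.0.0.0/8',        // "this" network
  '10.0.0.0/8',       // private
  '100.64.0.0/10',    // carrier-grade NAT
  '127.0.0.0/8',      // loopback
  '169.254.0.0/16',   // link-local (cloud metadata endpoints live here)
  '172.16.0.0/12',    // private
  '192.0.0.0/24',     // IETF protocol assignments
  '192.0.2.0/24',     // TEST-NET-1
  '192.168.0.0/16',   // private
  '198.18.0.0/15',    // benchmarking
  '198.51.100.0/24',  // TEST-NET-2
  '203.0.113.0/24',   // TEST-NET-3
  '224.0.0.0/4',      // multicast: the range the CVE says private-ip missed
  '240.0.0.0/4',      // reserved and limited broadcast
];

// Strict dotted-quad parser: exactly four decimal octets, no leading zeros,
// so hex, octal and shorthand spellings (0x7f.0.0.1, 0177.0.0.1, 127.1)
// are rejected instead of being silently reinterpreted.
function parseIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const part = m[i];
    if (part.length > 1 && part[0] === '0') return null; // leading zero
    const v = Number(part);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n; // unsigned 32-bit value as a Number
}

// True when addr (as returned by parseIPv4) falls inside the CIDR block.
function cidrContains(cidr, addr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const baseN = parseIPv4(base);
  // Build the prefix mask as an unsigned 32-bit number; JS shifts are mod 32,
  // so a /0 prefix is special-cased.
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((baseN & mask) >>> 0);
}

// Returns true only for a strictly formed, globally routable unicast IPv4
// address. Anything unparsable is rejected, i.e. the guard fails closed.
function isPublicIPv4(s) {
  const addr = parseIPv4(s);
  if (addr === null) return false;
  return !BLOCKED_IPV4_CIDRS.some((c) => cidrContains(c, addr));
}

// Constructed sample inputs: the multicast case from the CVE, a metadata
// address, a public address, and two filter-bypass spellings.
for (const candidate of ['224.0.0.1', '169.254.169.254', '8.8.8.8', '0x7f.0.0.1', '127.1']) {
  console.log(candidate, isPublicIPv4(candidate) ? 'public' : 'blocked');
}
```

Run the check on the address you are about to connect to, not only on the hostname the user typed; a resolver can hand back a multicast or link-local address for an innocent-looking name, which is exactly the path the CVE description outlines.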