CVE List - 2025 / July
Showing 2901 - 3000 of 3776 CVEs for July 2025 (Page 30 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-51089 | 2025-07-24 | Tenda AC8V4 V16.03.34.06 was discovered to contain a heap overflow at /goform/GetParentControlInfo. The manipulation of the argument `mac` leads to a heap-based buffer overflow. |
| CVE-2025-4393 | 2025-07-24 | Medtronic MyCareLink Patient Monitor Deserialization Vulnerability |
| CVE-2025-4394 | 2025-07-24 | Medtronic MyCareLink Patient Monitor Unencrypted Filesystem Vulnerability |
| CVE-2025-4395 | 2025-07-24 | Medtronic MyCareLink Patient Monitor Empty Password Vulnerability |
| CVE-2025-4968 | 2025-07-24 | WPBakery Page Builder <= 8.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Page Builder Elements |
| CVE-2025-7852 | 2025-07-24 | WPBookit <= 1.0.6 - Unauthenticated Arbitrary File Upload via image_upload_handle Function |
| CVE-2025-7437 | 2025-07-24 | Ebook Store <= 5.8012 - Unauthenticated Arbitrary File Upload |
| CVE-2025-7001 | 2025-07-24 | Insufficient Granularity of Access Control in GitLab |
| CVE-2025-4976 | 2025-07-24 | Exposure of Sensitive Information Due to Incompatible Policies in GitLab |
| CVE-2025-1299 | 2025-07-24 | Missing Authorization in GitLab |
| CVE-2025-0765 | 2025-07-24 | Incorrect Authorization in GitLab |
| CVE-2025-41240 | 2025-07-24 | Mounted Kubernetes Secrets under a predictable path located within the web server document root |
| CVE-2025-7745 | 2025-07-24 | Modbus TCP buffer overread |
| CVE-2025-8107 | 2025-07-24 | In OceanBase's Oracle tenant mode, a malicious user with specific privileges can achieve privilege escalation to SYS-level access by executing carefully crafted commands. This vulnerability only affects OceanBase tenants in... |
| CVE-2025-8009 | 2025-07-24 | Security Ninja – Secure Firewall & Secure Malware Scanner - 5.201 - 5.242 - Authenticated (Administrator+) Arbitrary File Read |
| CVE-2025-26397 | 2025-07-24 | SolarWinds Observability Self-Hosted Deserialization of Untrusted Data Local Privilege Escalation Vulnerability |
| CVE-2025-5084 | 2025-07-24 | Post Grid Master <= 3.4.13 - Reflected Cross-Site Scripting via argsArray['read_more_text'] |
| CVE-2025-7640 | 2025-07-24 | hiWeb Export Posts <= 0.9.0.0 - Cross-Site Request Forgery to Arbitrary File Deletion |
| CVE-2025-7780 | 2025-07-24 | Ai Engine <= 2.9.4 - Missing URL Scheme Validation to Authenticated (Subscriber+) Arbitrary File Read via simpleTranscribeAudio and get_audio Functions |
| CVE-2025-6441 | 2025-07-24 | Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings \| WebinarIgnition <= 4.03.31 - Unauthenticated Login Token Generation to Authentication Bypass |
| CVE-2025-7966 | 2025-07-24 | Get Youtube Subs <= 3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via subscribe_link_att Function |
| CVE-2025-8071 | 2025-07-24 | Mine CloudVod <= 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via audio Parameter |
| CVE-2025-6380 | 2025-07-24 | ONLYOFFICE Docs 1.1.0 - 2.2.0 - Missing Authorization to Unauthenticated Privilege Escalation via callback Function |
| CVE-2025-7822 | 2025-07-24 | WP Wallcreeper <= 1.6.1 - Missing Authorization to Authenticated (Subscriber+) Cache Enable/Disable |
| CVE-2025-6385 | 2025-07-24 | WP Applink <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via title Parameter |
| CVE-2025-6262 | 2025-07-24 | muse.ai video embedding <= 0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via muse-ai Shortcode |
| CVE-2025-6387 | 2025-07-24 | WP Get The Table <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter |
| CVE-2025-3669 | 2025-07-24 | Supreme Addons for Beaver Builder <= 1.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_qrcodesabb Shortcode |
| CVE-2025-6539 | 2025-07-24 | Voltax Video Player <= 1.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter |
| CVE-2025-6382 | 2025-07-24 | Taeggie Feed <= 0.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Attribute |
| CVE-2025-4608 | 2025-07-24 | Structured Content <= 1.6.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via sc_fs_local_business Shortcode |
| CVE-2025-7695 | 2025-07-24 | Dataverse Integration 2.77 - 2.81 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via reset_password_link REST Route |
| CVE-2025-6588 | 2025-07-24 | FunnelCockpit <= 1.4.2 - Reflected Cross-Site Scripting via `error` Parameter |
| CVE-2025-7835 | 2025-07-24 | iThoughts Advanced Code Editor <= 1.2.10 - Cross-Site Request Forgery to Settings Update |
| CVE-2025-7690 | 2025-07-24 | Affiliate Plus <= 1.3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2025-7959 | 2025-07-24 | Station Pro <= 2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via width and height Parameters |
| CVE-2025-40680 | 2025-07-24 | Encryption of sensitive data in CapillaryScope missing |
| CVE-2025-5243 | 2025-07-24 | Arbitrary File Upload in SMG Software's Information Portal |
| CVE-2025-4822 | 2025-07-24 | SQLi in Bayraktar Solar Energies' ScadaWatt Otopilot |
| CVE-2025-4784 | 2025-07-24 | SQLi in Moderec's Tourtella |
| CVE-2025-8114 | 2025-07-24 | Null pointer dereference in libssh kex session id calculation |
| CVE-2025-36005 | 2025-07-24 | IBM MQ Operator information disclosure |
| CVE-2025-33013 | 2025-07-24 | IBM MQ Operator information disclosure |
| CVE-2025-33109 | 2025-07-24 | IBM i privilege escalation |
| CVE-2025-48732 | 2025-07-24 | An incomplete blacklist exists in the .htaccess sample of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to an arbitrary code execution. An... |
| CVE-2025-25214 | 2025-07-24 | A race condition vulnerability exists in the aVideoEncoder.json.php unzip functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A series of specially crafted HTTP requests can lead to arbitrary... |
| CVE-2025-41420 | 2025-07-24 | A cross-site scripting (xss) vulnerability exists in the userLogin cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary... |
| CVE-2025-36548 | 2025-07-24 | A cross-site scripting (xss) vulnerability exists in the LoginWordPress loginForm cancelUri parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to... |
| CVE-2025-50128 | 2025-07-24 | A cross-site scripting (xss) vulnerability exists in the videoNotFound 404ErrorMsg parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary... |
| CVE-2025-53084 | 2025-07-24 | A cross-site scripting (xss) vulnerability exists in the videosList page parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary... |
| CVE-2025-46410 | 2025-07-24 | A cross-site scripting (xss) vulnerability exists in the managerPlaylists PlaylistOwnerUsersId parameter functionality of WWBN AVideo 14.4 and dev master commit 8a8954ff. A specially crafted HTTP request can lead to arbitrary... |
| CVE-2025-47061 | 2025-07-24 | Adobe Experience Manager \| Cross-site Scripting (Stored XSS) (CWE-79) |
| CVE-2025-46996 | 2025-07-24 | Adobe Experience Manager \| Cross-site Scripting (Stored XSS) (CWE-79) |
| CVE-2025-46993 | 2025-07-24 | Adobe Experience Manager \| Cross-site Scripting (Stored XSS) (CWE-79) |
| CVE-2025-5039 | 2025-07-24 | Privilege Escalation due to Untrusted Search Path Vulnerability |
| CVE-2025-8115 | 2025-07-24 | PHPGurukul Taxi Stand Management System new-autoortaxi-entry-form.php cross site scripting |
| CVE-2025-6998 | 2025-07-24 | Calibre Web 0.6.24 & Autocaliweb 0.7.0 - ReDoS |
| CVE-2025-31953 | 2025-07-24 | HCL iAutomate is affected by hardcoded credentials |
| CVE-2025-7404 | 2025-07-24 | Calibre Web 0.6.24 & Autocaliweb 0.7.0 - Blind C |
| CVE-2025-6260 | 2025-07-24 | Network Thermostat X-Series WiFi Thermostats Missing Authentication for Critical Function |
| CVE-2025-31955 | 2025-07-24 | HCL iAutomate is affected by a sensitive data exposure vulnerability |
| CVE-2025-31952 | 2025-07-24 | HCL iAutomate is affected by an insufficient session expiration |
| CVE-2025-8123 | 2025-07-24 | deerwms deer-wms-2 edit sql injection |
| CVE-2025-32429 | 2025-07-24 | XWiki Platform vulnerable to SQL injection through getdeleteddocuments.vm template sort parameter |
| CVE-2025-3614 | 2025-07-24 | ElementsKit Elementor Addons and Templates <= 3.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Widget |
| CVE-2025-53940 | 2025-07-24 | Quiet uses insecure, inconsistent verification on local backend token |
| CVE-2025-54379 | 2025-07-24 | eKuiper API endpoints handling SQL queries with user-controlled table names. |
| CVE-2025-22165 | 2025-07-24 | This Medium severity ACE (Arbitrary Code Execution) vulnerability was introduced in version 4.2.8 of Sourcetree for Mac. This ACE (Arbitrary Code Execution) vulnerability, with a CVSS Score of 5.9, allows... |
| CVE-2025-0249 | 2025-07-24 | HCL IEM is affected by an improper invalidation of access or JWT token vulnerability |
| CVE-2025-0250 | 2025-07-24 | HCL IEM is affected by an authorization token sent in cookie vulnerability |
| CVE-2025-7742 | 2025-07-24 | Authentication Bypass in LG Innotek Camera |
| CVE-2025-8124 | 2025-07-24 | deerwms deer-wms-2 unallocatedList sql injection |
| CVE-2023-53155 | 2025-07-25 | goform/formTest in EmbedThis GoAhead 2.5 allows HTML injection via the name parameter. |
| CVE-2024-48729 | 2025-07-25 | An issue in ETSI Open-Source MANO (OSM) 14.0.x before 14.0.3, 15.0.x before 15.0.2, 16.0.0, and 17.0.0 allows a remote authenticated attacker to escalate privileges via the /osm/admin/v1/users component. |
| CVE-2024-48730 | 2025-07-25 | The default configuration in ETSI Open-Source MANO (OSM) v.14.x, v.15.x, v.16.x, v.17.x does not impose any restrictions on the authentication attempts performed by the default admin user, allowing a remote... |
| CVE-2025-29628 | 2025-07-25 | An issue in Gardyn 4 allows a remote attacker to obtain sensitive information and execute arbitrary code via a request |
| CVE-2025-29629 | 2025-07-25 | An issue in Gardyn 4 allows a remote attacker to obtain sensitive information and execute arbitrary code via the Gardyn Home component |
| CVE-2025-29630 | 2025-07-25 | An issue in Gardyn 4 allows a remote attacker with the corresponding ssh private key to gain remote root access to affected devices |
| CVE-2025-29631 | 2025-07-25 | An issue in Gardyn 4 allows a remote attacker to execute arbitrary code |
| CVE-2025-30086 | 2025-07-25 | CNCF Harbor 2.13.x before 2.13.1 and 2.12.x before 2.12.4 allows information disclosure by administrators who can exploit an ORM Leak present in the /api/v2.0/users endpoint to leak users' password hash... |
| CVE-2025-30135 | 2025-07-25 | An issue was discovered on IROAD Dashcam FX2 devices. Dumping Files Over HTTP and RTSP Without Authentication can occur. It lacks authentication controls on its HTTP and RTSP interfaces, allowing... |
| CVE-2025-43712 | 2025-07-25 | JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response... |
| CVE-2025-44608 | 2025-07-25 | CloudClassroom-PHP Project v1.0 was discovered to contain a SQL injection vulnerability via the viewid parameter. |
| CVE-2025-45406 | 2025-07-25 | A stored cross-site scripting (XSS) vulnerability in CodeIgniter4 v4.6.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the debugbar_time parameter. NOTE: this is... |
| CVE-2025-45466 | 2025-07-25 | Unitree Go1 <= Go1_2022_05_11 is vulnerable to Incorrect Access Control due to authentication credentials being hardcoded in plaintext. |
| CVE-2025-45467 | 2025-07-25 | Unitree Go1 <= Go1_2022_05_11 is vulnerable to Insecure Permissions as the firmware update functionality (via Wi-Fi/Ethernet) implements an insecure verification mechanism that solely relies on MD5 checksums for firmware integrity... |
| CVE-2025-45777 | 2025-07-25 | An issue in the OTP mechanism of Chavara Family Welfare Centre Chavara Matrimony Site v2.0 allows attackers to bypass authentication via supplying a crafted request. |
| CVE-2025-45892 | 2025-07-25 | OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via the blog editor. The vulnerability arises because input in the blog's editor is not properly sanitized or... |
| CVE-2025-45893 | 2025-07-25 | OpenCart version 4.1.0.4 is vulnerable to a Stored Cross-Site Scripting (XSS) attack via SVG file uploads used in blog posts. The vulnerability arises because SVG files uploaded through the media... |
| CVE-2025-45939 | 2025-07-25 | Apwide Golive 10.2.0 Jira plugin allows Server-Side Request Forgery (SSRF) via the test webhook function. |
| CVE-2025-45960 | 2025-07-25 | Cross Site Scripting vulnerability in tawk.to Live Chat v.1.6.1 allows a remote attacker to execute arbitrary code via the web application stores and displays user-supplied input without proper input validation... |
| CVE-2025-46198 | 2025-07-25 | Cross Site Scripting vulnerability in grav v.1.7.48, v.1.7.47 and v.1.7.46 allows an attacker to execute arbitrary code via the onerror attribute of the img element |
| CVE-2025-46199 | 2025-07-25 | Cross Site Scripting vulnerability in grav v.1.7.48 and before allows an attacker to execute arbitrary code via a crafted script to the form fields |
| CVE-2025-51411 | 2025-07-25 | A reflected cross-site scripting (XSS) vulnerability exists in Institute-of-Current-Students v1.0 via the email parameter in the /postquerypublic endpoint. The application fails to properly sanitize user input before reflecting it in... |
| CVE-2025-52360 | 2025-07-25 | A Cross-Site Scripting (XSS) vulnerability exists in the OPAC search feature of Koha Library Management System v24.05. Unsanitized input entered in the search field is reflected in the search history... |
| CVE-2025-54558 | 2025-07-25 | OpenAI Codex CLI before 0.9.0 auto-approves ripgrep (aka rg) execution even with the --pre or --hostname-bin or --search-zip or -z flag. |
| CVE-2025-54566 | 2025-07-25 | hw/pci/pcie_sriov.c in QEMU through 10.0.3 has a migration state inconsistency, a related issue to CVE-2024-26327. |
| CVE-2025-54567 | 2025-07-25 | hw/pci/pcie_sriov.c in QEMU through 10.0.3 mishandles the VF Enable bit write mask, a related issue to CVE-2024-26327. |
| CVE-2025-54568 | 2025-07-25 | Akamai Rate Control alpha before 2025 allows attackers to send requests above the stipulated thresholds because the rate is measured separately for each edge node. |
| CVE-2025-54596 | 2025-07-25 | Abnormal Security /v1.0/rbac/users_v2/{USER_ID}/ before 2025-02-19 allows downgrading the privileges of other user accounts. |