CVE List - 2025 / July
Showing 301 - 400 of 3776 CVEs for July 2025 (Page 4 of 38)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2025-6074 | 2025-07-03 | Authentication Bypass to the MQTT configuration Web Interface |
| CVE-2025-6073 | 2025-07-03 | Stack Buffer Overflow in MQTTCore |
| CVE-2025-6072 | 2025-07-03 | Stack Buffer Overflow in MQTTCore |
| CVE-2025-6071 | 2025-07-03 | Hard Coded Key used for AES encryption |
| CVE-2025-23968 | 2025-07-03 | WordPress AiBud WP plugin <= 1.8.5 - Arbitrary File Upload vulnerability |
| CVE-2025-53368 | 2025-07-03 | Citizen is vulnerable to stored XSS attack in the legacy search bar |
| CVE-2025-53370 | 2025-07-03 | Citizen stored XSS vulnerability through short descriptions |
| CVE-2025-34061 | 2025-07-03 | PHPStudy 2016-2018 Backdoor Remote Code Execution Vulnerability |
| CVE-2025-34086 | 2025-07-03 | Bolt CMS Authenticated Remote Code Execution via Profile Injection and File Rename |
| CVE-2025-34082 | 2025-07-03 | IGEL OS Secure Terminal and Secure Shadow Remote Code Execution |
| CVE-2025-34088 | 2025-07-03 | Pandora FMS Authenticated Remote Code Execution via Ping Module |
| CVE-2025-34087 | 2025-07-03 | Pi-Hole AdminLTE Whitelist (now 'Web Allowlist') Remote Command Execution |
| CVE-2025-34089 | 2025-07-03 | Remote for Mac Unauthenticated Remote Code Execution via AppleScript Injection |
| CVE-2025-53369 | 2025-07-03 | Citizen Short Description stored XSS vulnerability through wikitext |
| CVE-2025-52554 | 2025-07-03 | n8n Improper Authorization in Workflow Execution Stop Endpoint Allows Terminating Other Users’ Workflows |
| CVE-2025-49005 | 2025-07-03 | Next.js cache poisoning due to omission of Vary header |
| CVE-2025-49826 | 2025-07-03 | Next.js DoS vulnerability via cache poisoning |
| CVE-2025-53367 | 2025-07-03 | DjVuLibre OOB-Write Vulnerability in MMRDecoder |
| CVE-2025-5322 | 2025-07-03 | VikRentCar Car Rental Management System <= 1.4.3 - Authenticated (Administrator+) Arbitrary File Upload |
| CVE-2025-26850 | 2025-07-04 | The agent in Quest KACE Systems Management Appliance (SMA) before 14.0.97 and 14.1.x before 14.1.19 potentially allows privilege escalation on managed systems. |
| CVE-2025-43711 | 2025-07-04 | Tunnelblick 3.5beta06 before 7.0, when incompletely uninstalled, allows attackers to execute arbitrary code as root (upon the next boot) by dragging a crafted Tunnelblick.app file into /Applications. |
| CVE-2025-48172 | 2025-07-04 | CHMLib through 2bef8d0, as used in SumatraPDF and other products, has a chm_lib.c _chm_decompress_block integer overflow. There is a resultant heap-based buffer overflow in _chm_fetch_bytes. |
| CVE-2025-49600 | 2025-07-04 | In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_verify may accept invalid signatures if hash computation fails and internal errors go unchecked, enabling LMS (Leighton-Micali Signature) forgery in a fault scenario. Specifically, unchecked... |
| CVE-2025-49601 | 2025-07-04 | In MbedTLS 3.3.0 before 3.6.4, mbedtls_lms_import_public_key does not check that the input buffer is at least 4 bytes before reading a 32-bit field, allowing a possible out-of-bounds read on truncated... |
| CVE-2025-49809 | 2025-07-04 | mtr through 0.95, in certain privileged contexts, mishandles execution of a program specified by the MTR_PACKET environment variable. NOTE: mtr on macOS may often have Sudo rules, as an indirect... |
| CVE-2025-52496 | 2025-07-04 | Mbed TLS before 3.6.4 has a race condition in AESNI detection if certain compiler optimizations occur. An attacker may be able to extract an AES key from a multithreaded program,... |
| CVE-2025-52497 | 2025-07-04 | Mbed TLS before 3.6.4 has a PEM parsing one-byte heap-based buffer underflow, in mbedtls_pem_read_buffer and two mbedtls_pk_parse functions, via untrusted PEM input. |
| CVE-2025-53602 | 2025-07-04 | Zipkin through 3.5.1 has a /heapdump endpoint (associated with the use of Spring Boot Actuator), a similar issue to CVE-2025-48927. |
| CVE-2025-6786 | 2025-07-04 | DocCheck Login <= 1.1.5 - Unauthorized Post Access |
| CVE-2025-5933 | 2025-07-04 | RD Contacto <= 1.4 - Cross-Site Request Forgery to Settings Update |
| CVE-2025-7046 | 2025-07-04 | Portfolio for Elementor & Image Gallery \| PowerFolio <= 3.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS |
| CVE-2025-6739 | 2025-07-04 | WPQuiz <= 0.4.2 - Authenticated (Contributor+) SQL Injection |
| CVE-2025-6041 | 2025-07-04 | yContributors <= 0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting |
| CVE-2025-6238 | 2025-07-04 | AI Engine 2.8.4 - Insecure OAuth Implementation |
| CVE-2025-5956 | 2025-07-04 | WP Human Resource Management 2.0.0 - 2.2.17 - Missing Authorization to Authenticated (Employee+) Arbitrary User Deletion via ajax_delete_employee Function |
| CVE-2025-6729 | 2025-07-04 | PayMaster for WooCommerce <= 0.4.31 - Authenticated (Subscriber+) Server-Side Request Forgery |
| CVE-2025-6586 | 2025-07-04 | Download Plugin <= 2.2.8 - Authenticated (Administrator+) Arbitrary File Upload |
| CVE-2025-5953 | 2025-07-04 | WP Human Resource Management 2.0.0 - 2.2.17 - Missing Authorization to Authenticated (Employee+) Privilege Escalation via wp_ajax_hrm_insert_employee AJAX Action |
| CVE-2025-6814 | 2025-07-04 | Booking X 1.0 - 1.1.2 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via export_now() Function |
| CVE-2025-6787 | 2025-07-04 | Smart Docs <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-6783 | 2025-07-04 | GoZen Forms <= 1.1.5 - Unauthenticated SQL Injection via emdedSc() |
| CVE-2025-5924 | 2025-07-04 | WP Firebase Push Notification <= 1.2.0 - Cross-Site Request Forgery to Broadcast Notification |
| CVE-2025-6782 | 2025-07-04 | GoZen Forms <= 1.1.5 - Unauthenticated SQL Injection via dirGZActiveForm() |
| CVE-2025-6039 | 2025-07-04 | ProcessingJS for WordPress <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-7053 | 2025-07-04 | Cockpit save cross site scripting |
| CVE-2025-5567 | 2025-07-04 | Shortcodes Ultimate <= 7.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'data-url' Attribute |
| CVE-2025-6944 | 2025-07-04 | Uncode Core <= 2.9.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes |
| CVE-2025-5372 | 2025-07-04 | Libssh: incorrect return code handling in ssh_kdf() in libssh |
| CVE-2025-53599 | 2025-07-04 | Whale browser for iOS before 3.9.1.4206 allows an attacker to execute malicious scripts in the browser via a crafted javascript scheme. |
| CVE-2025-53600 | 2025-07-04 | Whale browser before 4.32.315.22 allows an attacker to bypass the Same-Origin Policy in a dual-tab environment. |
| CVE-2024-11937 | 2025-07-04 | Premium Addons for Elementor <= 4.10.69 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-6673 | 2025-07-04 | Easy restaurant menu manager <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via `nsc_eprm_menu_link` Shortcode |
| CVE-2025-32918 | 2025-07-04 | Livestatus injection in autocomplete endpoint |
| CVE-2025-5351 | 2025-07-04 | Libssh: double free vulnerability in libssh key export functions |
| CVE-2024-9453 | 2025-07-04 | Jenkins-image: sensitive data disclosure when using openshift jenkins image |
| CVE-2025-53566 | 2025-07-04 | WordPress WP Visitor Statistics (Real Time Traffic) plugin <= 7.8 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-53568 | 2025-07-04 | WordPress Radio Station plugin <= 2.5.12 - Cross Site Request Forgery (CSRF) Vulnerability |
| CVE-2025-53569 | 2025-07-04 | WordPress Trust Payments Gateway for WooCommerce (JavaScript Library) plugin <= 1.3.6 - Cross Site Request Forgery (CSRF) Vulnerability |
| CVE-2025-23972 | 2025-07-04 | WordPress Contact Form 7 reCAPTCHA plugin <= 1.2.0 - Cross Site Request Forgery (CSRF) Vulnerability |
| CVE-2025-24735 | 2025-07-04 | WordPress Chatra Live Chat + ChatBot + Cart Saver plugin <= 1.0.11 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-24748 | 2025-07-04 | WordPress All In One Slider Responsive plugin <= 3.7.9 - SQL Injection Vulnerability |
| CVE-2025-24757 | 2025-07-04 | WordPress MyRewards plugin <= 5.4.13.1 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-24764 | 2025-07-04 | WordPress (Simply) Guest Author Name plugin <= 4.36 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-26591 | 2025-07-04 | WordPress WP fancybox plugin <= 1.0.4 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-27326 | 2025-07-04 | WordPress Video Gallery Block – Display your videos as a gallery in a professional way plugin <= 1.1.0 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-27358 | 2025-07-04 | WordPress Frontend File Manager plugin <= 23.2 - Content Injection Vulnerability |
| CVE-2025-28951 | 2025-07-04 | WordPress Bulk Featured Image plugin <= 1.2.1 - Arbitrary File Upload Vulnerability |
| CVE-2025-28957 | 2025-07-04 | WordPress OwnerRez plugin <= 1.2.1 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-28963 | 2025-07-04 | WordPress URL Shortener plugin <= 3.0.7 - Server Side Request Forgery (SSRF) Vulnerability |
| CVE-2025-28967 | 2025-07-04 | WordPress Contact Us page - Contact people LITE plugin <= 3.7.4 - SQL Injection Vulnerability |
| CVE-2025-28969 | 2025-07-04 | WordPress Gallery Widget plugin <= 1.2.1 - SQL Injection Vulnerability |
| CVE-2025-28971 | 2025-07-04 | WordPress Easy Elements Hider plugin <= 2.0 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-29001 | 2025-07-04 | WordPress WooCommerce Shop Page Builder plugin <= 2.27.7 - Broken Access Control Vulnerability |
| CVE-2025-29007 | 2025-07-04 | WordPress LMSACE Connect plugin <= 3.4 - Broken Access Control Vulnerability |
| CVE-2025-29012 | 2025-07-04 | WordPress CF7 7 Mailchimp Add-on plugin <= 2.2 - Broken Access Control Vulnerability |
| CVE-2025-30929 | 2025-07-04 | WordPress fluXtore plugin <= 1.6.0 - Broken Access Control Vulnerability |
| CVE-2025-30943 | 2025-07-04 | WordPress Posts Slider Shortcode plugin <= 1.0 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-30947 | 2025-07-04 | WordPress Cool fade popup plugin <= 10.1 - SQL Injection Vulnerability |
| CVE-2025-30969 | 2025-07-04 | WordPress iFrame Images Gallery plugin <= 9.0 - SQL Injection Vulnerability |
| CVE-2025-30979 | 2025-07-04 | WordPress Pixelating image slideshow gallery plugin <= 8.0 - SQL Injection Vulnerability |
| CVE-2025-30983 | 2025-07-04 | WordPress Card flip image slideshow plugin <= 1.5 - Cross Site Scripting (XSS) Vulnerability |
| CVE-2025-5920 | 2025-07-04 | Sharable Password Protected Posts < 1.1.1 - Unauthenticated Password Protect Post Access |
| CVE-2025-38174 | 2025-07-04 | thunderbolt: Do not double dequeue a configuration request |
| CVE-2025-38175 | 2025-07-04 | binder: fix yet another UAF in binder_devices |
| CVE-2025-38176 | 2025-07-04 | binder: fix use-after-free in binderfs_evict_inode() |
| CVE-2025-7060 | 2025-07-04 | Monitorr Installer mkdbajax.php input validation |
| CVE-2025-49431 | 2025-07-04 | WordPress MF Plus WPML <= 1.1 - Settings Change Vulnerability |
| CVE-2025-49418 | 2025-07-04 | WordPress Allmart <= 1.0.0 - Server Side Request Forgery (SSRF) Vulnerability |
| CVE-2025-49417 | 2025-07-04 | WordPress WooCommerce Product Multi-Action <= 1.3 - Deserialization of untrusted data Vulnerability |
| CVE-2025-49414 | 2025-07-04 | WordPress FW Gallery <= 8.0.0 - Arbitrary File Upload Vulnerability |
| CVE-2025-49070 | 2025-07-04 | WordPress Elessi < 6.4.1 - Local File Inclusion Vulnerability |
| CVE-2025-4414 | 2025-07-04 | WordPress CMSMasters Content Composer < 2.5.7 - Local File Inclusion Vulnerability |
| CVE-2025-52833 | 2025-07-04 | WordPress LMS <= 9.1 - SQL Injection Vulnerability |
| CVE-2025-52832 | 2025-07-04 | WordPress NGG Smart Image Search <= 3.4.1 - SQL Injection Vulnerability |
| CVE-2025-52831 | 2025-07-04 | WordPress Video List Manager <= 1.7 - SQL Injection Vulnerability |
| CVE-2025-52830 | 2025-07-04 | WordPress bSecure – Your Universal Checkout <= 1.7.9 - SQL Injection Vulnerability |
| CVE-2025-52828 | 2025-07-04 | WordPress Red Art <= 3.7 - PHP Object Injection Vulnerability |
| CVE-2025-52813 | 2025-07-04 | WordPress MobiLoud <= 4.6.5 - Broken Access Control Vulnerability |
| CVE-2025-52807 | 2025-07-04 | WordPress Kossy - Minimalist eCommerce WordPress Theme <= 1.45 - Local File Inclusion Vulnerability |
| CVE-2025-52805 | 2025-07-04 | WordPress Leyka <= 3.31.9 - Local File Inclusion Vulnerability |