CVE List - 2025 / August
Showing 1 - 100 of 3631 CVEs for August 2025 (Page 1 of 37)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2019-19145 | 2025-08-01 | Quantum SuperLoader 3 V94.0 005E.0h devices allow attackers to access the hardcoded fa account because there are only 65536 possible passwords. |
| CVE-2023-44976 | 2025-08-01 | Hangzhou Shunwang Rentdrv2 before 2024-12-24 allows local users to terminate EDR processes and possibly have unspecified other impact via DeviceIoControl with control code 0x22E010, as exploited in the wild in... |
| CVE-2025-44139 | 2025-08-01 | Emlog Pro V2.5.7 is vulnerable to Unrestricted Upload of File with Dangerous Type via /emlog/admin/plugin.php?action=upload_zip |
| CVE-2025-45150 | 2025-08-01 | Insecure permissions in LangChain-ChatGLM-Webui commit ef829 allows attackers to arbitrarily view and download sensitive files via supplying a crafted request. |
| CVE-2025-45767 | 2025-08-01 | jose v6.0.10 was discovered to contain weak encryption. NOTE: this is disputed by a third party because the claim of "do not meet recommended security standards" does not reflect guidance... |
| CVE-2025-45778 | 2025-08-01 | A stored cross-site scripting (XSS) vulnerability in The Language Sloth Web Application v1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Description... |
| CVE-2025-46018 | 2025-08-01 | CSC Pay Mobile App 2.19.4 (fixed in version 2.20.0) contains a vulnerability allowing users to bypass payment authorization by disabling Bluetooth at a specific point during a transaction. This could... |
| CVE-2025-50460 | 2025-08-01 | A remote code execution (RCE) vulnerability exists in the ms-swift project version 3.3.0 due to unsafe deserialization in tests/run.py using yaml.load() from the PyYAML library (versions = 5.3.1). If an... |
| CVE-2025-50472 | 2025-08-01 | The modelscope/ms-swift library thru 2.6.1 is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_model_meta()` function of the `ModelFileSystemCache()` class. Attackers can execute arbitrary code and... |
| CVE-2025-50868 | 2025-08-01 | A SQL Injection vulnerability exists in the takeassessment2.php file of CloudClassroom-PHP-Project 1.0. The Q4 POST parameter is not properly sanitized before being used in SQL queries. |
| CVE-2025-50869 | 2025-08-01 | A stored Cross-Site Scripting (XSS) vulnerability exists in the qureydetails.php page of Institute-of-Current-Students 1.0, where the input fields for Query and Answer do not properly sanitize user input. Authenticated users... |
| CVE-2025-50870 | 2025-08-01 | Institute-of-Current-Students 1.0 is vulnerable to Incorrect Access Control in the mydetailsstudent.php endpoint. The myds GET parameter accepts an email address as input and directly returns the corresponding student's personal information... |
| CVE-2025-51501 | 2025-08-01 | Reflected Cross-Site Scripting (XSS) in the id parameter of the live_edit.module_settings API endpoint in Microweber CMS2.0 allows execution of arbitrary JavaScript. |
| CVE-2025-51502 | 2025-08-01 | Reflected Cross-Site Scripting (XSS) in Microweber CMS 2.0 via the layout parameter on the /admin/page/create page allows arbitrary JavaScript execution in the context of authenticated admin users. |
| CVE-2025-51504 | 2025-08-01 | Microweber CMS 2.0 is vulnerable to Cross Site Scripting (XSS)in the /projects/profile, homepage endpoint via the last name field. |
| CVE-2025-52327 | 2025-08-01 | SQL Injection vulnerability in Restaurant Order System 1.0 allows a local attacker to obtain sensitive information via the payment.php file |
| CVE-2025-52361 | 2025-08-01 | Insecure permissions in the script /etc/init.d/lighttpd in AK-Nord USB-Server-LXL Firmware v0.0.16 Build 2023-03-13 allows a locally authenticated low-privilege user to execute arbitrary commands with root privilege via editing this script... |
| CVE-2025-52390 | 2025-08-01 | Saurus CMS Community Edition since commit d886e5b0 (2010-04-23) is vulnerable to a SQL Injection vulnerability in the `prepareSearchQuery()` method in `FulltextSearch.class.php`. The application directly concatenates user-supplied input (`$search_word`) into SQL... |
| CVE-2025-53399 | 2025-08-01 | In Sipwise rtpengine before 13.4.1.1, an origin-validation error in the endpoint-learning logic of the media-relay core allows remote attackers to inject or intercept RTP/SRTP media streams via RTP packets (except... |
| CVE-2025-54564 | 2025-08-01 | uploadsm in ChargePoint Home Flex 5.5.4.13 does not validate a user-controlled string for bz2 decompression, which allows command execution as the nobody user. |
| CVE-2025-54939 | 2025-08-01 | LiteSpeed QUIC (LSQUIC) Library before 4.3.1 has an lsquic_engine_packet_in memory leak. |
| CVE-2025-8431 | 2025-08-01 | PHPGurukul Boat Booking System add-boat.php sql injection |
| CVE-2025-5954 | 2025-08-01 | Service Finder SMS System <= 2.0.0 - Unauthenticated Privilege Escalation |
| CVE-2025-8433 | 2025-08-01 | code-projects Document Management System dell.php unlink path traversal |
| CVE-2025-5947 | 2025-08-01 | Service Finder Bookings <= 6.0 - Authentication Bypass via User Switch Cookie |
| CVE-2025-8434 | 2025-08-01 | code-projects Online Movie Streaming admin.php authorization |
| CVE-2025-7725 | 2025-08-01 | Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI <= 26.1.0 - Unauthenticated Stored Cross-Site Scripting |
| CVE-2025-7443 | 2025-08-01 | BerqWP <= 2.2.42 - Unauthenticated Arbitrary File Upload |
| CVE-2025-4523 | 2025-08-01 | IDonate 2.0.0 - 2.1.9 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via admin_donor_profile_view Function |
| CVE-2025-7845 | 2025-08-01 | Stratum – Elementor Widgets <= 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Google Maps and Image Hotspot Widgets |
| CVE-2025-8435 | 2025-08-01 | code-projects Online Movie Streaming admin-control.php authorization |
| CVE-2025-8436 | 2025-08-01 | projectworlds Online Admission System viewdoc.php sql injection |
| CVE-2025-8454 | 2025-08-01 | It was discovered that uscan, a tool to scan/watch upstream sources for new releases of software, included in devscripts (a collection of scripts to make the life of a Debian... |
| CVE-2025-31716 | 2025-08-01 | In bootloader, there is a possible out of bounds write due to a missing bounds check. This could lead to local denial of service with no additional execution privileges needed. |
| CVE-2025-5921 | 2025-08-01 | SureForms < 1.7.2 - Reflected XSS |
| CVE-2025-8437 | 2025-08-01 | code-projects Kitchen Treasure userregistration.php sql injection |
| CVE-2025-8438 | 2025-08-01 | code-projects Wazifa System postpublish.php sql injection |
| CVE-2025-7646 | 2025-08-01 | The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 6.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-8439 | 2025-08-01 | code-projects Wazifa System updatesettings.php sql injection |
| CVE-2025-8441 | 2025-08-01 | code-projects Online Medicine Guide pharsignup.php sql injection |
| CVE-2025-8442 | 2025-08-01 | code-projects Online Medicine Guide cussignup.php sql injection |
| CVE-2025-8443 | 2025-08-01 | code-projects Online Medicine Guide login.php sql injection |
| CVE-2025-6398 | 2025-08-01 | A null pointer dereference vulnerability exists in the IOMap64.sys driver of ASUS AI Suite 3. The vulnerability can be triggered by a specially crafted input, which may lead to a... |
| CVE-2025-4684 | 2025-08-01 | BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites <= 3.2.13.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Carousel and Image Slider Widgets |
| CVE-2025-6228 | 2025-08-01 | Sina Extension for Elementor <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Sina Posts`, `Sina Blog Post` and `Sina Table` Widgets |
| CVE-2025-41370 | 2025-08-01 | SQL injection vulnerability in Gandia Integra Total |
| CVE-2025-41371 | 2025-08-01 | SQL injection vulnerability in Gandia Integra Total |
| CVE-2025-41372 | 2025-08-01 | SQL injection vulnerability in Gandia Integra Total |
| CVE-2025-41373 | 2025-08-01 | SQL injection vulnerability in Gandia Integra Total |
| CVE-2025-41374 | 2025-08-01 | SQL injection vulnerability in Gandia Integra Total |
| CVE-2025-41375 | 2025-08-01 | SQL Injection in Limesurvey |
| CVE-2025-41376 | 2025-08-01 | CRLF Injection in Limesurvey |
| CVE-2025-48074 | 2025-08-01 | OpenEXR's Unbounded File Header Values can Lead to Out-Of-Memory Errors |
| CVE-2025-33118 | 2025-08-01 | IBM QRadar SIEM cross-site scripting |
| CVE-2023-32256 | 2025-08-01 | Kernel: ksmbd race issue from smb2 close and logoff with multichannel |
| CVE-2025-8472 | 2025-08-01 | Alpine iLX-507 vCard Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
| CVE-2025-8473 | 2025-08-01 | Alpine iLX-507 UPDM_wstpCBCUpdStart Command Injection Vulnerability |
| CVE-2025-8474 | 2025-08-01 | Alpine iLX-507 CarPlay Stack-based Buffer Overflow Code Execution Vulnerability |
| CVE-2025-8475 | 2025-08-01 | Alpine iLX-507 AVRCP Stack-based Buffer Overflow Remote Code Execution Vulnerability |
| CVE-2025-8476 | 2025-08-01 | Alpine iLX-507 TIDAL Improper Certificate Validation Vulnerability |
| CVE-2025-8480 | 2025-08-01 | Alpine iLX-507 Command Injection Remote Code Execution |
| CVE-2025-8477 | 2025-08-01 | Alpine iLX-507 vCard Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability |
| CVE-2025-5999 | 2025-08-01 | Vault Root Namespace Operator May Elevate Token Privileges |
| CVE-2025-6000 | 2025-08-01 | Arbitrary Remote Code Execution via Plugin Catalog Abuse |
| CVE-2025-2824 | 2025-08-01 | IBM Operational Decision Manager HTTP open redirect |
| CVE-2025-6014 | 2025-08-01 | Vault TOTP Secrets Engine Code Reuse |
| CVE-2025-6037 | 2025-08-01 | Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates |
| CVE-2025-6004 | 2025-08-01 | Vault Userpass and LDAP User Lockout Bypass |
| CVE-2025-49832 | 2025-08-01 | Asterisk is Vulnerable to Remote DoS and possible RCE Attacks During Memory Allocation |
| CVE-2025-53009 | 2025-08-01 | MaterialX Stack Overflow via Lack of MTLX XML Parsing Recursion Limit |
| CVE-2025-53010 | 2025-08-01 | MaterialX's unchecked nodeGraph->getOutput return is vulnerable to NULL Pointer Dereference |
| CVE-2025-53011 | 2025-08-01 | MaterialX is Vulnerable to NULL Pointer Dereference due to Unchecked implGraphOutput |
| CVE-2025-6011 | 2025-08-01 | Timing Side-Channel in Vault’s Userpass Auth Method |
| CVE-2025-53012 | 2025-08-01 | MaterialX's Lack of Import Depth Limit Leads to DoS (Denial-Of-Service) Via Stack Exhaustion |
| CVE-2025-54574 | 2025-08-01 | Squid's URN Handling can lead to Buffer Overflow |
| CVE-2025-54590 | 2025-08-01 | webfinger.js is vulnerable to Blind SSRF attacks through localhost |
| CVE-2025-6015 | 2025-08-01 | Vault Login MFA Bypass of Rate Limiting and TOTP Code Reuse |
| CVE-2025-54593 | 2025-08-01 | FreshRSS is vulnerable to RCE attacks by authenticated admin |
| CVE-2025-54595 | 2025-08-01 | Pearcleaner's unauthenticated access to privileged XPC helper allows root command execution |
| CVE-2013-10046 | 2025-08-01 | Agnitum Outpost Internet Security Local Privilege Escalation |
| CVE-2013-10059 | 2025-08-01 | D-Link Routers tools_vct.htm OS Command Injection |
| CVE-2013-10050 | 2025-08-01 | D-Link Devices tools_vct.xgi Unauthenticated RCE |
| CVE-2013-10048 | 2025-08-01 | D-Link Devices command.php Unauthenticated RCE |
| CVE-2013-10055 | 2025-08-01 | Havalite CMS Arbitary File Upload RCE |
| CVE-2013-10051 | 2025-08-01 | InstantCMS <= 1.6 Remote PHP Code Execution |
| CVE-2012-10022 | 2025-08-01 | Kloxo <= 6.1.12 Local Privilege Escalation |
| CVE-2013-10062 | 2025-08-01 | Linksys Routers apply.cgi Path Traversal |
| CVE-2013-10058 | 2025-08-01 | Linksys Routers apply.cgi Remote Command Injection |
| CVE-2013-10047 | 2025-08-01 | MiniWeb <= Build 300 Arbitrary File Upload |
| CVE-2013-10061 | 2025-08-01 | Netgear Routers setup.cgi RCE |
| CVE-2013-10060 | 2025-08-01 | Netgear Routers pppoe.cgi RCE |
| CVE-2013-10063 | 2025-08-01 | Netgear SPH200D <= 1.0.4.80 Path Traversal via HTTP GET |
| CVE-2013-10044 | 2025-08-01 | OpenEMR ≤ 4.1.1 SQL Injection Privilege Escalation and RCE |
| CVE-2013-10049 | 2025-08-01 | Raidsonic NAS Devices Unauthenticated Remote Command Execution |
| CVE-2013-10057 | 2025-08-01 | Synactis PDF In-The-Box ConnectToSynactic Stack-Based Buffer Overflow |
| CVE-2013-10053 | 2025-08-01 | ZPanel <= 10.0.0.2 htpasswd Module Username Command Execution |
| CVE-2024-13978 | 2025-08-01 | LibTIFF fax2ps tiff2pdf.c t2p_read_tiff_init null pointer dereference |
| CVE-2025-54792 | 2025-08-01 | LocalSend is Vulnerable to Man-in-the-Middle Attacks, Leading to File Interception |
| CVE-2025-54424 | 2025-08-01 | 1Panel Agent Bypasses Certificate Verification Leading to Arbitrary Command Execution |
| CVE-2025-54131 | 2025-08-01 | Cursor bypasses its allow list to execute arbitrary commands |