CVE List - 2025 / September
Showing 2401 - 2500 of 4322 CVEs for September 2025 (Page 25 of 44)
| CVE ID | Date | Title |
|---|---|---|
| CVE-2022-50350 | 2025-09-16 | scsi: target: iscsi: Fix a race condition between login_work and the login thread |
| CVE-2022-50351 | 2025-09-16 | cifs: Fix xid leak in cifs_create() |
| CVE-2022-50352 | 2025-09-16 | net: hns: fix possible memory leak in hnae_ae_register() |
| CVE-2023-53304 | 2025-09-16 | netfilter: nft_set_rbtree: fix overlap expiration walk |
| CVE-2023-53305 | 2025-09-16 | Bluetooth: L2CAP: Fix use-after-free |
| CVE-2023-53306 | 2025-09-16 | fsdax: force clear dirty mark if CoW |
| CVE-2023-53307 | 2025-09-16 | rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails |
| CVE-2023-53308 | 2025-09-16 | net: fec: Better handle pm_runtime_get() failing in .remove() |
| CVE-2023-53309 | 2025-09-16 | drm/radeon: Fix integer overflow in radeon_cs_parser_init |
| CVE-2023-53310 | 2025-09-16 | power: supply: axp288_fuel_gauge: Fix external_power_changed race |
| CVE-2023-53311 | 2025-09-16 | nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput |
| CVE-2023-53312 | 2025-09-16 | net: fix net_dev_start_xmit trace event vs skb_transport_offset() |
| CVE-2023-53313 | 2025-09-16 | md/raid10: fix wrong setting of max_corr_read_errors |
| CVE-2023-53314 | 2025-09-16 | fbdev/ep93xx-fb: Do not assign to struct fb_info.dev |
| CVE-2023-53315 | 2025-09-16 | wifi: ath11k: Fix SKB corruption in REO destination ring |
| CVE-2023-53316 | 2025-09-16 | drm/msm/dp: Free resources after unregistering them |
| CVE-2023-53317 | 2025-09-16 | ext4: fix WARNING in mb_find_extent |
| CVE-2023-53318 | 2025-09-16 | recordmcount: Fix memory leaks in the uwrite function |
| CVE-2023-53319 | 2025-09-16 | KVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm |
| CVE-2023-53320 | 2025-09-16 | scsi: mpi3mr: Fix issues in mpi3mr_get_all_tgt_info() |
| CVE-2023-53321 | 2025-09-16 | wifi: mac80211_hwsim: drop short frames |
| CVE-2023-53322 | 2025-09-16 | scsi: qla2xxx: Wait for io return on terminate rport |
| CVE-2023-53323 | 2025-09-16 | ext2/dax: Fix ext2_setsize when len is page aligned |
| CVE-2023-53324 | 2025-09-16 | drm/msm/mdp5: Don't leak some plane state |
| CVE-2023-53325 | 2025-09-16 | drm/mediatek: dp: Change logging to dev for mtk_dp_aux_transfer() |
| CVE-2023-53326 | 2025-09-16 | powerpc: Don't try to copy PPR for task with NULL pt_regs |
| CVE-2023-53327 | 2025-09-16 | iommufd/selftest: Catch overflow of uptr and length |
| CVE-2023-53328 | 2025-09-16 | fs/ntfs3: Enhance sanity check while generating attr_list |
| CVE-2023-53329 | 2025-09-16 | workqueue: fix data race with the pwq->stats[] increment |
| CVE-2023-53330 | 2025-09-16 | caif: fix memory leak in cfctrl_linkup_request() |
| CVE-2023-53331 | 2025-09-16 | pstore/ram: Check start of empty przs during init |
| CVE-2023-53332 | 2025-09-16 | genirq/ipi: Fix NULL pointer deref in irq_data_get_affinity_mask() |
| CVE-2023-53333 | 2025-09-16 | netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one |
| CVE-2023-53334 | 2025-09-16 | USB: chipidea: fix memory leak with using debugfs_lookup() |
| CVE-2025-59050 | 2025-09-16 | Greenshot — Insecure .NET deserialization via WM_COPYDATA enables local code execution |
| CVE-2025-58174 | 2025-09-16 | LAM profile editor stored cross-site scripting vulnerability |
| CVE-2025-59160 | 2025-09-16 | matrix-js-sdk has insufficient validation when considering a room to be upgraded by another |
| CVE-2025-10492 | 2025-09-16 | Jaspersoft Library Deserialisation Vulnerability |
| CVE-2025-59161 | 2025-09-16 | In Element Web and Element Desktop, a malicious room can hide an unrelated room and cause it to be left when the malicious room is left |
| CVE-2025-59334 | 2025-09-16 | Linkr allows manifest tampering leading to arbitrary file injection |
| CVE-2025-59336 | 2025-09-16 | Relative Path Traversal in Luanox |
| CVE-2025-54262 | 2025-09-16 | Substance3D - Stager | Out-of-bounds Read (CWE-125) |
| CVE-2025-54237 | 2025-09-16 | Substance3D - Stager | Out-of-bounds Read (CWE-125) |
| CVE-2025-47967 | 2025-09-16 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability |
| CVE-2025-49728 | 2025-09-16 | Microsoft PC Manager Security Feature Bypass Vulnerability |
| CVE-2025-10562 | 2025-09-16 | Campcodes Grocery Sales and Inventory System ajax.php sql injection |
| CVE-2025-34183 | 2025-09-16 | Ilevia EVE X1 Server 4.7.18.0.eden Credentials Leak Through Log Disclosure |
| CVE-2025-34184 | 2025-09-16 | Ilevia EVE X1 Server 4.7.18.0.eden Neuro-Core Unauthenticated Code Injection |
| CVE-2025-34185 | 2025-09-16 | Ilevia EVE X1 Server 4.7.18.0.eden Unauthenticated File Disclosure |
| CVE-2025-34186 | 2025-09-16 | Ilevia EVE X1/X5 Server 4.7.18.0.eden Authentication Bypass |
| CVE-2025-34187 | 2025-09-16 | Ilevia EVE X1/X5 Server 4.7.18.0.eden Reverse Rootshell |
| CVE-2025-10563 | 2025-09-16 | Campcodes Grocery Sales and Inventory System ajax.php sql injection |
| CVE-2025-10564 | 2025-09-16 | Campcodes Grocery Sales and Inventory System ajax.php sql injection |
| CVE-2025-10565 | 2025-09-16 | Campcodes Grocery Sales and Inventory System ajax.php sql injection |
| CVE-2025-9708 | 2025-09-16 | Kubernetes C# Client: improper certificate validation in custom CA mode may lead to man-in-the-middle attacks |
| CVE-2025-10566 | 2025-09-16 | Campcodes Grocery Sales and Inventory System index.php cross site scripting |
| CVE-2025-43805 | 2025-09-16 | Liferay Portal 7.3.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, and 7.3 GA through update 35 does not perform an authorization check when... |
| CVE-2025-37131 | 2025-09-16 | Authenticated Arbitrary File Read allows Data Exposure in CLI Interface |
| CVE-2025-37126 | 2025-09-16 | Authenticated Remote Code Execution in HPE Aruba Networking EdgeConnect SD-WAN Gateways Command Line Interface |
| CVE-2025-37130 | 2025-09-16 | Unrestricted Binary allows File Enumeration in Underlying Operating System |
| CVE-2025-37127 | 2025-09-16 | Authenticated Replay Attack contains Cryptographic Vulnerability |
| CVE-2025-37129 | 2025-09-16 | Authenticated Remote Code Execution allows Exploit in Scripts Feature |
| CVE-2025-37128 | 2025-09-16 | Authenticated Arbitrary Process Termination allows potential System Disruption in ECOS |
| CVE-2025-43804 | 2025-09-16 | Cross-site scripting (XSS) vulnerability in Search widget in Liferay Portal 7.4.3.93 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4 allows remote attackers to inject arbitrary web script or HTML... |
| CVE-2025-37124 | 2025-09-16 | Unauthenticated Access Vulnerability allows Transit Traffic Misrouting in SD-WAN Edge Interface |
| CVE-2025-37123 | 2025-09-16 | Authenticated Command Injection leads to Unauthorized Actions in CLI Interface |
| CVE-2025-37125 | 2025-09-16 | Broken access control vulnerability in Firewall Configuration Leads to Unauthorized Access to Internal Network Resources |
| CVE-2025-50709 | 2025-09-17 | An issue in Perplexity AI GPT-4 allows a remote attacker to obtain sensitive information via a GET parameter |
| CVE-2025-54390 | 2025-09-17 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the ResetPasswordRequest operation of Zimbra Collaboration (ZCS) when the zimbraFeatureResetPasswordStatus attribute is enabled. An attacker can exploit this by tricking an authenticated... |
| CVE-2025-55904 | 2025-09-17 | Open5GS v2.7.5, prior to commit 67ba7f92bbd7a378954895d96d9d7b05d5b64615, is vulnerable to a NULL pointer dereference when a multipart/related HTTP POST request with an empty HTTP body is sent to the SBI of... |
| CVE-2025-56648 | 2025-09-17 | npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when... |
| CVE-2025-57055 | 2025-09-17 | WonderCMS 3.5.0 is vulnerable to Server-Side Request Forgery (SSRF) in the custom module installation functionality. An authenticated administrator can supply a malicious URL via the pluginThemeUrl POST parameter. The server... |
| CVE-2025-59304 | 2025-09-17 | A directory traversal issue in Swetrix Web Analytics API 3.1.1 before 7d8b972 allows a remote attacker to achieve Remote Code Execution via a crafted HTTP request. |
| CVE-2025-59518 | 2025-09-17 | In LemonLDAP::NG before 2.16.7 and 2.17 through 2.21 before 2.21.3, OS command injection can occur in the Safe jail. It does not Localize _ during rule evaluation. Thus, an administrator... |
| CVE-2025-10166 | 2025-09-17 | Social Media Shortcodes <= 1.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-8394 | 2025-09-17 | Productive Style <= 1.1.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via display_productive_breadcrumb Shortcode |
| CVE-2025-10143 | 2025-09-17 | Catch Dark Mode <= 2.0 - Authenticated (Contributor+) Local File Inclusion |
| CVE-2025-9851 | 2025-09-17 | Appointmind <= 4.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-10050 | 2025-09-17 | Developer Loggers for Simple History <= 0.5 - Authenticated (Admin+) Local File Inclusion |
| CVE-2025-9629 | 2025-09-17 | USS Upyun <= 1.5.0 - Cross-Site Request Forgery |
| CVE-2025-9891 | 2025-09-17 | User Sync – Remote User Sync <= 1.0.2 - Cross-Site Request Forgery to Plugin Deactivation |
| CVE-2025-8153 | 2025-09-17 | Cross-site Scripting vulnerability in NEC Corporation UNIVERGE IX from Ver.9.5 to Ver.10.7, from Ver.10.8.21 to Ver.10.8.36, from Ver.10.9.11 to Ver.10.9.24, from Ver.10.10.21 to Ver.10.10.31, Ver.10.11.6 and UNIVERGE IX-R/IX-V Ver1.3.16, Ver1.3.21... |
| CVE-2025-10584 | 2025-09-17 | Portabilis i-Educar educar_calendario_anotacao_cad.php cross site scripting |
| CVE-2025-9818 | 2025-09-17 | Vulnerability caused by unquoted file paths of Windows services registered by the Uninterruptible Power Supply (UPS) management application |
| CVE-2025-55075 | 2025-09-17 | Hidden functionality issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, SSH may be enabled by a remote authenticated attacker. |
| CVE-2025-58116 | 2025-09-17 | Improper neutralization of special elements used in an OS command ('OS Command Injection') issue exists in WN-7D36QR and WN-7D36QR/UE. If this vulnerability is exploited, an arbitrary OS command may be... |
| CVE-2025-10589 | 2025-09-17 | N-Partner|N-Reporter, N-Cloud, N-Probe - OS Command Injection |
| CVE-2025-10188 | 2025-09-17 | The Hack Repair Guy's Plugin Archiver <= 2.0.4 - Cross-Site Request Forgery to Arbitrary Directory Deletion in /wp-content |
| CVE-2025-10125 | 2025-09-17 | Memberlite Shortcodes <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting |
| CVE-2025-59307 | 2025-09-17 | RAID Manager provided by Century Corporation registers a Windows service with an unquoted file path. A user with the write permission on the root directory of the system drive may... |
| CVE-2025-10042 | 2025-09-17 | Quiz Maker <= 6.7.0.56 - Unauthenticated SQL Injection |
| CVE-2025-10058 | 2025-09-17 | WP Import – Ultimate CSV XML Importer for WordPress <= 7.27 - Authenticated (Subscriber+) Arbitrary File Deletion |
| CVE-2025-10057 | 2025-09-17 | WP Import – Ultimate CSV XML Importer for WordPress 7.20 - 7.28 - Authenticated (Subscriber+) Remote Code Execution via Code Injection |
| CVE-2025-9447 | 2025-09-17 | Out-Of-Bounds Read affecting the PAR file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025 |
| CVE-2025-9449 | 2025-09-17 | Use After Free vulnerability affecting the PAR file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025 |
| CVE-2025-9450 | 2025-09-17 | Use of Uninitialized Variable vulnerability affecting the JT file reading procedure in SOLIDWORKS eDrawings on Release SOLIDWORKS Desktop 2025 |
| CVE-2025-9215 | 2025-09-17 | StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Download |
| CVE-2025-9203 | 2025-09-17 | Media Player Addons for Elementor <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widget Fields |
| CVE-2025-9216 | 2025-09-17 | StoreEngine – Powerful WordPress eCommerce Plugin for Payments, Memberships, Affiliates, Sales & More <= 1.5.0 - Authenticated (Subscriber+) Arbitrary File Upload |
| CVE-2025-9565 | 2025-09-17 | Blocksy Companion <= 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via blocksy_newsletter_subscribe Shortcode |