Vulnerabilities (CVE)

Total 304758 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-55402 2025-08-06 N/A N/A
4C Strategies Exonaut before v22.4 was discovered to contain an access control issue.
CVE-2024-55398 2025-08-06 N/A N/A
4C Strategies Exonaut before v22.4 was discovered to contain insecure permissions.
CVE-2025-54879 2025-08-06 N/A N/A
Mastodon is a free, open-source social network server based on ActivityPub that supports LDAP configuration for authentication. In versions 3.1.5 through 4.2.24, 4.3.0 through 4.3.11 and 4.4.0 through 4.4.3, Mastodon's rate-limiting system has a critical configuration error: the email-based throttle for confirmation emails incorrectly checks the password reset path instead of the confirmation path, effectively disabling per-email limits for confirmation requests. This allows attackers to bypass rate limits by rotating IP addresses and send unlimited confirmation emails to any email address, as only a weak IP-based throttle (25 requests per 5 minutes) remains active. The vulnerability enables denial-of-service attacks that can overwhelm mail queues and facilitates user harassment through confirmation email spam. This is fixed in versions 4.2.24, 4.3.11 and 4.4.3.
CVE-2025-51052 2025-08-06 N/A N/A
A path traversal vulnerability in Vedo Suite 2024.17 allows remote authenticated attackers to read arbitrary filesystem files by exploiting an unsanitized 'file_get_contents()' function call in '/api_vedo/template'.
CVE-2025-7769 2025-08-06 N/A N/A
Tigo Energy's CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure.
CVE-2024-55399 2025-08-06 N/A N/A
4C Strategies Exonaut before v21.6.2.1-1 was discovered to contain a Server-Side Request Forgery (SSRF).
CVE-2024-8244 2025-08-06 N/A N/A
The filepath.Walk and filepath.WalkDir functions are documented as not following symbolic links, but both functions are susceptible to a TOCTOU (time of check/time of use) race condition where a portion of the path being walked is replaced with a symbolic link while the walk is in progress.
CVE-2024-58261 1 Sequoia-pgp 1 Sequoia-openpgp 2025-08-06 N/A 7.5 HIGH
The sequoia-openpgp crate 1.13.0 before 1.21.0 for Rust allows an infinite loop of "Reading a cert: Invalid operation: Not a Key packet" messages for RawCertParser operations that encounter an unsupported primary key type.
CVE-2025-50738 1 Usememos 1 Memos 2025-08-06 N/A N/A
The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be exploited by an attacker to disclose the viewing user's IP address, browser User-Agent string, and potentially other request-specific information to the attacker-controlled server, leading to information disclosure and user tracking.
CVE-2025-52358 1 Vivaldigroup 3 Icontrol+ Server, Vivaldi Domotica Icontrol, Vivaldi Domotica Icontrol Firmware 2025-08-06 N/A N/A
A cross-site scripting vulnerability exists in Vivaldi United Group iCONTROL+ Server, including Firmware version 4.7.8.0.eden and Logic version 5.32 and below. This issue allows attackers to inject JavaScript payloads within the error or edit-menu-item parameters, which are then executed in the victim's browser session.
CVE-2025-28172 1 Grandstream 2 Ucm6510, Ucm6510 Firmware 2025-08-06 N/A N/A
Grandstream Networks UCM6510 v1.0.20.52 and before is vulnerable to Improper Restriction of Excessive Authentication Attempts. An attacker can perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the targeted account using a brute force attack.
CVE-2024-42645 1 Flashmq 1 Flashmq 2025-08-06 N/A N/A
An issue in FlashMQ v1.14.0 allows attackers to cause an assertion failure via sending a crafted retain message, leading to a Denial of Service (DoS).
CVE-2024-42644 1 Flashmq 1 Flashmq 2025-08-06 N/A N/A
FlashMQ v1.14.0 was discovered to contain an assertion failure in the function PublishCopyFactory::getNewPublish, which occurs when the QoS value of the publish object is greater than 0.
CVE-2025-28171 1 Grandstream 2 Ucm6510, Ucm6510 Firmware 2025-08-06 N/A N/A
An issue in Grandstream UCM6510 v.1.0.20.52 and before allows a remote attacker to obtain sensitive information via the Login function at /cgi and /webrtccgi.
CVE-2025-44137 1 Maptiler 1 Tileserver Php 2025-08-06 N/A N/A
MapTiler Tileserver-php v2.0 is vulnerable to Directory Traversal. The renderTile function within tileserver.php is responsible for delivering tiles that are stored as files on the server via web request. The way the file path is built allows the insertion of "../" and thus reading any file on the web server. Affected GET parameters are "TileMatrix", "TileRow", "TileCol" and "Format".
CVE-2025-44136 1 Maptiler 1 Tileserver Php 2025-08-06 N/A N/A
MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without HTML encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser.
CVE-2025-28170 1 Grandstream 2 Gxp1628, Gxp1628 Firmware 2025-08-06 N/A N/A
Grandstream Networks GXP1628 <=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and files.
CVE-2025-51970 1 Puneethreddyhc 1 Online Shopping System Advanced 2025-08-06 N/A N/A
A SQL Injection vulnerability exists in the action.php endpoint of PuneethReddyHC Online Shopping System Advanced 1.0 due to improper sanitization of user-supplied input in the keyword POST parameter.
CVE-2022-40799 1 Dlink 2 Dnr-322l, Dnr-322l Firmware 2025-08-06 N/A 8.8 HIGH
Data Integrity Failure in 'Backup Config' in D-Link DNR-322L <= 2.60B15 allows an authenticated attacker to execute OS level commands on the device.
CVE-2020-25078 1 Dlink 18 Dcs-2530l, Dcs-2530l Firmware, Dcs-2670l and 15 more 2025-08-06 5.0 MEDIUM 7.5 HIGH
An issue was discovered on D-Link DCS-2530L before 1.06.01 Hotfix and DCS-2670L through 2.02 devices. The unauthenticated /config/getuser endpoint allows for remote administrator password disclosure.