Total
304758 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4068 | 1 Jonschlinkert | 1 Braces | 2025-08-04 | N/A | N/A |
| The NPM package `braces`, versions prior to 3.0.3, fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In `lib/parse.js,` if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash. | |||||
| CVE-2024-25079 | 1 Insyde | 1 Insydeh2o | 2025-08-04 | N/A | N/A |
| A memory corruption vulnerability in HddPassword in Insyde InsydeH2O kernel 5.2 before 05.29.09, kernel 5.3 before 05.38.09, kernel 5.4 before 05.46.09, kernel 5.5 before 05.54.09, and kernel 5.6 before 05.61.09 could lead to escalating privileges in SMM. | |||||
| CVE-2024-20394 | 1 Cisco | 1 Appdynamics | 2025-08-04 | N/A | 5.5 MEDIUM |
| A vulnerability in Cisco AppDynamics Network Visibility Agent could allow an unauthenticated, local attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to the inability to handle unexpected input. An attacker who has local device access could exploit this vulnerability by sending an HTTP request to the targeted service. A successful exploit could allow the attacker to cause a DoS condition by stopping the Network Agent Service on the local device. | |||||
| CVE-2024-33625 | 1 Cyberpower | 1 Powerpanel | 2025-08-04 | N/A | N/A |
| CyberPower PowerPanel business application code contains a hard-coded JWT signing key. This could result in an attacker forging JWT tokens to bypass authentication. | |||||
| CVE-2025-6076 | 2025-08-04 | N/A | N/A | ||
| Partner Software's Partner Software application and Partner Web application do not sanitize files uploaded on the "reports" tab, allowing an authenticated attacker to upload a malicious file and compromise the device. By default, the software runs as SYSTEM, heightening the severity of the vulnerability. | |||||
| CVE-2025-20700 | 2025-08-04 | N/A | N/A | ||
| In the Airoha Bluetooth audio SDK, there is a possible permission bypass that allows access critical data of RACE protocol through Bluetooth LE GATT service. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2025-20702 | 2025-08-04 | N/A | N/A | ||
| In the Airoha Bluetooth audio SDK, there is a possible unauthorized access to the RACE protocol. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
| CVE-2020-26066 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2025-08-04 | N/A | N/A |
| A vulnerability in the web UI of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to gain read and write access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External Entity (XXE) entries when parsing certain XML files. An attacker could exploit this vulnerability by persuading a user to import a crafted XML file with malicious entries. A successful exploit could allow the attacker to read and write files within the affected application.Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | |||||
| CVE-2024-34025 | 1 Cyberpower | 1 Powerpanel | 2025-08-04 | N/A | N/A |
| CyberPower PowerPanel business application code contains a hard-coded set of authentication credentials. This could result in an attacker bypassing authentication and gaining administrator privileges. | |||||
| CVE-2024-10382 | 1 Google | 1 Androidx.car.app | 2025-08-04 | N/A | N/A |
| There exists a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows construction of arbitrary java classes. This can lead to arbitrary code execution when combined with specific Java deserialization gadgets. An attacker needs to install a malicious application on victims device to be able to attack any application that uses vulnerable library. We recommend upgrading the library past version 1.7.0-beta02. | |||||
| CVE-2025-2297 | 1 Beyondtrust | 1 Privilege Management For Windows | 2025-08-04 | N/A | 7.8 HIGH |
| Prior to version 25.4.270.0, a local authenticated attacker can manipulate user profile files to add illegitimate challenge response codes into the local user registry under certain conditions. This allows users with the ability to edit their user profile files to elevate their privileges to administrator. | |||||
| CVE-2025-6250 | 1 Beyondtrust | 1 Privilege Management For Windows | 2025-08-04 | N/A | 6.7 MEDIUM |
| Prior to 25.4.270.0, when wmic.exe is elevated with a full admin token the user can stop the Defendpoint service, bypassing anti-tamper protections. Once the service is disabled, the malicious user can add themselves to Administrators group and run any process with elevated permissions. | |||||
| CVE-2025-24854 | 1 Apache | 1 Jspwiki | 2025-08-04 | N/A | N/A |
| A carefully crafted request using the Image plugin could trigger an XSS vulnerability on Apache JSPWiki, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.3 or later. | |||||
| CVE-2025-24853 | 1 Apache | 1 Jspwiki | 2025-08-04 | N/A | N/A |
| A carefully crafted request when creating a header link using the wiki markup syntax, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Further research by the JSPWiki team showed that the markdown parser allowed this kind of attack too. Apache JSPWiki users should upgrade to 2.12.3 or later. | |||||
| CVE-2025-47001 | 1 Adobe | 1 Experience Manager | 2025-08-04 | N/A | 5.4 MEDIUM |
| Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | |||||
| CVE-2025-43712 | 2025-08-04 | N/A | N/A | ||
| JHipster before v.8.9.0 allows privilege escalation via a modified authorities parameter. Upon registering in the JHipster portal and logging in as a standard user, the authorities parameter in the response from the api/account endpoint contains the value ROLE_USER. By manipulating the authorities parameter and changing its value to ROLE_ADMIN, the privilege is successfully escalated to an Admin level. This allowed the access to all admin-related functionalities in the application. NOTE: this is disputed by the Supplier because there is no privilege escalation in the context of the JHipster backend (the report only demonstrates that, after using JHipster to generate an application, one can make a non-functional admin screen visible in the front end of that application). | |||||
| CVE-2025-20145 | 1 Cisco | 9 8608, 8804, 8808 and 6 more | 2025-08-04 | N/A | 5.8 MEDIUM |
| A vulnerability in the access control list (ACL) processing in the egress direction of Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability exists because certain packets are handled incorrectly when they are received on an ingress interface on one line card and destined out of an egress interface on another line card where the egress ACL is configured. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass an egress ACL on the affected device. For more information about this vulnerability, see the section of this advisory. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. | |||||
| CVE-2025-20144 | 1 Cisco | 39 Ios Xr, Ncs 540-12z20g-sys-a, Ncs 540-12z20g-sys-d and 36 more | 2025-08-04 | N/A | 5.8 MEDIUM |
| A vulnerability in the hybrid access control list (ACL) processing of IPv4 packets in Cisco IOS XR Software could allow an unauthenticated, remote attacker to bypass a configured ACL. This vulnerability is due to incorrect handling of packets when a specific configuration of the hybrid ACL exists. An attacker could exploit this vulnerability by attempting to send traffic through an affected device. A successful exploit could allow the attacker to bypass a configured ACL on the affected device. For more information, see the section of this advisory. Cisco has released software updates that address this vulnerability. There are workarounds that address this vulnerability. | |||||
| CVE-2025-8515 | 2025-08-04 | N/A | 3.1 LOW | ||
| A vulnerability was found in Intelbras InControl 2.21.60.9 and classified as problematic. This issue affects some unknown processing of the file /v1/operador/ of the component JSON Endpoint. The manipulation leads to information disclosure. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. | |||||
| CVE-2025-6205 | 2025-08-04 | N/A | N/A | ||
| A missing authorization vulnerability affecting DELMIA Apriso from Release 2020 through Release 2025 could allow an attacker to gain privileged access to the application. | |||||