Total
304758 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2025-41688 | | | 2025-07-31 | N/A | 7.2 HIGH |
A highly privileged remote attacker can execute arbitrary OS commands using an undocumented method that allows escaping the implemented LUA sandbox. | |||||
CVE-2025-2813 | | | 2025-07-31 | N/A | 7.5 HIGH |
An unauthenticated remote attacker can cause a Denial of Service by sending a large number of requests to the http service on port 80. | |||||
CVE-2025-40980 | | | 2025-07-31 | N/A | N/A |
A Stored Cross Site Scripting vulnerability has been found in UltimatePOS by UltimateFosters. This vulnerability is due to the lack of proper validation of user inputs via ‘/products/<PRODUCT_ID>/edit’, affecting the ‘name’ parameter via POST. The vulnerability could allow a remote attacker to send a specially crafted query to an authenticated user and steal his/her session cookie details. | |||||
CVE-2025-8192 | | | 2025-07-31 | N/A | N/A |
There exists a TOCTOU race condition in TvSettings AppRestrictionsFragment.java that leads to the start of an attacker-supplied activity in Settings’ context, i.e. system-uid context, and thus to launchAnyWhere. The core idea is to use the time window between the check of the Intent and the use of the Intent to change the target component’s state, thus bypassing the original security sanitize function. | |||||
CVE-2025-53558 | | | 2025-07-31 | N/A | N/A |
ZXHN-F660T and ZXHN-F660A provided by ZTE Japan K.K. use a common credential for all installations. With the knowledge of the credential, an attacker may log in to the affected devices. | |||||
CVE-2025-5720 | | | 2025-07-31 | N/A | 6.4 MEDIUM |
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author’ parameter in all versions up to, and including, 5.80.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
CVE-2025-7847 | | | 2025-07-31 | N/A | 8.8 HIGH |
The AI Engine plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the rest_simpleFileUpload() function in versions 2.9.3 and 2.9.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server when the REST API is enabled, which may make remote code execution possible. | |||||
CVE-2023-41674 | | | 2025-07-31 | N/A | N/A |
Rejected reason: Not used | |||||
CVE-2025-54829 | | | 2025-07-31 | N/A | N/A |
Rejected reason: Not used | |||||
CVE-2025-54827 | | | 2025-07-31 | N/A | N/A |
Rejected reason: Not used | |||||
CVE-2025-54826 | | | 2025-07-31 | N/A | N/A |
Rejected reason: Not used | |||||
CVE-2025-54823 | | | 2025-07-31 | N/A | N/A |
Rejected reason: Not used | |||||
CVE-2025-54828 | | | 2025-07-31 | N/A | N/A |
Rejected reason: Not used | |||||
CVE-2025-54825 | | | 2025-07-31 | N/A | N/A |
Rejected reason: Not used | |||||
CVE-2025-54824 | | | 2025-07-31 | N/A | N/A |
Rejected reason: Not used | |||||
CVE-2025-7356 | | | 2025-07-30 | N/A | N/A |
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | |||||
CVE-2025-6032 | | | 2025-07-30 | N/A | N/A |
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack. | |||||
CVE-2024-11478 | | | 2025-07-30 | N/A | N/A |
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | |||||
CVE-2025-3108 | 1 Llamaindex | 1 Llamaindex | 2025-07-30 | N/A | 7.5 HIGH |
A critical deserialization vulnerability exists in the run-llama/llama_index library's JsonPickleSerializer component, affecting versions v0.12.27 through v0.12.40. This vulnerability allows remote code execution due to an insecure fallback to Python's pickle module. JsonPickleSerializer prioritizes deserialization using pickle.loads(), which can execute arbitrary code when processing untrusted data. Attackers can exploit this by crafting malicious payloads to achieve full system compromise. The root cause includes an insecure fallback mechanism, lack of validation or safeguards, misleading design, and violation of Python security guidelines. | |||||
CVE-2025-1793 | 1 Llamaindex | 1 Llamaindex | 2025-07-30 | N/A | N/A |
Multiple vector store integrations in run-llama/llama_index version v0.12.21 have SQL injection vulnerabilities. These vulnerabilities allow an attacker to read and write data using SQL, potentially leading to unauthorized access to data of other users depending on the usage of the llama-index library in a web application. | |||||