Total
304758 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4421 | 2025-07-30 | N/A | N/A | ||
| The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home | |||||
| CVE-2025-4424 | 2025-07-30 | N/A | N/A | ||
| The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home | |||||
| CVE-2025-4422 | 2025-07-30 | N/A | N/A | ||
| The vulnerability was identified in the code developed specifically for Lenovo. Please visit "Lenovo Product Security Advisories and Announcements" webpage for more information about the vulnerability. https://support.lenovo.com/us/en/product_security/home | |||||
| CVE-2025-25011 | 2025-07-30 | N/A | N/A | ||
| An uncontrolled search path element vulnerability can lead to local privilege Escalation (LPE) via Insecure Directory Permissions. The vulnerability arises from improper handling of directory permissions. An attacker with local access may exploit this flaw to move and delete arbitrary files, potentially gaining SYSTEM privileges. | |||||
| CVE-2024-8550 | 1 Modelscope | 1 Agentscope | 2025-07-30 | N/A | N/A |
| A Local File Inclusion (LFI) vulnerability exists in the /load-workflow endpoint of modelscope/agentscope version v0.0.4. This vulnerability allows an attacker to read arbitrary files from the server, including sensitive files such as API keys, by manipulating the filename parameter. The issue arises due to improper sanitization of user input passed to the os.path.join function, which can be exploited to access files outside the intended directory. | |||||
| CVE-2025-53770 | 1 Microsoft | 1 Sharepoint Server | 2025-07-30 | N/A | N/A |
| Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network. Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild. Microsoft is preparing and fully testing a comprehensive update to address this vulnerability. In the meantime, please make sure that the mitigation provided in this CVE documentation is in place so that you are protected from exploitation. | |||||
| CVE-2025-49704 | 1 Microsoft | 1 Sharepoint Server | 2025-07-30 | N/A | N/A |
| Improper control of generation of code ('code injection') in Microsoft Office SharePoint allows an authorized attacker to execute code over a network. | |||||
| CVE-2025-49706 | 1 Microsoft | 2 Sharepoint Enterprise Server, Sharepoint Server | 2025-07-30 | N/A | 6.5 MEDIUM |
| Improper authentication in Microsoft Office SharePoint allows an unauthorized attacker to perform spoofing over a network. | |||||
| CVE-2024-12909 | 1 Llamaindex | 1 Llamaindex | 2025-07-30 | N/A | 9.8 CRITICAL |
| A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for SQL injection in the `run_sql_query` function of the `database_agent`. This vulnerability can be exploited by an attacker to inject arbitrary SQL queries, leading to remote code execution (RCE) through the use of PostgreSQL's large object functionality. The issue is fixed in version 0.3.0. | |||||
| CVE-2024-12911 | 1 Llamaindex | 1 Llamaindex | 2025-07-30 | N/A | N/A |
| A vulnerability in the `default_jsonalyzer` function of the `JSONalyzeQueryEngine` in the run-llama/llama_index repository allows for SQL injection via prompt injection. This can lead to arbitrary file creation and Denial-of-Service (DoS) attacks. The vulnerability affects the latest version and is fixed in version 0.5.1. | |||||
| CVE-2024-13870 | 1 Bitdefender | 2 Box, Box Firmware | 2025-07-30 | N/A | 5.7 MEDIUM |
| An improper access control vulnerability exists in Bitdefender Box 1 (firmware version 1.3.52.928 and below) that allows an unauthenticated attacker to downgrade the device's firmware to an older, potentially vulnerable version of a Bitdefender-signed firmware. The attack requires Bitdefender BOX to be booted in Recovery Mode and that the attacker be present within the WiFi range of the BOX unit. | |||||
| CVE-2024-13871 | 1 Bitdefender | 2 Box, Box Firmware | 2025-07-30 | N/A | 8.8 HIGH |
| A command injection vulnerability exists in the /check_image_and_trigger_recovery API endpoint of Bitdefender Box 1 (firmware version 1.3.11.490). This flaw allows an unauthenticated, network-adjacent attacker to execute arbitrary commands on the device, potentially leading to full remote code execution (RCE). | |||||
| CVE-2024-13872 | 1 Bitdefender | 2 Box, Box Firmware | 2025-07-30 | N/A | 7.5 HIGH |
| Bitdefender Box, versions 1.3.11.490 through 1.3.11.505, uses the insecure HTTP protocol to download assets over the Internet to update and restart daemons and detection rules on the devices. Updates can be remotely triggered through the /set_temp_token API method. Then, an unauthenticated and network-adjacent attacker can use man-in-the-middle (MITM) techniques to return malicious responses. Restarted daemons that use malicious assets can then be exploited for remote code execution on the device. | |||||
| CVE-2024-30939 | 1 Yealink | 1 Vp59 Firmware | 2025-07-30 | N/A | N/A |
| An issue discovered in Yealink VP59 Teams Editions with firmware version 91.15.0.118 allows a physically proximate attacker to gain control of an account via a flaw in the factory reset procedure. | |||||
| CVE-2024-28442 | 1 Yealink | 2 Vp59, Vp59 Firmware | 2025-07-30 | N/A | N/A |
| Directory Traversal vulnerability in Yealink VP59 v.91.15.0.118 allows a physically proximate attacker to obtain sensitive information via terms of use function in the company portal component. | |||||
| CVE-2024-31410 | 1 Cyberpower | 1 Powerpanel | 2025-07-30 | N/A | 6.5 MEDIUM |
| The devices which CyberPower PowerPanel manages use identical certificates based on a hard-coded cryptographic key. This can allow an attacker to impersonate any client in the system and send malicious data. | |||||
| CVE-2024-31747 | 1 Yealink | 1 Vp59 Firmware | 2025-07-30 | N/A | N/A |
| An issue in Yealink VP59 Microsoft Teams Phone firmware 91.15.0.118 (fixed in 122.15.0.142) allows a physically proximate attacker to disable the phone lock via the Walkie Talkie menu option. | |||||
| CVE-2024-31856 | 1 Cyberpower | 1 Powerpanel | 2025-07-30 | N/A | 8.8 HIGH |
| An attacker with certain MQTT permissions can create malicious messages to all CyberPower PowerPanel devices. This could result in an attacker injecting SQL syntax, writing arbitrary files to the system, and executing remote code. | |||||
| CVE-2024-32042 | 1 Cyberpower | 1 Powerpanel | 2025-07-30 | N/A | 7.5 HIGH |
| The key used to encrypt passwords stored in the database can be found in the CyberPower PowerPanel application code, allowing the passwords to be recovered. | |||||
| CVE-2024-32047 | 1 Cyberpower | 1 Powerpanel | 2025-07-30 | N/A | N/A |
| Hard-coded credentials for the CyberPower PowerPanel test server can be found in the production code. This might result in an attacker gaining access to the testing or production server. | |||||