Total: 304758 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2025-53817 | | | 2025-07-18 | N/A | N/A | 7-Zip is a file archiver with a high compression ratio. 7-Zip supports extracting from Compound Documents. Prior to version 25.0.0, a null pointer dereference in the Compound handler may lead to denial of service. Version 25.0.0 contains a fix for the issue.
CVE-2025-50586 | | | 2025-07-18 | N/A | N/A | StudentManage v1.0 was discovered to contain Cross-Site Request Forgery (CSRF).
CVE-2025-46000 | | | 2025-07-18 | N/A | N/A | An arbitrary file upload vulnerability in the component /rsc/filemanager.rsc.class.php of Filemanager commit c75b914 v.2.5.0 allows attackers to execute arbitrary code via uploading a crafted SVG file.
CVE-2025-52162 | | | 2025-07-18 | N/A | N/A | agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to contain an XML External Entity (XXE) vulnerability via the RSSReader endpoint. This vulnerability allows attackers to access sensitive data by providing a crafted XML input.
CVE-2025-52163 | | | 2025-07-18 | N/A | N/A | A Server-Side Request Forgery (SSRF) in the component TunnelServlet of agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 allows attackers to forcefully initiate connections to arbitrary internal and external resources via a crafted request. This can lead to sensitive data exposure.
CVE-2025-52168 | | | 2025-07-18 | N/A | N/A | Incorrect access control in the dynawebservice component of agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 allows unauthenticated attackers to access arbitrary files on the system.
CVE-2025-52166 | | | 2025-07-18 | N/A | N/A | Incorrect access control in Software GmbH Agorum core open v11.9.2 & v11.10.1 allows authenticated attackers to escalate privileges to Administrator and access sensitive components and information.
CVE-2025-45156 | | | 2025-07-18 | N/A | N/A | Splashin iOS v2.0 fails to enforce server-side interval restrictions for location updates for free-tier users.
CVE-2025-7801 | | | 2025-07-18 | N/A | 7.3 HIGH | A vulnerability has been found in BossSoft CRM 6.0 and classified as critical. Affected by this vulnerability is an unknown functionality of the file /crm/module/HNDCBas_customPrmSearchDtl.jsp. The manipulation of the argument cstid leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-52169 | | | 2025-07-18 | N/A | N/A | agorum Software GmbH Agorum core open v11.9.2 & v11.10.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability.
CVE-2025-46002 | | | 2025-07-18 | N/A | N/A | An issue in Filemanager v2.5.0 and below allows attackers to execute a directory traversal via sending a crafted HTTP request to the filemanager.php endpoint.
CVE-2025-7476 | 1 Fabianros | 1 Simple Car Rental System | 2025-07-18 | N/A | 9.8 CRITICAL | A vulnerability classified as critical was found in code-projects Simple Car Rental System 1.0. This vulnerability affects unknown code of the file /admin/approve.php. The manipulation of the argument ID leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-7475 | 1 Fabianros | 1 Simple Car Rental System | 2025-07-18 | N/A | 9.8 CRITICAL | A vulnerability classified as critical has been found in code-projects Simple Car Rental System 1.0. This affects an unknown part of the file /pay.php. The manipulation of the argument mpesa leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-7477 | 1 Fabianros | 1 Simple Car Rental System | 2025-07-18 | N/A | 7.2 HIGH | A vulnerability, which was classified as critical, has been found in code-projects Simple Car Rental System 1.0. This issue affects some unknown processing of the file /admin/add_cars.php. The manipulation of the argument image leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
CVE-2025-22248 | 1 Broadcom | 2 Bitnami, Bitnami/pgpool | 2025-07-18 | N/A | 7.5 HIGH | The bitnami/pgpool Docker image, and the bitnami/postgres-ha k8s chart, under default configurations, come with a 'repmgr' user that allows unauthenticated access to the database inside the cluster. The PGPOOL_SR_CHECK_USER is the user that Pgpool itself uses to perform streaming replication checks against nodes, and should not be at trust level. This allows logging into a PostgreSQL database as the repmgr user without authentication. If Pgpool is exposed externally, a potential attacker could use this user to get access to the service. This is also present within the bitnami/postgres-ha Kubernetes Helm chart.
CVE-2025-44177 | 1 Wss | 1 Protop | 2025-07-18 | N/A | N/A | A directory traversal vulnerability was discovered in White Star Software Protop version 4.4.2-2024-11-27, specifically in the /pt3upd/ endpoint. An unauthenticated attacker can remotely read arbitrary files on the underlying OS using encoded traversal sequences.
CVE-2024-3366 | 1 Xuxueli | 1 Xxl-job | 2025-07-18 | N/A | 9.8 CRITICAL | A vulnerability classified as problematic was found in Xuxueli xxl-job up to 2.4.1. This vulnerability affects the function deserialize of the file com/xxl/job/core/util/JdkSerializeTool.java of the component Template Handler. The manipulation leads to injection. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259480.
CVE-2025-53670 | 1 Jenkins | 1 Nouvola Divecloud | 2025-07-18 | N/A | N/A | Jenkins Nouvola DiveCloud Plugin 1.08 and earlier stores DiveCloud API Keys and Credentials Encryption Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
CVE-2025-53669 | 1 Jenkins | 1 Vaddy | 2025-07-18 | N/A | N/A | Jenkins VAddy Plugin 1.2.8 and earlier does not mask Vaddy API Auth Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them.
CVE-2025-53668 | 1 Jenkins | 1 Vaddy | 2025-07-18 | N/A | N/A | Jenkins VAddy Plugin 1.2.8 and earlier stores Vaddy API Auth Keys unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.