Total
309365 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-4282 | 1 Broadcom | 1 Brocade Sannav | 2025-08-26 | N/A | 9.8 CRITICAL |
| Brocade SANnav OVA before SANnav 2.3.1b enables SHA1 deprecated setting for SSH for port 22. | |||||
| CVE-2025-49385 | 2 Microsoft, Trendmicro | 2 Windows, Maximum Security 2022 | 2025-08-26 | N/A | 7.8 HIGH |
| Trend Micro Security 17.8 (Consumer) is vulnerable to a link following local privilege escalation vulnerability that could allow a local attacker to unintentionally delete privileged Trend Micro files including its own. | |||||
| CVE-2025-49384 | 2 Microsoft, Trendmicro | 2 Windows, Maximum Security 2022 | 2025-08-26 | N/A | 7.8 HIGH |
| Trend Micro Security 17.8 (Consumer) is vulnerable to a link following local privilege escalation vulnerability that could allow a local attacker to unintentionally delete privileged Trend Micro files including its own. | |||||
| CVE-2021-34185 | 1 Mackron | 1 Miniaudio | 2025-08-26 | 6.8 MEDIUM | 7.8 HIGH |
| Miniaudio 0.10.35 has an integer-based buffer overflow caused by an out-of-bounds left shift in drwav_bytes_to_u32 in miniaudio.h | |||||
| CVE-2021-34184 | 1 Mackron | 1 Miniaudio | 2025-08-26 | 7.5 HIGH | 9.8 CRITICAL |
| Miniaudio 0.10.35 has a Double free vulnerability that could cause a buffer overflow in ma_default_vfs_close__stdio in miniaudio.h. | |||||
| CVE-2024-55945 | 1 Typo3 | 1 Typo3 | 2025-08-26 | N/A | 4.3 MEDIUM |
| TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to `lax` or `none`. The vulnerability in the affected downstream component “DB Check Module” allows attackers to manipulate data through unauthorized actions. Users are advised to update to TYPO3 versions 11.5.42 ELTS which fixes the problem described. There are no known workarounds for this issue. | |||||
| CVE-2024-55924 | 1 Typo3 | 1 Typo3 | 2025-08-26 | N/A | 8.0 HIGH |
| TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to lax or none. The vulnerability in the affected downstream component “Scheduler Module” allows attackers to trigger pre-defined command classes - which can lead to unauthorized import or export of data in the worst case. Users are advised to update to TYPO3 versions 11.5.42 ELTS which fixes the problem described. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-55923 | 1 Typo3 | 1 Typo3 | 2025-08-26 | N/A | 4.3 MEDIUM |
| TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to lax or none. The vulnerability in the affected downstream component “Indexed Search Module” allows attackers to delete items of the component. Users are advised to update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS which fix the problem described. There are no known workarounds for this issue. | |||||
| CVE-2024-55922 | 1 Typo3 | 1 Typo3 | 2025-08-26 | N/A | 5.4 MEDIUM |
| TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to lax or none The vulnerability in the affected downstream component “Form Framework Module” allows attackers to manipulate or delete persisted form definitions. Users are advised to update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS which fix the problem described. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-55921 | 1 Typo3 | 1 Typo3 | 2025-08-26 | N/A | 7.5 HIGH |
| TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to lax or none. The vulnerability in the affected downstream component “Extension Manager Module” allows attackers to retrieve and install 3rd party extensions from the TYPO3 Extension Repository - which can lead to remote code execution in the worst case. Users are advised to update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS which fix the problem described. | |||||
| CVE-2024-55920 | 1 Typo3 | 1 Typo3 | 2025-08-26 | N/A | 4.3 MEDIUM |
| TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to lax or none. The vulnerability in the affected downstream component “Dashboard Module” allows attackers to manipulate the victim’s dashboard configuration. Users are advised to update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS which fix the problem described. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-55894 | 1 Typo3 | 1 Typo3 | 2025-08-26 | N/A | 4.3 MEDIUM |
| TYPO3 is a free and open source Content Management Framework. A vulnerability has been identified in the backend user interface functionality involving deep links. Specifically, this functionality is susceptible to Cross-Site Request Forgery (CSRF). Additionally, state-changing actions in downstream components incorrectly accepted submissions via HTTP GET and did not enforce the appropriate HTTP method. Successful exploitation of this vulnerability requires the victim to have an active session on the backend user interface and to be deceived into interacting with a malicious URL targeting the backend, which can occur under the following conditions: The user opens a malicious link, such as one sent via email. The user visits a compromised or manipulated website while the following settings are misconfigured: 1. `security.backend.enforceReferrer` feature is disabled, 2. `BE/cookieSameSite` configuration is set to lax or none. The vulnerability in the affected downstream component “Backend User Module” allows attackers to initiate password resets for other backend users or to terminate their user sessions. Users are advised to update to TYPO3 versions 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS which fix the problem described. | |||||
| CVE-2025-30355 | 1 Matrix | 1 Synapse | 2025-08-26 | N/A | 7.1 HIGH |
| Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available. | |||||
| CVE-2024-48988 | 1 Apache | 1 Streampark | 2025-08-26 | N/A | 7.6 HIGH |
| SQL Injection vulnerability in Apache StreamPark. This issue affects Apache StreamPark: from 2.1.4 before 2.1.6. Users are recommended to upgrade to version 2.1.6, which fixes the issue. This vulnerability is present only in the distribution package (SpringBoot platform) and does not involve Maven artifacts. It can only be exploited after a user has successfully logged into the platform (implying that the attacker would first need to compromise the login authentication). As a result, the associated risk is considered relatively low. | |||||
| CVE-2025-55194 | 1 Part-db Project | 1 Part-db | 2025-08-26 | N/A | 5.7 MEDIUM |
| Part-DB is an open source inventory management system for electronic components. Prior to version 1.17.3, any authenticated user can upload a profile picture with a misleading file extension (e.g., .jpg.txt), resulting in a persistent 500 Internal Server Error when attempting to view or edit that user’s profile. This makes the profile permanently inaccessible via the UI for both users and administrators, constituting a Denial of Service (DoS) within the user management interface. This issue has been patched in version 1.17.3. | |||||
| CVE-2025-50422 | 2025-08-26 | N/A | 2.9 LOW | ||
| Cairo through 1.18.4, as used in Poppler through 25.08.0, has an "unscaled->face == NULL" assertion failure for _cairo_ft_unscaled_font_fini in cairo-ft-font.c. | |||||
| CVE-2025-48964 | 2025-08-26 | N/A | 6.5 MEDIUM | ||
| ping in iputils before 20250602 allows a denial of service (application error in adaptive ping mode or incorrect data collection) via a crafted ICMP Echo Reply packet, because a zero timestamp can lead to large intermediate values that have an integer overflow when squared during statistics calculations. NOTE: this issue exists because of an incomplete fix for CVE-2025-47268 (that fix was only about timestamp calculations, and it did not account for a specific scenario where the original timestamp in the ICMP payload is zero). | |||||
| CVE-2025-46686 | 2025-08-26 | N/A | 3.5 LOW | ||
| Redis through 8.0.3 allows memory consumption via a multi-bulk command composed of many bulks, sent by an authenticated user. This occurs because the server allocates memory for the command arguments of every bulk, even when the command is skipped because of insufficient permissions. NOTE: this is disputed by the Supplier because abuse of the commands network protocol is not a violation of the Redis Security Model. | |||||
| CVE-2025-45854 | 1 Jehc | 1 Jehc-bpm | 2025-08-26 | N/A | 10.0 CRITICAL |
| /server/executeExec of JEHC-BPM 2.0.1 allows attackers to execute arbitrary code via execParams. | |||||
| CVE-2025-45764 | 2025-08-26 | N/A | 3.2 LOW | ||
| jsrsasign v11.1.0 was discovered to contain weak encryption. NOTE: this issue has been disputed by a third party who believes that CVE IDs can be assigned for key lengths in specific applications that use a library, and should not be assigned to the default key lengths in a library. This dispute is subject to review under CNA rules 4.1.4, 4.1.14, and other rules; the dispute tagging is not meant to recommend an outcome for this CVE Record. | |||||