Total
307117 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-52492 | 2025-07-08 | N/A | 7.5 HIGH | ||
| A vulnerability has been discovered in the firmware of Paxton Paxton10 before 4.6 SR6. The firmware file, rootfs.tar.gz, contains hard-coded credentials for the Twilio API. A remote attacker who obtains a copy of the firmware can extract these credentials. This could allow the attacker to gain unauthorized access to the associated Twilio account, leading to information disclosure, potential service disruption, and unauthorized use of the Twilio services. | |||||
| CVE-2025-7132 | 1 Campcodes | 1 Payroll Management System | 2025-07-08 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability was found in Campcodes Payroll Management System 1.0. It has been rated as critical. Affected by this issue is some unknown functionality of the file /ajax.php?action=save_payroll. The manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-47202 | 2025-07-08 | N/A | 9.1 CRITICAL | ||
| In RRC in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400, the lack of a length check leads to out-of-bounds writes. | |||||
| CVE-2025-45479 | 2025-07-08 | N/A | 9.8 CRITICAL | ||
| Insufficient security mechanisms for created containers in educoder challenges v1.0 allow attackers to execute arbitrary code via injecting crafted content into a container. | |||||
| CVE-2025-45065 | 2025-07-08 | N/A | 9.8 CRITICAL | ||
| employee record management system in php and mysql v1 was discovered to contain a SQL injection vulnerability via the loginerms.php endpoint. | |||||
| CVE-2025-43933 | 2025-07-08 | N/A | 9.8 CRITICAL | ||
| fblog through 983bede allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. | |||||
| CVE-2025-43932 | 2025-07-08 | N/A | 9.8 CRITICAL | ||
| JobCenter through 7e7b0b2 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. | |||||
| CVE-2025-43931 | 2025-07-08 | N/A | 9.8 CRITICAL | ||
| flask-boilerplate through a170e7c allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. | |||||
| CVE-2025-43930 | 2025-07-08 | N/A | 9.8 CRITICAL | ||
| Hashview 0.8.1 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset depends on the Host HTTP header. | |||||
| CVE-2025-26780 | 2025-07-08 | N/A | 7.5 HIGH | ||
| An issue was discovered in L2 in Samsung Mobile Processor and Modem Exynos 2400 and Modem 5400. The lack of a length check leads to a Denial of Service via a malformed PDCP packet. | |||||
| CVE-2023-51232 | 2025-07-08 | N/A | 7.5 HIGH | ||
| Directory Traversal vulnerability in dagster-webserver Dagster thru 1.5.11 allows remote attackers to obtain sensitive information via crafted request to the /logs endpoint. This may be restricted to certain file names that start with a dot ('.'). | |||||
| CVE-2025-7173 | 1 Code-projects | 1 Library System | 2025-07-08 | 7.5 HIGH | 7.3 HIGH |
| A vulnerability has been found in code-projects Library System 1.0 and classified as critical. This vulnerability affects unknown code of the file /add-student.php. The manipulation of the argument Username leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-6869 | 1 Oretnom23 | 1 Simple Company Website | 2025-07-08 | 5.8 MEDIUM | 4.7 MEDIUM |
| A vulnerability was found in SourceCodester Simple Company Website 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/testimonials/manage.php. The manipulation of the argument ID leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. | |||||
| CVE-2025-3247 | 1 Rocklobster | 1 Contact Form 7 | 2025-07-08 | N/A | 5.3 MEDIUM |
| The Contact Form 7 plugin for WordPress is vulnerable to Order Replay in all versions up to, and including, 6.0.5 via the 'wpcf7_stripe_skip_spam_check' function due to insufficient validation on a user controlled key. This makes it possible for unauthenticated attackers to reuse a single Stripe PaymentIntent for multiple transactions. Only the first transaction is processed via Stripe, but the plugin sends a successful email message for each transaction, which may trick an administrator into fulfilling each order. | |||||
| CVE-2025-1566 | 1 Google | 1 Chrome Os | 2025-07-08 | N/A | 7.5 HIGH |
| DNS Leak in Native System VPN in Google ChromeOS Dev Channel on ChromeOS 16002.23.0 allows network observers to expose plaintext DNS queries via failure to properly tunnel DNS traffic during VPN state transitions. | |||||
| CVE-2025-1568 | 1 Google | 1 Chrome Os | 2025-07-08 | N/A | 8.8 HIGH |
| Access Control Vulnerability in Gerrit chromiumos project configuration in Google ChromeOS 16063.87.0 allows an attacker with a registered Gerrit account to inject malicious code into ChromeOS projects and potentially achieve Remote Code Execution and Denial of Service via editing trusted pipelines by insufficient access controls and misconfigurations in Gerrit's project.config. | |||||
| CVE-2021-28967 | 1 Gimly | 1 Matlab | 2025-07-08 | 7.5 HIGH | 9.8 CRITICAL |
| The unofficial MATLAB extension before 2.0.1 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace because of lint configuration settings. | |||||
| CVE-2024-29215 | 1 Mattermost | 1 Mattermost Server | 2025-07-08 | N/A | 4.3 MEDIUM |
| Mattermost versions 9.5.x <= 9.5.3, 9.7.x <= 9.7.1, 9.6.x <= 9.6.1, 8.1.x <= 8.1.12 fail to enforce proper access control which allows a user to run a slash command in a channel they are not a member of via linking a playbook run to that channel and running a slash command as a playbook task command. | |||||
| CVE-2018-1000875 | 1 Universityofcalifornia | 1 Boinc Server | 2025-07-08 | 7.5 HIGH | 9.8 CRITICAL |
| Berkeley Open Infrastructure for Network Computing BOINC Server and Website Code version 0.9-1.0.2 contains a CWE-302: Authentication Bypass by Assumed-Immutable Data vulnerability in Website Terms of Service Acceptance Page that can result in Access to any user account. This attack appear to be exploitable via Specially crafted URL. This vulnerability appears to have been fixed in 1.0.3. | |||||
| CVE-2025-4981 | 1 Mattermost | 1 Mattermost Server | 2025-07-08 | N/A | 9.9 CRITICAL |
| Mattermost versions 10.5.x <= 10.5.5, 9.11.x <= 9.11.15, 10.8.x <= 10.8.0, 10.7.x <= 10.7.2, 10.6.x <= 10.6.5 fail to sanitize filenames in the archive extractor which allows authenticated users to write files to arbitrary locations on the filesystem via uploading archives with path traversal sequences in filenames, potentially leading to remote code execution. The vulnerability impacts instances where file uploads and document search by content is enabled (FileSettings.EnableFileAttachments = true and FileSettings.ExtractContent = true). These configuration settings are enabled by default. | |||||