Total
308626 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-27695 | 1 Dell | 1 Wyse Management Suite | 2025-07-11 | N/A | 4.9 MEDIUM |
| Dell Wyse Management Suite, versions prior to WMS 5.1 contain an Authentication Bypass by Spoofing vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Information Disclosure. | |||||
| CVE-2025-2762 | 1 Carlinkit | 2 Autokit, Cpc200-ccpa | 2025-07-11 | N/A | 7.8 HIGH |
| CarlinKit CPC200-CCPA Missing Root of Trust Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of CarlinKit CPC200-CCPA devices. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the configuration of the application system-on-chip (SoC). The issue results from the lack of a properly configured hardware root of trust. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the boot process. Was ZDI-CAN-25948. | |||||
| CVE-2025-2073 | 2 Google, Linux | 2 Chrome Os, Linux Kernel | 2025-07-11 | N/A | 8.8 HIGH |
| Out-of-Bounds Read in netfilter/ipset in Linux Kernel ChromeOS [6.1, 5.15, 5.10, 5.4, 4.19] allows a local attacker with low privileges to trigger an out-of-bounds read, potentially leading to information disclosure | |||||
| CVE-2025-2763 | 1 Carlinkit | 2 Autokit, Cpc200-ccpa | 2025-07-11 | N/A | 6.8 MEDIUM |
| CarlinKit CPC200-CCPA Improper Verification of Cryptographic Signature Code Execution Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of CarlinKit CPC200-CCPA devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of update packages on USB drives. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24356. | |||||
| CVE-2025-2764 | 1 Carlinkit | 2 Autokit, Cpc200-ccpa | 2025-07-11 | N/A | 8.0 HIGH |
| CarlinKit CPC200-CCPA update.cgi Improper Verification of Cryptographic Signature Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of CarlinKit CPC200-CCPA devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the handling of update packages provided to update.cgi. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-24355. | |||||
| CVE-2025-2765 | 1 Carlinkit | 2 Autokit, Cpc200-ccpa | 2025-07-11 | N/A | 8.8 HIGH |
| CarlinKit CPC200-CCPA Wireless Hotspot Hard-Coded Credentials Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of CarlinKit CPC200-CCPA devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the configuration of the wireless hotspot. The issue results from the use of hard-coded credentials. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-24349. | |||||
| CVE-2024-6479 | 1 Shopitpress | 1 Sip Reviews Shortcode For Woocommerce | 2025-07-11 | N/A | 6.5 MEDIUM |
| The SIP Reviews Shortcode for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'no_of_reviews' attribute in the woocommerce_reviews shortcode in all versions up to, and including, 1.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |||||
| CVE-2024-6480 | 1 Shopitpress | 1 Sip Reviews Shortcode For Woocommerce | 2025-07-11 | N/A | 6.4 MEDIUM |
| The SIP Reviews Shortcode for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'no_of_reviews' attribute in the woocommerce_reviews shortcode in all versions up to, and including, 1.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |||||
| CVE-2024-28265 | 1 Ibos | 1 Ibos | 2025-07-11 | N/A | 9.1 CRITICAL |
| IBOS v4.5.5 has an arbitrary file deletion vulnerability via \system\modules\dashboard\controllers\LoginController.php. | |||||
| CVE-2024-48059 | 1 Gaizhenbiao | 1 Chuanhuchatgpt | 2025-07-11 | N/A | 6.1 MEDIUM |
| gaizhenbiao/chuanhuchatgpt project, version <=20240802 is vulnerable to stored Cross-Site Scripting (XSS) in WebSocket session transmission. An attacker can inject malicious content into a WebSocket message. When a victim accesses this session, the malicious JavaScript is executed in the victim's browser. | |||||
| CVE-2024-10084 | 1 Sevenspark | 1 Contact Form 7 - Dynamic Text Extension | 2025-07-11 | N/A | 4.3 MEDIUM |
| The Contact Form 7 – Dynamic Text Extension plugin for WordPress is vulnerable to Basic Information Disclosure in all versions up to, and including, 4.5 via the CF7_get_post_var shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract the titles and text contents of private and password-protected posts, they do not own. | |||||
| CVE-2024-40715 | 1 Veeam | 1 Veeam Backup \& Replication | 2025-07-11 | N/A | 7.7 HIGH |
| A vulnerability in Veeam Backup & Replication Enterprise Manager has been identified, which allows attackers to perform authentication bypass. Attackers must be able to perform Man-in-the-Middle (MITM) attack to exploit this vulnerability. | |||||
| CVE-2024-10683 | 1 Wpplugin | 1 Paypal \& Stripe Add-on | 2025-07-11 | N/A | 6.1 MEDIUM |
| The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.3.1. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. This is only exploitable when the leave a review notice is present in the dashboard. | |||||
| CVE-2025-1290 | 2 Google, Linux | 2 Chrome Os, Linux Kernel | 2025-07-11 | N/A | 8.1 HIGH |
| A race condition Use-After-Free vulnerability exists in the virtio_transport_space_update function within the Kernel 5.4 on ChromeOS. Concurrent allocation and freeing of the virtio_vsock_sock structure during an AF_VSOCK connect syscall can occur before a worker thread accesses it resulting in a dangling pointer and potential kernel code execution. | |||||
| CVE-2024-10717 | 1 Wpmonks | 1 Styler For Ninja Forms | 2025-07-11 | N/A | 6.5 MEDIUM |
| The Styler for Ninja Forms plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the deactivate_license function in all versions up to, and including, 3.3.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users. Note: This issue can also be used to add arbitrary options with an empty value. | |||||
| CVE-2024-39710 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-07-11 | N/A | 9.1 CRITICAL |
| Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||||
| CVE-2024-39711 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-07-11 | N/A | 9.1 CRITICAL |
| Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||||
| CVE-2024-39712 | 1 Ivanti | 2 Connect Secure, Policy Secure | 2025-07-11 | N/A | 9.1 CRITICAL |
| Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. | |||||
| CVE-2024-9614 | 1 Mailmunch | 1 Constant Contact Forms | 2025-07-11 | N/A | 6.1 MEDIUM |
| The Constant Contact Forms by MailMunch plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.1.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | |||||
| CVE-2025-1532 | 1 Honor | 1 Phoneservice | 2025-07-11 | N/A | 8.1 HIGH |
| Phoneservice module is affected by code injection vulnerability, successful exploitation of this vulnerability may affect service confidentiality and integrity. | |||||