CVE tracker
News monitoring: @irnewsagency

Main channel: @orgsecuritygate

Site: SecurityGate.org
CVE-2025-41241 - VMware vCenter Denial-of-Service Vulnerability

CVE ID : CVE-2025-41241
Published : July 29, 2025, 1:15 p.m. | 46 minutes ago
Description : VMware vCenter contains a denial-of-service vulnerability. A malicious actor who is authenticated through vCenter and has permission to perform API calls for guest OS customisation may trigger this vulnerability to create a denial-of-service condition.
Severity: 4.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-54422 - Sandboxie Password Transmission Vulnerability

CVE ID : CVE-2025-54422
Published : July 29, 2025, 1:15 p.m. | 46 minutes ago
Description : Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. In versions 1.16.1 and below, a critical security vulnerability exists in password handling mechanisms. During encrypted sandbox creation, user passwords are transmitted via shared memory, exposing them to potential interception. The vulnerability is particularly severe during password modification operations, where both old and new passwords are passed as plaintext command-line arguments to the Imbox process without any encryption or obfuscation. This implementation flaw allows any process within the user session, including unprivileged processes, to retrieve these sensitive credentials by reading the command-line arguments, thereby bypassing standard privilege requirements and creating a significant security risk. This is fixed in version 1.16.2.
Severity: 0.0 | NA
CVE-2025-6060 - DECE Software Geodi Cross-Site Scripting (XSS)

CVE ID : CVE-2025-6060
Published : July 29, 2025, 1:15 p.m. | 46 minutes ago
Description : Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in DECE Software Geodi allows Cross-Site Scripting (XSS). This issue affects Geodi: before GEODI Setup 9.0.146.
Severity: 5.4 | MEDIUM
CVE-2025-6175 - DECE Software Geodi CRLF Injection Vulnerability

CVE ID : CVE-2025-6175
Published : July 29, 2025, 1:15 p.m. | 46 minutes ago
Description : Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in DECE Software Geodi allows HTTP Request Splitting. This issue affects Geodi: before GEODI Setup 9.0.146.
Severity: 7.2 | HIGH
CVE-2025-6504 - HDP Server IP Spoofing Via X-Forwarded-For Header

CVE ID : CVE-2025-6504
Published : July 29, 2025, 1:15 p.m. | 46 minutes ago
Description : In HDP Server versions below 4.6.2.2978 on Linux, unauthorized access could occur via IP spoofing using the X-Forwarded-For header. Since XFF is a client-controlled header, it could be spoofed, allowing unauthorized access if the spoofed IP matched a whitelisted range. This vulnerability could be exploited to bypass IP restrictions, though valid user credentials would still be required for resource access.
Severity: 8.4 | HIGH
CVE-2025-6505 - Progress Software's Hybrid Data Pipeline Server OAuth Client Impersonation and Unauthorized Access Vulnerability

CVE ID : CVE-2025-6505
Published : July 29, 2025, 1:15 p.m. | 46 minutes ago
Description : Unauthorized access and impersonation can occur in versions 4.6.2.3226 and below of Progress Software's Hybrid Data Pipeline Server on Linux. This vulnerability allows attackers to combine credentials from different sources, potentially leading to client impersonation and unauthorized access. When OAuth Clients perform an OAuth handshake with the Hybrid Data Pipeline Server, the server accepts client credentials from both HTTP headers and request parameters.
Severity: 8.1 | HIGH
CVE-2025-7458 - SQLite Integer Overflow Denial of Service/Information Disclosure

CVE ID : CVE-2025-7458
Published : July 29, 2025, 1:15 p.m. | 46 minutes ago
Description : An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT statement with a large number of expressions in the ORDER BY clause.
Severity: 0.0 | NA
CVE-2024-42644 - FlashMQ Assertion Failure Vulnerability

CVE ID : CVE-2024-42644
Published : July 29, 2025, 2:15 p.m. | 3 hours, 46 minutes ago
Description : FlashMQ v1.14.0 was discovered to contain an assertion failure in the function PublishCopyFactory::getNewPublish, which occurs when the QoS value of the publish object is greater than 0.
Severity: 0.0 | NA
CVE-2024-42645 - FlashMQ Denial of Service (DoS) Vulnerability

CVE ID : CVE-2024-42645
Published : July 29, 2025, 2:15 p.m. | 3 hours, 46 minutes ago
Description : An issue in FlashMQ v1.14.0 allows attackers to cause an assertion failure via sending a crafted retain message, leading to a Denial of Service (DoS).
Severity: 0.0 | NA
CVE-2025-52358 - Vivaldi iCONTROL+ Server Cross-Site Scripting Vulnerability

CVE ID : CVE-2025-52358
Published : July 29, 2025, 2:15 p.m. | 3 hours, 46 minutes ago
Description : A cross-site scripting vulnerability exists in Vivaldi United Group iCONTROL+ Server including Firmware version 4.7.8.0.eden Logic version 5.32 and below. This issue allows attackers to inject JavaScript payloads within the error or edit-menu-item parameters, which are then executed in the victim's browser session.
Severity: 6.3 | MEDIUM
CVE-2025-28172 - Grandstream Networks UCM6510 Authentication Bypass

CVE ID : CVE-2025-28172
Published : July 29, 2025, 3:15 p.m. | 2 hours, 46 minutes ago
Description : Grandstream Networks UCM6510 v1.0.20.52 and before is vulnerable to Improper Restriction of Excessive Authentication Attempts. An attacker can perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the targeted account using a brute force attack.
Severity: 0.0 | NA
CVE-2025-46059 - Langchain-ai GmailToolkit Arbitrary Code Execution Vulnerability

CVE ID : CVE-2025-46059
Published : July 29, 2025, 3:15 p.m. | 2 hours, 46 minutes ago
Description : langchain-ai v0.3.51 was discovered to contain an indirect prompt injection vulnerability in the GmailToolkit component. This vulnerability allows attackers to execute arbitrary code and compromise the application via a crafted email message.
Severity: 9.8 | CRITICAL
CVE-2025-50738 - Apache Memos Information Disclosure Cross-Site Request Forgery

CVE ID : CVE-2025-50738
Published : July 29, 2025, 3:15 p.m. | 2 hours, 46 minutes ago
Description : The Memos application, up to version v0.24.3, allows for the embedding of markdown images with arbitrary URLs. When a user views a memo containing such an image, their browser automatically fetches the image URL without explicit user consent or interaction beyond viewing the memo. This can be exploited by an attacker to disclose the viewing user's IP address, browser User-Agent string, and potentially other request-specific information to the attacker-controlled server, leading to information disclosure and user tracking.
Severity: 9.8 | CRITICAL
CVE-2025-51970 - PuneethReddyHC Online Shopping System SQL Injection

CVE ID : CVE-2025-51970
Published : July 29, 2025, 3:15 p.m. | 2 hours, 46 minutes ago
Description : A SQL Injection vulnerability exists in the action.php endpoint of PuneethReddyHC Online Shopping System Advanced 1.0 due to improper sanitization of user-supplied input in the keyword POST parameter.
Severity: 0.0 | NA
CVE-2025-28171 - Grandstream UCM6510 Information Disclosure

CVE ID : CVE-2025-28171
Published : July 29, 2025, 4:15 p.m. | 1 hour, 46 minutes ago
Description : An issue in Grandstream UCM6510 v.1.0.20.52 and before allows a remote attacker to obtain sensitive information via the Login function at /cgi and /webrtccgi.
Severity: 0.0 | NA
CVE-2025-28170 - Grandstream Networks GXP1628 Directory Traversal Vulnerability

CVE ID : CVE-2025-28170
Published : July 29, 2025, 5:15 p.m. | 46 minutes ago
Description : Grandstream Networks GXP1628 <=1.0.4.130 is vulnerable to Incorrect Access Control. The device is configured with directory listing enabled, allowing unauthorized access to sensitive directories and files.
Severity: 0.0 | NA
CVE-2025-31965 - HCL BigFix Remote Control Server WebUI Information Disclosure Vulnerability

CVE ID : CVE-2025-31965
Published : July 29, 2025, 5:15 p.m. | 46 minutes ago
Description : Improper access restrictions in HCL BigFix Remote Control Server WebUI (versions 10.1.0.0248 and lower) allow non-admin users to view unauthorized information on certain web pages.
Severity: 8.2 | HIGH
CVE-2025-44136 - MapTiler Tileserver-php XSS

CVE ID : CVE-2025-44136
Published : July 29, 2025, 5:15 p.m. | 46 minutes ago
Description : MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS). The GET parameter "layer" is reflected in an error message without HTML encoding. This leads to XSS and allows an unauthenticated attacker to execute arbitrary HTML or JavaScript code in a victim's browser.
Severity: 0.0 | NA
CVE-2025-44137 - MapTiler Tileserver-php Directory Traversal Vulnerability

CVE ID : CVE-2025-44137
Published : July 29, 2025, 5:15 p.m. | 46 minutes ago
Description : MapTiler Tileserver-php v2.0 is vulnerable to Directory Traversal. The renderTile function within tileserver.php is responsible for delivering tiles that are stored as files on the server via web request. Creating the path to a file allows the insertion of "../" and thus reading any file on the web server. Affected GET parameters are "TileMatrix", "TileRow", "TileCol" and "Format".
Severity: 0.0 | NA
CVE-2025-54420 - Apache HTTP Server Cross-Site Request Forgery

CVE ID : CVE-2025-54420
Published : July 29, 2025, 5:15 p.m. | 46 minutes ago
Description : Rejected reason: This CVE is a duplicate of CVE-2025-8129.
Severity: 0.0 | NA
CVE-2025-54432 - Apache HTTP Server Unvalidated User Input Remote Code Execution

CVE ID : CVE-2025-54432
Published : July 29, 2025, 5:15 p.m. | 46 minutes ago
Description : Rejected reason: This CVE is a duplicate of another CVE. See CVE-2018-25031 and CVE-2021-46708.
Severity: 0.0 | NA