Total
11829 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-34072 | 2025-07-03 | N/A | N/A | ||
|
A data exfiltration vulnerability exists in Anthropic’s deprecated Slack Model Context Protocol (MCP) Server via automatic link unfurling. When an AI agent using the Slack MCP Server processes untrusted data, it can be manipulated to generate messages containing attacker-crafted hyperlinks embedding sensitive data. Slack’s link preview bots (e.g., Slack-LinkExpanding, Slackbot, Slack-ImgProxy) will then issue outbound requests to the attacker-controlled URL, resulting in zero-click exfiltration ...
Show More |
|||||
| CVE-2025-6563 | 2025-07-03 | N/A | N/A | ||
|
A cross-site scripting vulnerability is present in the hotspot of MikroTik's RouterOS on versions below 7.19.2. An attacker can inject the `javascript` protocol in the `dst` parameter. When the victim browses to the malicious URL and logs in, the XSS executes. The POST request used to login, can also be converted to a GET request, allowing an attacker to send a specifically crafted URL that automatically logs in the victim (into the attacker's account) and triggers the payload.
|
|||||
| CVE-2025-52891 | 2025-07-03 | N/A | 6.5 MEDIUM | ||
|
ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least one XML tag is empty (eg <foo></foo>), then a segmentation fault occurs. This issue has been patched in version 2.9.11. A workaround involves setting SecParseXmlIntoArgs to Off.
|
|||||
| CVE-2025-53076 | 1 Samsung | 1 Rlottie | 2025-07-03 | N/A | 9.8 CRITICAL |
|
Improper Input Validation vulnerability in Samsung Open Source rLottie allows Overread Buffers.This issue affects rLottie: V0.2.
|
|||||
| CVE-2025-29814 | 1 Microsoft | 1 Partner Center | 2025-07-03 | N/A | 9.3 CRITICAL |
|
Improper authorization in Microsoft Partner Center allows an authorized attacker to elevate privileges over a network.
|
|||||
| CVE-2025-24060 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2025-07-03 | N/A | 7.8 HIGH |
|
Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2025-24062 | 1 Microsoft | 8 Windows 10 21h2, Windows 10 22h2, Windows 11 22h2 and 5 more | 2025-07-03 | N/A | 7.8 HIGH |
|
Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2025-24073 | 1 Microsoft | 13 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 10 more | 2025-07-03 | N/A | 7.8 HIGH |
|
Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2025-24074 | 1 Microsoft | 10 Windows 10 1809, Windows 10 21h2, Windows 10 22h2 and 7 more | 2025-07-03 | N/A | 7.8 HIGH |
|
Improper input validation in Windows DWM Core Library allows an authorized attacker to elevate privileges locally.
|
|||||
| CVE-2025-1186 | 1 Xunruicms | 1 Xunruicms | 2025-07-03 | 6.5 MEDIUM | 6.3 MEDIUM |
|
A vulnerability was found in dayrui XunRuiCMS up to 4.6.4. It has been declared as critical. This vulnerability affects unknown code of the file /Control/Api/Api.php. The manipulation of the argument thumb leads to deserialization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
|
|||||
| CVE-2025-48944 | 1 Vllm | 1 Vllm | 2025-07-01 | N/A | 6.5 MEDIUM |
|
vLLM is an inference and serving engine for large language models (LLMs). In version 0.8.0 up to but excluding 0.9.0, the vLLM backend used with the /v1/chat/completions OpenAPI endpoint fails to validate unexpected or malformed input in the "pattern" and "type" fields when the tools functionality is invoked. These inputs are not validated before being compiled or parsed, causing a crash of the inference worker with a single request. The worker will remain down until it is restarted. Version 0.9 ...
Show More |
|||||
| CVE-2024-45219 | 1 Apache | 1 Cloudstack | 2025-07-01 | N/A | 8.5 HIGH |
|
Account users in Apache CloudStack by default are allowed to upload and register templates for deploying instances and volumes for attaching them as data disks to their existing instances. Due to missing validation checks for KVM-compatible templates or volumes in CloudStack 4.0.0 through 4.18.2.3 and 4.19.0.0 through 4.19.1.1, an attacker that can upload or register templates and volumes, can use them to deploy malicious instances or attach uploaded volumes to their existing instances on KVM-ba ...
Show More |
|||||
| CVE-2020-35509 | 1 Redhat | 1 Keycloak | 2025-06-30 | N/A | 5.4 MEDIUM |
|
A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity.
|
|||||
| CVE-2023-28911 | 2025-06-30 | N/A | 6.5 MEDIUM | ||
|
A specific flaw exists within the Bluetooth stack of the MIB3 infotainment. The issue results from the lack of proper validation of user-supplied data, which can result in an arbitrary channel disconnection. An attacker can leverage this vulnerability to cause a denial-of-service attack for every connected client of the infotainment device.
The vulnerability was originally discovered in Skoda Superb III car with MIB3 infotainment unit OEM part number 3V0035820. The list of affected MIB3 OEM part ...
Show More |
|||||
| CVE-2024-23335 | 1 Mybb | 1 Mybb | 2025-06-30 | N/A | 4.7 MEDIUM |
|
MyBB is a free and open source forum software. The backup management module of the Admin CP may accept `.htaccess` as the name of the backup file to be deleted, which may expose the stored backup files over HTTP on Apache servers. MyBB 1.8.38 resolves this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability
|
|||||
| CVE-2024-29008 | 1 Apache | 1 Cloudstack | 2025-06-30 | N/A | 6.4 MEDIUM |
|
A problem has been identified in the CloudStack additional VM configuration (extraconfig) feature which can be misused by anyone who has privilege to deploy a VM instance or configure settings of an already deployed VM instance, to configure additional VM configuration even when the feature is not explicitly enabled by the administrator. In a KVM based CloudStack environment, an attacker can exploit this issue to attach host devices such as storage disks, and PCI and USB devices such as network ...
Show More |
|||||
| CVE-2024-4548 | 1 Deltaww | 1 Diaenergie | 2025-06-27 | N/A | 9.8 CRITICAL |
|
An SQLi vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a 'RecalculateHDMWYC' message, which is split into 4 fields using the '~' character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field.
|
|||||
| CVE-2024-4547 | 1 Deltaww | 1 Diaenergie | 2025-06-27 | N/A | 9.8 CRITICAL |
|
A SQLi vulnerability exists in Delta Electronics DIAEnergie v1.10.1.8610 and prior when CEBC.exe processes a 'RecalculateScript' message, which is splitted into 4 fields using the '~' character as the separator. An unauthenticated remote attacker can perform SQLi via the fourth field
|
|||||
| CVE-2024-27385 | 1 Samsung | 4 Exynos 1380, Exynos 1380 Firmware, Exynos 1480 and 1 more | 2025-06-26 | N/A | 6.7 MEDIUM |
|
A vulnerability was discovered in the slsi_handle_nan_rx_event_log_ind function in Samsung Mobile Processor Exynos 1380 and Exynos 1480 related to no input validation check on tag_len for rx coming from userspace, which can lead to heap overwrite.
|
|||||
| CVE-2024-27386 | 1 Samsung | 4 Exynos 1380, Exynos 1380 Firmware, Exynos 1480 and 1 more | 2025-06-26 | N/A | 6.7 MEDIUM |
|
A vulnerability was discovered in the slsi_handle_nan_rx_event_log_ind function in Samsung Mobile Processor Exynos 1380 and Exynos 1480 related to no input validation check on tag_len for tx coming from userspace, which can lead to heap overwrite.
|
|||||
| CVE-2024-31959 | 1 Samsung | 6 Exynos 1480, Exynos 1480 Firmware, Exynos 2200 and 3 more | 2025-06-26 | N/A | 8.4 HIGH |
|
An issue was discovered in Samsung Mobile Processor Exynos 2200, Exynos 1480, Exynos 2400. It lacks a check for the validation of native handles, which can result in code execution.
|
|||||
| CVE-2025-52568 | 2025-06-26 | N/A | N/A | ||
|
NeKernal is a free and open-source operating system stack. Prior to version 0.0.3, there are several memory safety issues that can lead to memory corruption, disk image corruption, denial of service, and potential code execution. These issues stem from unchecked memory operations, unsafe typecasting, and improper input validation. This issue has been patched in version 0.0.3.
|
|||||
| CVE-2025-52569 | 2025-06-26 | N/A | N/A | ||
|
GitForge.jl is a unified interface for interacting with Git "forges." Versions prior to 5.9.1 lack input validation of input validation for user-provided values in certain functions. In the `GitHub.repo()` function, the user can provide any string for the `repo_name` field. These inputs are not validated or safely encoded and are sent directly to the server. This means a user can add path traversal patterns like `../` in the input to access any other endpoints on `api.github.com` that were not i ...
Show More |
|||||
| CVE-2025-50178 | 2025-06-26 | N/A | N/A | ||
|
GitForge.jl is a unified interface for interacting with Git "forges." Versions prior to 0.4.3 lack input validation for user provided values in certain functions. In the `GitForge.get_repo` function for GitHub, the user can provide any string for the owner and repo fields. These inputs are not validated or safely encoded and are sent directly to the server. This means a user can add path traversal patterns like `../` in the input to access any other endpoints on api.github.com that were not inte ...
Show More |
|||||
| CVE-2022-29204 | 1 Google | 1 Tensorflow | 2025-06-25 | 2.1 LOW | 5.5 MEDIUM |
|
TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, the implementation of `tf.raw_ops.UnsortedSegmentJoin` does not fully validate the input arguments. This results in a `CHECK`-failure which can be used to trigger a denial of service attack. The code assumes `num_segments` is a positive scalar but there is no validation. Since this value is used to allocate the output tensor, a negative value would result in a `CHECK`-failure (assertion ...
Show More |
|||||
| CVE-2018-14671 | 1 Clickhouse | 1 Clickhouse | 2025-06-25 | 7.5 HIGH | 9.8 CRITICAL |
|
In ClickHouse before 18.10.3, unixODBC allowed loading arbitrary shared objects from the file system which led to a Remote Code Execution vulnerability.
|
|||||
| CVE-2021-1470 | 1 Cisco | 1 Catalyst Sd-wan Manager | 2025-06-24 | N/A | 4.9 MEDIUM |
|
A vulnerability in the web-based management interface of Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system.
This vulnerability is due to improper input validation of SQL queries to an affected system. An attacker could exploit this vulnerability by authenticating to the application and sending malicious SQL queries to an affected system. A successful exploit could allow the attacker to modify values on or retu ...
Show More |
|||||
| CVE-2025-6240 | 2025-06-23 | N/A | N/A | ||
|
Improper Input Validation vulnerability in Profisee on Windows (filesystem modules) allows Path Traversal after authentication to the Profisee system.This issue affects Profisee: from 2020R1 before 2024R2.
|
|||||
| CVE-2025-6545 | 2025-06-23 | N/A | N/A | ||
|
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation. This vulnerability is associated with program files lib/to-buffer.Js.
This issue affects pbkdf2: from 3.0.10 through 3.1.2.
|
|||||
| CVE-2025-6547 | 2025-06-23 | N/A | N/A | ||
|
Improper Input Validation vulnerability in pbkdf2 allows Signature Spoofing by Improper Validation.This issue affects pbkdf2: <=3.1.2.
|
|||||
| CVE-2025-4563 | 2025-06-23 | N/A | 2.7 LOW | ||
|
A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.
|
|||||
| CVE-2025-26413 | 1 Apache | 1 Kvrocks | 2025-06-23 | N/A | 7.5 HIGH |
|
Improper Input Validation vulnerability in Apache Kvrocks.
The SETRANGE command didn't check if the `offset` input is a positive integer and use it as an index
of a string. So it will cause the server to crash due to its index is out of range.
This issue affects Apache Kvrocks: through 2.11.1.
Users are recommended to upgrade to version 2.12.0, which fixes the issue.
|
|||||
| CVE-2023-47355 | 1 Eyuepcanyilmaz | 1 Root Quick Reboot | 2025-06-20 | N/A | 7.5 HIGH |
|
The com.eypcnnapps.quickreboot (aka Eyuep Can Yilmaz {ROOT] Quick Reboot) application 1.0.8 for Android has exposed broadcast receivers for PowerOff, Reboot, and Recovery (e.g., com.eypcnnapps.quickreboot.widget.PowerOff) that are susceptible to unauthorized broadcasts because of missing input validation.
|
|||||
| CVE-2023-48354 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-06-20 | N/A | 5.5 MEDIUM |
|
In telephone service, there is a possible improper input validation. This could lead to local information disclosure with no additional execution privileges needed
|
|||||
| CVE-2023-48346 | 2 Google, Unisoc | 14 Android, S8000, Sc7731e and 11 more | 2025-06-20 | N/A | 5.5 MEDIUM |
|
In video decoder, there is a possible improper input validation. This could lead to local denial of service with no additional execution privileges needed
|
|||||
| CVE-2023-40394 | 1 Apple | 2 Ipados, Iphone Os | 2025-06-20 | N/A | 3.3 LOW |
|
The issue was addressed with improved validation of environment variables. This issue is fixed in iOS 16.6 and iPadOS 16.6. An app may be able to access sensitive user data.
|
|||||
| CVE-2023-46929 | 1 Gpac | 1 Gpac | 2025-06-18 | N/A | 7.5 HIGH |
|
An issue discovered in GPAC 2.3-DEV-rev605-gfc9e29089-master in MP4Box in gf_avc_change_vui /afltest/gpac/src/media_tools/av_parsers.c:6872:55 allows attackers to crash the application.
|
|||||
| CVE-2024-37917 | 1 Pexip | 1 Pexip Infinity | 2025-06-18 | N/A | 7.5 HIGH |
|
Pexip Infinity before 35.0 has improper input validation that allows remote attackers to trigger a denial of service (software abort) via a crafted signalling message.
|
|||||
| CVE-2025-30080 | 1 Pexip | 1 Pexip Infinity | 2025-06-18 | N/A | 7.5 HIGH |
|
Signalling in Pexip Infinity 29 through 36.2 before 37.0 has improper input validation that allows remote attackers to trigger a temporary denial of service (software abort).
|
|||||
| CVE-2025-1088 | 2025-06-18 | N/A | 2.7 LOW | ||
|
In Grafana, an excessively long dashboard title or panel name will cause Chromium browsers to become unresponsive due to Improper Input Validation vulnerability in Grafana.
This issue affects Grafana: before 11.6.2 and is fixed in 11.6.2 and higher.
|
|||||