Total
94858 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-34147 | 2025-08-05 | N/A | N/A | ||
| An unauthenticated OS command injection vulnerability exists in the Shenzhen Aitemi M300 Wi-Fi Repeater (hardware model MT02). When configuring the device in Extender mode via its captive portal, the extap2g SSID field is inserted unescaped into a reboot-time shell script. This allows remote attackers within Wi-Fi range to inject arbitrary shell commands that execute as root during device reboot, leading to full system compromise. | |||||
| CVE-2025-54794 | 2025-08-05 | N/A | N/A | ||
| Claude Code is an agentic coding tool. In versions below 0.2.111, a path validation flaw using prefix matching instead of canonical path comparison, makes it possible to bypass directory restrictions and access files outside the CWD. Successful exploitation depends on the presence of (or ability to create) a directory with the same prefix as the CWD and the ability to add untrusted content into a Claude Code context window. This is fixed in version 0.2.111. | |||||
| CVE-2025-54795 | 2025-08-05 | N/A | N/A | ||
| Claude Code is an agentic coding tool. In versions below 1.0.20, an error in command parsing makes it possible to bypass the Claude Code confirmation prompt to trigger execution of an untrusted command. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This is fixed in version 1.0.20. | |||||
| CVE-2025-7844 | 2025-08-05 | N/A | N/A | ||
| Exporting a TPM based RSA key larger than 2048 bits from the TPM could overrun a stack buffer if the default `MAX_RSA_KEY_BITS=2048` is used. If your TPM 2.0 module supports RSA key sizes larger than 2048 bit and your applications supports creating or importing an RSA private or public key larger than 2048 bits and your application calls `wolfTPM2_RsaKey_TpmToWolf` on that key, then a stack buffer could be overrun. If the `MAX_RSA_KEY_BITS` build-time macro is set correctly (RSA bits match what TPM hardware is capable of) for the hardware target, then a stack overrun is not possible. | |||||
| CVE-2025-53417 | 2025-08-05 | N/A | N/A | ||
| DIAView (v4.2.0 and prior) - Directory Traversal Information Disclosure Vulnerability | |||||
| CVE-2025-54870 | 2025-08-05 | N/A | N/A | ||
| VTun-ng is a Virtual Tunnel over TCP/IP network. In versions 3.0.17 and below, failure to initialize encryption modules might cause reversion to plaintext due to insufficient error handling. The bug was first introduced in VTun-ng version 3.0.12. This is fixed in version 3.0.18. To workaround this issue, avoid blowfish-256. | |||||
| CVE-2025-4599 | 2025-08-05 | N/A | N/A | ||
| The fragment preview functionality in Liferay Portal 7.4.3.61 through 7.4.3.132, and Liferay DXP 2024.Q4.1 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.13 and 7.4 update 61 through update 92 was found to be vulnerable to postMessage-based XSS because it allows a remote non-authenticated attacker to inject JavaScript into the fragment portlet URL. | |||||
| CVE-2025-54387 | 2025-08-05 | N/A | N/A | ||
| IPX is an image optimizer powered by sharp and svgo. In versions 1.3.1 and below, 2.0.0-0 through 2.1.0, and 3.0.0 through 3.1.0, the approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directories do not end with a path separator. This occurs because the check relies on a raw string prefix comparison. This is fixed in versions 1.3.2, 2.1.1 and 3.1.1. | |||||
| CVE-2025-4604 | 2025-08-05 | N/A | N/A | ||
| The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7, 2025.Q1.0 through 2025.Q1.15 and 7.4 update 80 through update 92 and then attackers can run scripts in the Gogo shell | |||||
| CVE-2025-54980 | 2025-08-05 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54979 | 2025-08-05 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54978 | 2025-08-05 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54977 | 2025-08-05 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54976 | 2025-08-05 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54975 | 2025-08-05 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54974 | 2025-08-05 | N/A | N/A | ||
| Rejected reason: Not used | |||||
| CVE-2025-54797 | 2025-08-05 | N/A | N/A | ||
| Rejected reason: This CVE is a duplicate of CVE-2025-52464. | |||||
| CVE-2025-54782 | 2025-08-04 | N/A | N/A | ||
| Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine. The package adds HTTP endpoints to a locally running NestJS development server. One of these endpoints, /inspector/graph/interact, accepts JSON input containing a code field and executes the provided code in a Node.js vm.runInNewContext sandbox. This is fixed in version 0.2.1. | |||||
| CVE-2013-10053 | 2025-08-04 | N/A | N/A | ||
| A remote command execution vulnerability exists in ZPanel version 10.0.0.2 in its htpasswd module. When creating .htaccess files, the inHTUsername field is passed unsanitized to a system() call that invokes the system’s htpasswd binary. By injecting shell metacharacters into the username field, an authenticated attacker can execute arbitrary system commands. Exploitation requires a valid ZPanel account—such as one in the default Users, Resellers, or Administrators groups—but no elevated privileges. | |||||
| CVE-2013-10059 | 2025-08-04 | N/A | N/A | ||
| An authenticated OS command injection vulnerability exists in various D-Link routers (tested on DIR-615H1 running firmware version 8.04) via the tools_vct.htm endpoint. The web interface fails to sanitize input passed from the ping_ipaddr parameter to the tools_vct.htm diagnostic interface, allowing attackers to inject arbitrary shell commands using backtick encapsulation. With default credentials, an attacker can exploit this blind injection vector to execute arbitrary commands. | |||||