Total
307018 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2024-52520 | 1 Nextcloud | 1 Nextcloud Server | 2025-09-05 | N/A | 5.7 MEDIUM |
Nextcloud Server is a self hosted personal cloud system. Due to a pre-flighted HEAD request, the link reference provider could be tricked into downloading bigger websites than intended, to find open-graph data. It is recommended that the Nextcloud Server is upgraded to 28.0.10 or 29.0.7 and Nextcloud Enterprise Server is upgraded to 27.1.11.8, 28.0.10 or 29.0.7. | |||||
CVE-2024-52509 | 1 Nextcloud | 1 Mail | 2025-09-04 | N/A | 3.5 LOW |
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. The Nextcloud mail app incorrectly allowed attaching shared files without download permissions as attachments. This allowed users to send them the files to themselves and then downloading it from their mail clients. It is recommended that the Nextcloud Mail is upgraded to 2.2.10, 3.6.2 or 3.7.2. | |||||
CVE-2024-10934 | 1 Openbsd | 1 Openbsd | 2025-09-04 | N/A | 9.8 CRITICAL |
In OpenBSD 7.5 before errata 008 and OpenBSD 7.4 before errata 021, avoid possible mbuf double free in NFS client and server implementation, do not use uninitialized variable in error handling of NFS server. | |||||
CVE-2024-51503 | 1 Trendmicro | 1 Deep Security Agent | 2025-09-04 | N/A | 8.0 HIGH |
A security agent manual scan command injection vulnerability in the Trend Micro Deep Security 20 Agent could allow an attacker to escalate privileges and execute arbitrary code on an affected machine. In certain circumstances, attackers that have legitimate access to the domain may be able to remotely inject commands to other machines in the same domain. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability locally and must have domain user privileges to affect other machines. | |||||
CVE-2024-52802 | 1 Riot-os | 1 Riot | 2025-09-04 | N/A | 7.5 HIGH |
RIOT is an operating system for internet of things (IoT) devices. In version 2024.04 and prior, the function `_parse_advertise`, located in `/sys/net/application_layer/dhcpv6/client.c`, has no minimum header length check for `dhcpv6_opt_t` after processing `dhcpv6_msg_t`. This omission could lead to an out-of-bound read, causing system inconsistency. Additionally, the same lack of a header length check is present in the function `_preparse_advertise`, which is called by `_parse_advertise` before handling the request. As of time of publication, no known patched version exists. | |||||
CVE-2025-55305 | 2025-09-04 | N/A | 6.1 MEDIUM | ||
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions below 35.7.5, 36.0.0-alpha.1 through 36.8.0, 37.0.0-alpha.1 through 37.3.1 and 38.0.0-alpha.1 through 38.0.0-beta.6, ASAR Integrity Bypass via resource modification. This only impacts apps that have the embeddedAsarIntegrityValidation and onlyLoadAppFromAsar fuses enabled. Apps without these fuses enabled are not impacted. This issue is fixed in versions 35.7.5, 36.8.1, 37.3.1 and 38.0.0-beta.6. | |||||
CVE-2025-55244 | 2025-09-04 | N/A | 9.0 CRITICAL | ||
Azure Bot Service Elevation of Privilege Vulnerability | |||||
CVE-2025-55242 | 2025-09-04 | N/A | 6.5 MEDIUM | ||
Exposure of sensitive information to an unauthorized actor in Xbox allows an unauthorized attacker to disclose information over a network. | |||||
CVE-2025-55241 | 2025-09-04 | N/A | 9.0 CRITICAL | ||
Azure Entra Elevation of Privilege Vulnerability | |||||
CVE-2025-55238 | 2025-09-04 | N/A | 7.5 HIGH | ||
Dynamics 365 FastTrack Implementation Assets Information Disclosure Vulnerability | |||||
CVE-2025-55209 | 2025-09-04 | N/A | N/A | ||
contactmanager is a module for FreePBX@, which is an open source GUI that controls and manages Asterisk© (PBX). In versions 15.0.14 and below, 16.0.0 through 16.0.26.4 and 17.0.0 through 17.0.5, a stored cross-site scripting (XSS) vulnerability in FreePBX allows a low-privileged User Control Panel (UCP) user to inject malicious JavaScript into the system. The malicious code executes in the context of an administrator when they interact with the affected component, leading to session hijacking and potential privilege escalation. This issue is fixed in versions 15.0.14, 16.0.27 and 17.0.6. | |||||
CVE-2025-55190 | 2025-09-04 | N/A | 9.9 CRITICAL | ||
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0-rc1 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials (usernames, passwords) through the project details API endpoint, even when the token only has standard application management permissions and no explicit access to secrets. This vulnerability does not only affect project-level permissions. Any token with project get permissions is also vulnerable, including global permissions such as: `p, role/user, projects, get, *, allow`. This issue is fixed in versions 2.13.9, 2.14.16, 3.0.14 and 3.1.2. | |||||
CVE-2025-54914 | 2025-09-04 | N/A | 10.0 CRITICAL | ||
Azure Networking Elevation of Privilege Vulnerability | |||||
CVE-2025-7425 | 2025-09-04 | N/A | 7.8 HIGH | ||
A flaw was found in libxslt where the attribute type, atype, flags are modified in a way that corrupts internal memory management. When XSLT functions, such as the key() process, result in tree fragments, this corruption prevents the proper cleanup of ID attributes. As a result, the system may access freed memory, causing crashes or enabling attackers to trigger heap corruption. | |||||
CVE-2025-48560 | 2025-09-04 | N/A | 5.5 MEDIUM | ||
In AndroidManifest.xml, there is a possible way for an app to monitor motion events due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
CVE-2025-48559 | 2025-09-04 | N/A | 5.5 MEDIUM | ||
In multiple functions of AppOpsService.java, there is a possible add a large amount of app ops due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
CVE-2025-48551 | 2025-09-04 | N/A | 5.0 MEDIUM | ||
In multiple locations, there is a possible leak of an image across the Android User isolation boundary due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation. | |||||
CVE-2025-48550 | 2025-09-04 | N/A | 5.5 MEDIUM | ||
In testGrantSlicePermission of SliceManagerTest.java, there is a possible permanent denial of service due to a path traversal error. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
CVE-2025-48549 | 2025-09-04 | N/A | 7.8 HIGH | ||
In multiple locations, there is a possible way to record audio via a background app due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | |||||
CVE-2025-48545 | 2025-09-04 | N/A | 5.5 MEDIUM | ||
In isSystemUid of AccountManagerService.java, there is a possible way for an app to access privileged APIs due to a confused deputy. This could lead to local privilege escalation with no additional execution privileges needed. User interaction is not needed for exploitation. |